The Cybersecurity and Infrastructure Security Agency (CISA) has released comprehensive mobile security guidelines aimed at protecting high-value government targets following the Salt Typhoon telecommunications breach attributed to Chinese cyber actors.
The guidelines, issued on December 18, 2024, emphasize the use of end-to-end encrypted messaging applications, with Signal specifically recommended for both Android and iPhone platforms. The recommendation follows a joint FBI-CISA advisory earlier this year highlighting vulnerabilities in cross-platform SMS messaging. “While no single solution eliminates all risks, implementing these best practices will significantly enhance protection,” said Jeff Greene, CISA’s executive assistant director for cybersecurity.
CISA recommends Fast Identity Online (FIDO) phishing-resistant authentication over traditional multifactor authentication methods. The recommendation comes as the industry makes similar moves, including Microsoft’s announcement of native passkey support in its Authenticator app. The agency specifically recommends hardware-based security keys, such as Yubico’s latest Bio Series keys or Google Titan, for securing highly targeted accounts.
The guidance explicitly warns against using SMS-based authentication, noting that SMS messages are not encrypted and can be intercepted by those with access to telecommunications infrastructure. The warning comes amid increasing concerns about SIM-swapping attacks, which have led to numerous high-profile security breaches. Additional security measures include using password managers, maintaining regular software updates, and setting telecommunications account PINs to prevent SIM-swapping attacks.
For iPhone users, the guidelines recommend enabling “Lockdown Mode” and deploying Apple iCloud Private Relay for secure browsing. Android users are advised to select devices with strong security records and long-term update commitments, while ensuring the use of encrypted Rich Communication Services (RCS) for messaging, which provides enhanced security features compared to traditional SMS.
“Using end-to-end encrypted apps like Signal or WhatsApp represents the simplest way to ensure message security,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation. The FBI and CISA have jointly emphasized the importance of encrypted messaging applications until vulnerabilities in cross-platform messaging are addressed.
Sources: CyberScoop, BW Security World, Freemindtronic, EURACTIV, TPR