The FBI and NSA have jointly issued new smartphone security guidelines in response to growing concerns about vulnerabilities in mobile communications, particularly following the Salt Typhoon cyberattack that exposed critical weaknesses in telecommunications infrastructure. The new guidance expands on previous security recommendations issued by CISA earlier this year addressing Chinese-linked telecom breaches.
In a joint alert issued on December 3, 2024, the FBI and CISA highlighted specific vulnerabilities in unencrypted SMS, MMS, and RCS communications. The agencies noted that the telecommunications protocols involved, including SS7 and Diameter, were developed without contemporary security standards, making them susceptible to exploitation. The warning follows a pattern of increasing concerns about mobile communication security, as documented in previous FBI and CISA warnings about SMS vulnerabilities between different mobile platforms.
The Salt Typhoon cyberespionage campaign, which targeted government and institutional communications, demonstrated the real-world implications of these vulnerabilities. The attack revealed how unencrypted SMS and MMS messages, transmitted in plaintext, can be intercepted by malicious actors. Additionally, SIM swapping attacks have become increasingly prevalent, compromising phone numbers used for SMS-based two-factor authentication and leading to significant financial losses.
In response to these threats, the Federal Communications Commission has implemented new measures requiring telecommunications carriers to enhance their security protocols. The requirements include compliance with Section 105 of the Communications Assistance for Law Enforcement Act (CALEA), annual certification of cybersecurity risk management plans, and expanded security obligations for all communications providers. The measures complement recent NSA and CISA guidelines emphasizing the importance of device identity in secure communications.
The guidelines specifically address vulnerabilities in telecommunications infrastructure protocols like SS7, Diameter, and RCS, which can allow adversaries to compromise entire networks and intercept metadata, call records, and live communication streams. The comprehensive approach reflects lessons learned from recent high-profile breaches and the evolving threat landscape in mobile communications.
To address these security challenges, new technological solutions are emerging. One such solution, DataShielder NFC HSM Defense, implements hybrid encryption using AES-256 CBC to encrypt data locally before transmission. The technology is compatible with Android NFC devices and can secure various communication platforms, including SMS, MMS, RCS, and satellite messaging, providing an additional layer of protection against the vulnerabilities highlighted in the new guidelines.
Sources: Freemindtronic, BEAMSTART, Global Player, Hogan Lovells