Last month, I advised users to stop using Facebook Messenger and switch to its stablemate WhatsApp. The reason is simple—security. This led to people asking me about Apple iMessage and SMS, including Google Messages, and whether these are secure to use. The answer is not as simple as you might like.
The reason you should switch from Facebook Messenger to WhatsApp is down to end-to-end encryption. You’ve likely seen this discussed in the media—it can be so secure that lawmakers actually want weaknesses introduced to help them investigate crimes. Without that, platforms cannot provide user content even when warranted by a court.
Most of the traffic travelling to and from your devices is now encrypted—but that only solves half the problem. The risk remains in who holds the keys. When you end-to-end encrypt data or messages, keys are only held by the two (or multiple) endpoints of that link—you and the person you’re messaging, for example. Even though you might be using WhatsApp’s infrastructure, for example, it can’t read what you send.
Your phone is always a weakness, of course. If I have your device and it’s unlocked, I can read all your messages. There’s also the risk of an account hijack, which is broadly the same thing—compromising a decrypted endpoint. The end-to-end encryption itself, though, can be trusted to keep your messages safe and secure.
WhatsApp is end-to-end encrypted—it popularized this level of security and it has become one of its hallmarks. By contrast, its Facebook stablemate Messenger is not end-to-end encrypted by default. Recommending that Facebook Messenger users switch to WhatsApp is easy—Facebook itself advocates strongly for end-to-end encryption, while WhatsApp says it’s a must. The only thing stopping an immediate encryption upgrade for Messenger is the technical complexity involved.
SMS is at the other end of the security spectrum, built on an archaic architecture that sits inside the many cellular networks around the world. When you send an SMS, while it might be secure between your phone and your network, once there it can be easily intercepted and collected. Last year I reported on hackers compromising global telcos to collect SMS traffic between targeted senders and recipients. As FireEye warned at the time, “users and organizations must consider the risk of unencrypted data being intercepted several layers upstream in their cellular communication chain.”
The advantage of SMS, though, is that it is as ubiquitous as it gets. However simple and un-smart your phone might be, it will be able to send and receive plaintext short-form messages. But the technology is now used for much more than that: longer messages, MMS attachments, financial details, private data, sensitive information.
Almost all smartphones now run on either Apple’s iOS or Google’s Android operating systems, and so their default applications have become the front-end for inbuilt messaging. The two platforms take different approaches to security: Apple’s iMessage is end-to-end encrypted, and while there’s less public information on this than with WhatsApp or Signal, it is secure. Google’s Messages is not—it only encrypts between the device and its server, not end-to-end, although Google is reportedly working to address this.
Apple launched iMessage as an alternative to the WhatsApp-style over-the-top messengers, adding rich functionality and security, but limiting that to the Apple user community. Because iMessage users message beyond that community, and sometimes when a data network is unavailable, iMessage can revert to SMS when needed. But when it does so, there is no end-to-end encryption.
The challenge if you don’t disable this option is that you may not know when your phone fails over to SMS—there won’t be a warning. In a very quick, very ad hoc straw poll of a few non-security experts, most were unaware of the security difference between iMessage’s blue bubbles and the green bubbles of its SMS fallback. You can disable SMS message sending within the settings on your device. This won’t stop you receiving SMS messages, and when you reply to a non-Apple user, that will be by SMS. But when you think it’s iMessage and end-to-end encrypted, it will always be iMessage and end-to-end encrypted.
Google’s Messages is more a front-end to SMS than a separate messenger, adding richer functionality but with a tightly integrated approach. SMS is now upgrading to RCS, its newer replacement. Unfortunately RCS is not end-to-end encrypted, built as it is on the same network architecture as SMS. A report from Germany’s SRLabs last year warned that RCS would be wide open to hackers unless its deployment approach was revised. We really need Google to deploy the full encryption functionality it reportedly has in the works.
Whichever service you use, there are SMS messages you will still need to receive—one-time security codes, for example. Despite the lack of SMS security, a company sending you a code knows it’s your phone number, which adds a layer of security. There are also initiatives underway to verify those senders. Just make sure you never share those codes. And beyond texts from service providers (here’s your code, your taxi has arrived, here’s the balance on your card, your flowers were delivered, and suchlike), you should not use SMS for your own private messages. There’s no reason to do so.
My strong recommendation is to use an end-to-end encrypted messenger for all your personal traffic, even if you don’t think it’s especially sensitive. Why would you not? It’s all free to use. WhatsApp remains my recommendation, given its ease of use and huge user install base. But if you want even more security or to avoid Facebook, then Signal is the app of choice for many security folk. And if you use iMessage, then just make sure you understand the security implications when blue turns to green.
The Link Lonk, August 08, 2020 at 06:20PM
https://www.forbes.com/sites/zakdoffman/2020/08/08/apple-iphone-ipad-imessage-security-update-sms-rcs-google-whatsapp-encryption/
Why You Should Stop Sending SMS Messages—Even On Apple iMessage - Forbes