A huge hack of U.S. phone companies means your text messages may not be safe

At least eight U.S. telecom firms and dozens of countries have been impacted this week by what a top White House official called a Chinese hacking campaign that has also raised concerns about the security of text messaging.

At a media briefing Wednesday, U.S. Deputy National Security Adviser Anne Neuberger shared details about the breadth of a sprawling hacking campaign that gave officials in Beijing access to private texts and phone conversations of an unknown number of Americans.

A group of hackers known as Salt Typhoon are being blamed for the attack targeting companies, which reportedly included AT&T, Verizon and Lumen Technologies. White House officials cautioned the number of telecommunication firms and countries impacted could still grow.

Canadian cybersecurity experts paying close attention to this latest breach say some industry practices and government regulations that allow intelligence organizations access to the telecommunications system are part of the problem. These experts and U.S. law enforcement officials are recommending that people take action to protect their text messages.  

"The attack that is unfolding in the United States is a reflection of historical and continuing vulnerabilities in telecommunication networks around the world, and some of those vulnerabilities are made worse by government," said Kate Robertson, a lawyer and senior researcher at the University of Toronto's Citizen Lab, which studies digital threats to civil society. 

Though the hack apparently focused on American politicians and government officials, experts say regular SMS text messages, the kind most wireless carriers offer, aren't very secure because they're unencrypted.

"We are constantly bombarded with concerns about phishing and email scams and malicious links," said security consultant Andrew Kirsch, a former intelligence officer with the Canadian Security Intelligence Service (CSIS).

"This shines a light on the fact that the other vulnerability is through our telecommunications, phone calls and text messages."  

CBC News has reached out to the RCMP, the Canadian Centre for Cyber Security and CSIS to ask if any of the cyberattacks compromised Canadian users or communications companies, but has yet to receive a response. 

Earlier this week the Canadian Centre for Cyber Security issued a joint release with the U.S., Australia and New Zealand with security advice for companies like cellphone providers on "enhanced visibility and hardening for communications infrastructure."

CBC News also contacted Canada's largest cellphone providers — Bell, Rogers and Telus — to ask if their networks had been targeted and breached in the same attack. Rogers and Telus did not respond before publication. 

Bell said it was aware of "a highly sophisticated" attack in the U.S. and was working with government partners and other telecommunications companies "to identify any potentially related security incidents across our networks."

The telecommunications company says it hasn't seen any evidence of an attack, but continues "to investigate and maintain vigilance."  

Robertson explained these attacks are made possible in part because governments have "prioritized the objective of surveillance over the security of the entire network of users."