The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging mobile users to move away from unencrypted SMS and adopt phishing-resistant multifactor authentication (MFA) in response to recent cyber threats.
This advisory follows an espionage campaign by Chinese-affiliated threat actors, including the advanced persistent threat (APT) group known as Salt Typhoon, which has targeted at least eight U.S. telecommunications companies.
CISA specifically warns high-risk individuals—such as senior government officials and political leaders—to discontinue using SMS for communication and switch to end-to-end encrypted messaging apps like Signal instead.
Additionally, the agency advises against using SMS-based MFA, recommending phishing-resistant MFA instead. Users are encouraged to adopt FIDO2-enabled authentication methods, as outlined by the Fast Identity Online (FIDO) Alliance, and enable MFA across all critical services, including Microsoft, Google, and Apple accounts.
“For Gmail users, enrolling in Google’s Advanced Protection Program (APP) enhances security against phishing and account hijacking,” CISA stated.
The agency also addressed the risks associated with personal VPNs, cautioning that while they may shift security concerns away from internet service providers (ISPs), they can also introduce new vulnerabilities. Many free or commercial VPN providers have questionable security and privacy practices. However, CISA acknowledged that VPNs remain essential for organizations requiring secure access to internal data.
Security Recommendations for Mobile Users
CISA provided specific security guidelines for iPhone and Android users to enhance device security:
For iPhone Users:
- Enable Apple’s Lockdown Mode for enhanced protection.
- Enroll in iCloud Private Relay to mask internet activity.
For Android Users:
- Activate Google Play Protect to detect and prevent malicious apps.
- Configure Private DNS settings using trusted resolvers like:
  - Cloudflare’s 1.1.1.1
  - Google’s 8.8.8.8
  - Quad9’s 9.9.9.9
By following these measures, users can better defend against cyber threats and espionage efforts targeting mobile communications.