You may have recently heard of a sophisticated cyberespionage campaign known as Salt Typhoon, which has targeted major U.S. telecommunications providers, including AT&T and Verizon. Attributed to Chinese state-sponsored actors, this operation has compromised sensitive systems, enabling unauthorized access to vast amounts of communication data. Background sources: CyberScoop article, Reuters article.
Salt Typhoon is the name of an advanced persistent threat (APT) group active since 2020. Their operations focus on infiltrating critical infrastructure to conduct cyberespionage, with an emphasis on data theft and network surveillance.
This attack exposed the following information for any devices that were running on the compromised cell phone networks:
Metadata: Information such as who communicated with whom, when, and where.
Message Content: In some cases, attackers can intercept and read unencrypted text messages (SMS) passing through compromised networks.
When telecommunications networks are compromised at this scale, unencrypted communications such as SMS become vulnerable. Attackers could potentially:
Read Private Conversations: If you communicate using SMS/MMS/RCS, the content of your messages can be intercepted and read.
Intercept Authentication Codes: SMS-based two-factor authentication (2FA) codes can be stolen, enabling attackers to bypass security measures and gain access to sensitive accounts.
Track Communication Patterns: Even if message content isn’t accessible, metadata can reveal sensitive patterns about your contacts and routines.
Although you may think that the Chinese Government will probably not target you, and that’s probably correct, this is an important reminder about the vulnerability of unencrypted communications and cell phone communications in general.
This attack has revealed how vulnerable cell phone companies are to this type of attack. The way that telecommunications infrastructure is configured means that there are many access points and ways for your unencrypted communications to be compromised. It doesn’t have to be a foreign government; it could be a hacker, a rogue employee, or even your own government. There are many ways to compromise this information, and this hack is just another reminder.
I operate on the assumption that any unencrypted SMS message is easily intercepted. If you operate on this assumption, then it means that:
SMS codes sent for MFA are not safe (because they are unencrypted, and bad actors can get access to these).
Unencrypted SMS/MMS/RCS messages are not safe.
SMS-based MFA is highly vulnerable to interception when telecommunications networks are compromised. Instead, use more secure alternatives such as:
Authentication Apps: Tools like Google Authenticator or ID.me’s authenticator app generate time-based codes that are not dependent on SMS.
Passkeys: Passkeys use the biometrics tied to your device to authenticate into accounts. This is secure because the only way a hacker can replicate this is if they have your device (and your face).
Hardware Tokens: Devices like YubiKey provide an extra layer of protection by requiring physical confirmation to log in.
It’s important that both factors required to access your accounts are strong and secure. What you do not want is for BOTH factors to be weak. If you don’t have a choice but to use SMS for MFA, ensuring your password is unique and strong is more important than ever.
Use a password manager to help you keep every password strong and unique. This way, a bad actor can’t breach multiple accounts with the same password, and they will have a hard time brute-forcing your password.
SMS lacks end-to-end encryption, making it easy for attackers to intercept messages. Switch to secure messaging apps that encrypt your communications, ensuring that only you and the intended recipient can read them.
I have written about this before (the last time there was a major incident at a telecom provider, AT&T). Still, the bottom line is that you should use iMessage for iPhone to iPhone and Signal or WhatsApp for cross-platform communications.
On iPhone, you can stop iMessage from falling back to SMS/MMS (meaning if the iMessage doesn’t go through, it won’t automatically try using SMS/MMS). You do this by going to Settings → Apps → Messages.
You don’t have this option on Android devices because there is no “iMessage” equivalent—all messages are RCS, SMS, and MMS and are not encrypted. I recommend only using the encrypted messaging apps listed above if you use Android devices.