CISA warns spyware crews are breaking into Signal and WhatsApp accounts CISA has warned that state-backed snoops and cyber-mercenaries are actively abusing commercial spyware to break into Signal and WhatsApp accounts, hijack devices, and quietly rummage through the phones of what the agency calls "high-value" users. In an alert published Monday, the US government's cyber agency said it's tracking …
https://www.theregister.com/2025/11/24/fcc_salt_typhoon_rules/
"The Federal Communications Commission (FCC) has scrapped a set of telecom cybersecurity rules introduced after the Salt Typhoon espionage campaign, reversing course on measures designed to stop state-backed snoops from slipping back into America's networks."
Hey, guys, how about a co-ordinated national cyber security response protecting comms and IT infrastructure?
Anyone? Anyone at all?
Without wishing in any way to defend the current administration, I feel I must point out that you'd be hard pressed to get any similar response out of any US administration, or a UK one come to that.
Worth noting that the FCC has been gutted and redirected for years by subsequent administrations, and on this side of the pond the UK parliament has demonstrated a complete lack of understanding of anything technical on a number of occasions, and has thus not been able to legislate effectively about it.
"Signal itself is (probably) pretty secure"
Secure against what? Sure, gov't intelligence may not be able to decrypt your messages. But often what they are doing is "link analysis". Who is talking to whom. This is enough to infiltrate most organizations. And from there, it's just the rubber hose.
This is what the FBI did in a few US cities. Grab protesters off the street, capture their phone IMEIs and trace connections back through the SS7 (notoriously insecure) records. Ring leaders identified.
You might be able to avoid this kind of surveilance by tossing burner phones frequently. But most of the aforementioned are so emotionally attached to their iDevices, that's not a frequent problem.
Definitely, link analysis is much harder to protect against. Partial solutions is if more of us start using signal for every day messages, then the actual secret messages won't stand out as much. At least here in EU all SIMs need to be registered to a person[1].
One could do it old school: key words in certain Ebay listings, sentence structure in Bluesky posts, what shoes I wear today, etc. But much slower and also more work than sending a text message.
[1] Useful against low skill terrorists, protestors and criminals, but also make it harder for e.g. people fleeing abusive ex-partners to hide.
"At least here in EU all SIMs need to be registered to a person"
Not sure about current law. On my last visit to the EU, I bought a cheap GSM phone and prepaid SIM in Germany. For cash.
And following that, I traveled to Greece. Where a local SIM required my passport number (or other ID).
Funny thing was: I only bought the Greek SIM to avoid outlandish roaming charges. The (anonymous) German SIM still worked, but would have been drained in short order.
Things may have changed in the last decade, but people who prize anonymity are sure to find new loopholes.
And following that, I traveled to Greece. Where a local SIM required my passport number (or other ID).
Last year, on holiday in Italy, I bought a prepaid SIM (for cheap data in my Android tablet) in a random High Street phone shop. I didn't have my passport with me (yes, I know I should have) but the guy was perfectly happy to make the sale and I never provided him, or the network, a passport number or any ID. He did do various stuff to activate it so maybe he made up a passport number or something. I don't know.
"SS7 won't help for encrypted calls"
You have to make the call. And so a record will be left within the telecoms systems (SS7). We may not be able to read or listen to the message, but the connection data exists. And in spite of all their other shortcomings, our phone companies are amazingly good at tracking calls when there's a fee collection involved.
“Mobile devices are now the primary gateway to the digital world. From banking to healthcare, users rely on apps for critical daily tasks. Yet, this convenience has become a double-edged sword.”
How about using a locked-down device with a read-only switch set for normal usage and not download from an apps store. I mean every time you install an app - it's game over as far as security is concerned.
NSO Pegasus
Paragon Graphite
LANDFALL
Each of these tools obtain PLAIN TEXT access to endpoints.
It DOES NOT MATTER if the endpoint user is a Signal customer.
- Yes.....Signal messages are encrypted while the messages are in transit
- But the same messages are IN PLAIN on the endpoint.....and can be read (see list above)
Duh!!!
Remember Jamal Khashoggi!!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
