Checklist 406: Less Salt, More Logos
AT&T and Verizon Respond to Salt Typhoon Cybersecurity Breach
In a significant update following the breach of U.S. telecom networks by the China-linked hacker group Salt Typhoon, both AT&T and Verizon have announced their networks are now secure. The revelations come after months of concern over compromised communications infrastructure, raising critical questions about cybersecurity readiness and consumer safety.
Background on Salt Typhoon Breach
First disclosed in October by AppleInsider and later detailed on Checklist 403, Salt Typhoon exploited vulnerabilities in the U.S. telecom wiretap network. The breach targeted backdoors created under the Communications Assistance for Law Enforcement Act (CALEA), which mandates that telecom providers maintain surveillance-ready systems for lawful interception. Reports suggest the group had unauthorized access to major carriers—including AT&T and Verizon—and their MVNO partners (e.g., Boost, Ting) for several months or longer.
In December, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) responded by urging Americans to adopt encrypted communication methods, such as iMessage, FaceTime, and Signal, to mitigate surveillance risks.
A December 30 article from TechCrunch marked the first acknowledgment by AT&T and Verizon of being targeted.
- AT&T: Spokesperson Alexander Byers assured customers there was “no activity by nation-state actors in our networks at this time.”
- Verizon: Spokesperson Richard Young stated the company had “contained the cyber incident” and had not detected threat activity on its network “for some time.” Verizon also noted that its containment efforts were validated by a “highly respected cybersecurity firm,” though the firm was not named.
Criticism and Recommendations
Despite the reassuring tone, skepticism lingers over the extended period of undetected breaches. The timeline of the Salt Typhoon activity—along with the lack of detailed disclosures—raises concerns about the initial detection and containment processes.
Security experts and federal agencies emphasize that encrypted communications remain essential for privacy protection. Recommendations include:
- Encrypted Apps: Use tools like Signal, iMessage, and FaceTime.
- Regular Updates: Ensure mobile devices receive timely operating system updates.
- Enhanced Authentication: Enable phishing-resistant multi-factor authentication (MFA) for accounts.
As CISA stated, “Encryption is your friend”: it makes intercepting and deciphering data nearly impossible, even in the event of a breach.
While AT&T and Verizon claim their networks are secure, the Salt Typhoon breach highlights vulnerabilities inherent in legacy systems and underscores the importance of proactive cybersecurity measures. Consumers are encouraged to remain vigilant and adopt encrypted tools to safeguard their communications.
FCC Launches U.S. Cyber Trust Mark for IoT Security
The Federal Communications Commission (FCC) has officially introduced the U.S. Cyber Trust Mark, a cybersecurity labeling program aimed at enhancing the safety of Internet-of-Things (IoT) consumer devices. While the initiative has been praised for its potential to improve device security, concerns about its implementation and impact remain.
What Is the Cyber Trust Mark?
The U.S. Cyber Trust Mark, first announced in mid-2023, is designed to help consumers identify IoT products that meet robust cybersecurity standards. According to The Hacker News, the label will apply to devices such as:
- Internet-connected home security cameras
- Voice-activated shopping devices
- Smart appliances
- Fitness trackers
- Garage door openers
- Baby monitors
Excluded from the program are medical devices (regulated by the FDA), motor vehicles (regulated by the NHTSA), wired devices, and industrial or enterprise-grade products.
Manufacturers must undergo testing by accredited FCC-recognized CyberLABs to verify their devices meet the program’s cybersecurity requirements. Approved products will display the Cyber Trust Mark logo and a QR code linking to additional security details.
Features of the Program
The QR code will provide users with critical security information, such as:
- The duration of product support
- Whether software patches and security updates are automatic
- Instructions for changing default passwords
- Additional steps to secure the device
These measures aim to simplify cybersecurity for consumers and encourage better practices by manufacturers.
Challenges and Criticism
Despite its potential, the program has drawn skepticism:
- Recognition Issues: The Cyber Trust Mark logo, while visually appealing, may take years to gain widespread recognition. Counterfeiters could also misuse the label on fake goods.
- QR Code Concerns: While informative, QR codes are increasingly associated with security risks. Experts warn about malicious QR codes, as discussed in Checklist 391 – Sextortion Scams and QR Codes, Revisited.
- Voluntary Participation: The program is not mandatory, raising doubts about how many manufacturers will invest time and resources to obtain a label that lacks immediate consumer awareness or regulatory pressure.
Reasons for Optimism
Despite the challenges, the initiative could drive positive change. Requiring participating manufacturers to disclose product support timelines might encourage longer support periods. Simplified instructions on password changes and updates could lead to better consumer security practices. The program also highlights the importance of software patches for IoT devices, a topic many users overlook.
The U.S. Cyber Trust Mark represents a step forward in IoT security, offering transparency and encouraging better practices. However, its voluntary nature and reliance on public recognition may limit its initial effectiveness. Still, with time, the program could improve the security landscape for IoT devices.