Connect with us

Published

2 months ago

on

Think twice before sending your next text message. Or better yet, make sure you are using an end-to-end encryption method.

Consumers regularly use different types of messaging technology from the biggest technology companies including Apple, Alphabet and Meta Platforms, including iMessage, Google Messages, WhatsApp and SMS, but the level of protection varies. Now, the U.S. government is expressing greater concern after a recent massive hack of the nation’s largest telecom companies. 

Last month, the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation revealed a campaign by hackers associated with China, Salt Typhoon, that compromised AT&T and Verizon, and others, and was one of the largest hacks of U.S. infrastructure in history. Following that warning, CISA, the National Security Agency, the FBI and international partners published a joint guide to help protect Americans. One suggestion is to use end-to-end encryption, a method that makes communications more secure.

End-to-end encryption helps ensure that only the intended recipients can read your messages as they travel between your phone and another person’s phone. Secure messaging apps use end-to-end encryption to protect communications from hackers, surveillance and unauthorized access, so even messaging app providers can’t read your messages.

“All things being equal, if you have the opportunity to use a platform that’s end-to-end encrypted, you should,” said Michael Hughes, chief business officer of Duality Technologies, which allows organizations to share and analyze sensitive data using encryption.

Many consumers don’t know their options for communicating securely over messaging apps. Here are the basics.

WhatsApp, Signal among best end-to-end options

Consumers use different messaging apps for various purposes, often without giving a second thought to security. However, there are notable differences among platforms that people need to be aware of. 

From a security perspective, free messaging apps like Meta’s WhatsApp and Signal — whose co-founder was one of the creators of WhatsApp — are considered the best because end-to-end encryption is built in. That makes these apps highly preferable to SMS and MMS, two older methods of messaging that don’t offer end-to-end encryption, said Trevor Horwitz, founder of TrustNet, a cybersecurity and compliance services provider.

Even platforms considered the best for end-to-end encryption have downsides. Signal is a favorite among many privacy enthusiasts because its mission emphasizes not collecting or storing sensitive information. This can be especially compelling for people who are wary of WhatsApp’s parent Facebook and its privacy practices. The downside to Signal is it’s not as widely used as WhatsApp and if your contacts aren’t on it, you can’t communicate, said Roger Grimes, an analyst at KnowBe4, a security platform provider.

There are also paid messaging apps that are end-to-end encrypted, such as Threema. It’s privacy by design and no phone number or email address is required, but it costs a few dollars, and getting your friends and family to join when there are free options that are already popular might be a challenge.

Most people will use encryption “if it’s default and they don’t have the slightest inconvenience,” Grimes said.

RCS and iMessage

Many messaging platforms now use RCS, which stands for Rich Communication Services. It’s a successor to SMS and MMS that has enhanced features and also offers the ability for end-to-end encryption, though not by default on all devices. For example, RCS messages using Google Messages are automatically upgraded to end-to-end encryption, but Apple’s implementation of RCS on iPhones is not end-to-end encrypted, Horwitz said. 

For any Apple device user, the company’s proprietary iMessage app is end-to-end encrypted, but for users sending RCS messages through other text plans, such as a mobile carrier text option, end-to-end encryption isn’t offered. As Apple explains itself of sending messages through non-iMessage RCS options: “They’re not protected from a third-party reading them while they’re sent between devices.”

Additionally, not all devices are compatible with RCS and it’s not universally supported by carriers. Plus, there are compatibility issues between some iPhone and Android devices that are still being worked out, Horwitz said. 

Facebook Messenger gaps in encryption

It’s even more complicated because technology companies have multiple messaging products and not every application from a particular provider supports end-to-end encryption in the same way. For example, Facebook Messenger offers end-to-end encrypted messages, but not in all cases. According to Facebook, some products don’t currently support end-to-end encryption, such as community chats for Facebook groups, chats with businesses or accounts using business messaging tools, Marketplace chats and others. 

Consumers should try to dig deeper into the apps they are using to understand how end-to-end encryption works for a particular app, said Deirdre Connolly, cryptography standardization research engineer at SandboxAQ, an AI applications developer. This information is often available in the support or privacy section of a provider’s website. But even then, it can be hard to find and decipher. “You have to go into the fine print,” Connolly said.

Google vs. Apple

Google Messages is the default messaging app on many devices running the Android operating system and many people use it to communicate, but consumers need to understand that not all messages sent or received using the app are end-to-end encrypted. The app supports end-to-end encryption when messaging other users using Google Messages over RCS, according to the company. But messages aren’t end-to-end encrypted when communicating with an iPhone user, for example. Text messages appear dark blue in the RCS state and light blue in the SMS/MMS state. Users will also see a lock symbol when end-to-end encryption is active in a conversation. 

In Apple’s case, communications between two iMessage users are end-to-end encrypted, but iMessage is an Apple-specific platform. That means, at present, communications between iMessage users and Android device users aren’t end-to-end encrypted. A green message bubble instead of a blue one indicates the message was sent using MMS/SMS instead of iMessage.

In fact, a Department of Justice antitrust case against Apple harps on the failure to offer end-to-end encryption outside its iOS messaging app as a monopoly concern.

Protocols are being developed to allow end-to-end encryption between different communication platforms using RCS, but that’s still a work in progress. “Work with key industry stakeholders is progressing well and we look forward to updating the market in the coming months,” said a spokesperson for GSMA, an industry organization spearheading this effort. 

Phone settings and ongoing risk of hacks

One thing people should do is check the settings on their phones. Many consumers have older phones and those who don’t have auto updates enabled may miss critical security updates, which could include messaging apps that allow for end-for-end encryption, said Chris Henderson, senior director of threat operations at Huntress, a cybersecurity company. Also, with a new phone, settings on transferred apps might not migrate. If you have enabled end-to-end encryption for apps on your prior phone, it’s also a good idea to check that the settings are enabled on the new phone as well, Henderson said.

End-to-end encryption is not foolproof because hackers can intercept users’ communications in other ways, such as if the device itself is compromised, Horwitz said. For security purposes, it’s also important to keep your devices healthy by installing all software updates, avoiding sketchy downloads, and performing periodic reboots.

Even so, using end-to-end encryption is a good practice, when available. “Threat actors go where the masses go,” said Kory Daniels, global CISO for Trustwave, a cybersecurity and managed security services provider. “If the masses are still using unencrypted communication methods, [bad actors] will continue to exploit the opportunity until users begin to evolve their digital behaviors.”

Related Topics:
Continue Reading

Technology

Chinese medical devices are in health systems across U.S., and the government and hospitals are worried

Published

15 hours ago

on

February 23, 2025

By

Chinese medical devices are in health systems across U.S., and the government and hospitals are worried

A popular medical monitor is the latest device produced in China to receive scrutiny for its potential cyber risks.  However, it is not the only health device we should be concerned about. Experts say the proliferation of Chinese health-care devices in the U.S. medical system is a cause for concern across the entire ecosystem. 

The Contec CMS8000 is a popular medical monitor that tracks a patient’s vital signs.  The device tracks electrocardiograms, heart rate, blood oxygen saturation, non-invasive blood pressure, temperature, and respiration rate.  In recent months, the FDA and the Cybersecurity and Infrastructure Security Agency (CISA) both warned about a “backdoor” in the device, an “easy-to-exploit vulnerability that could allow a bad actor to alter its configuration.”  

CISA’s research team described “anomalous network traffic” and the backdoor “allowing the device to download and execute unverified remote files” to an IP address not associated with a medical device manufacturer or medical facility but a third-party university — “highly unusual characteristics” that go against generally accepted practices, “especially for medical devices.”

“When the function is executed, files on the device are forcibly overwritten, preventing the end customer—such as a hospital—from maintaining awareness of what software is running on the device,” CISA wrote.

The warnings says such configuration alteration could lead to, for instance, the monitor saying that a patient’s kidneys are malfunctioning or breathing failing, and that could cause medical staff to administer unneeded remedies that could be harmful. 

The Contec’s vulnerability doesn’t surprise medical and IT experts who have warned for years that medical device security is too lax. 

Hospitals are worried about cyber risks

“This is a huge gap that is about to explode,” said Christopher Kaufman, a business professor at Westcliff University in Irvine, California, who specializes in IT and disruptive technologies, specifically referring to the security gap in many medical devices.

The American Hospital Association, which represents over 5,000 hospitals and clinics in the U.S., agrees. It views the proliferation of Chinese medical devices as a serious threat to the system. 

As for the Contec monitors specifically, the AHA says the problem urgently needs to be addressed. 

“We have to put this at the top of the list for the potential for patient harm; we have to patch before they hack,” said John Riggi, national advisor for cybersecurity and risk for the American Hospital Association.  Riggi also served in FBI counterterrorism roles before joining the AHA. 

CISA reports that no software patch is available to help mitigate this risk, but in its advisory said the government is currently working with Contec. 

Contec, headquartered in Qinhuangdao, China,  did not return a request for comment. 

One of the problems is that it is unknown how many monitors there are in the U.S. 

“We don’t know because of the sheer volume of equipment in hospitals. We speculate there are, conservatively, thousands of these monitors; this is a very critical vulnerability,” Riggi said, adding that Chinese access to the devices can pose strategic, technical, and supply chain risks. 

In the short-term, the FDA advised medical systems and patients to make sure the devices are only running locally or to disable any remote monitoring; or if remote monitoring is the only option, to stop using the device if an alternative is available. The FDA said that to date it is not aware of any cybersecurity incidents, injuries, or deaths related to the vulnerability.

The American Hospital Association has also told its members that until a patch is available, hospitals should make sure the monitor no longer has access to the internet, and is segmented from the rest of the network.

Riggi said the while the Contec monitors are a prime example of what we don’t often consider among health care risk, it extends to a range of medical equipment produced overseas. Cash-strapped U.S. hospitals, he explained, often buy medical devices from China, a country with a history of installing destructive malware inside critical infrastructure in the U.S.  Low-cost equipment buys the Chinese potential access to a trove of American medical information that can be repurposed and aggregated for all sorts of purposes. Riggs says data is often transmitted to China with the stated purpose of monitoring a device’s performance, but little else is known about what happens to the data beyond that. 

Riggi says individuals aren’t at acute medical risk as much as the information being collected and aggregated for repurposing and putting the larger medical system at risk. Still, he points out that, at least theoretically, is can’t be ruled out that prominent Americans with medical devices could be targeted for disruption. 

“When we talk to hospitals,  CEOS are surprised, they had no idea about the dangers of these devices, so we are helping them understand.  The question for government is how to incentivize domestic production, away from overseas,”  Riggi said. 

Chinese data collection on Americans

The Contec warning is similar at a general level to TikTok, DeepSeek, TP-Link routers, and other devices and technology from China that the U.S. government says are collecting data on Americans. “And that is all I need to hear in deciding whether to buy medical devices from China,” Riggi said. 

Aras Nazarovas, an information security researcher at Cybernews, agrees that the CISA threat raises serious issues that need to be addressed. 

“We have a lot to fear,” Nazarovas said. Medical devices, like the Contec CMS8000, often have access to highly sensitive patient data and are directly connected to life-saving functions.  Nazarovas says that when the devices are poorly defended, they become easy prey for hackers who can manipulate the displayed data, alter vital settings, or disable the device completely.  

“In some cases, these devices are so poorly protected that attackers can gain remote access and change how the device operates without the hospital or patients ever knowing,” Nazarovas said. 

The consequences of the Contec vulnerability and vulnerabilities in an array of Chinese-made medical devices could easily be life-threatening.  

“Imagine a patient monitor that stops alerting doctors to a drop in a patient’s heart rate or sends incorrect readings, leading to a delayed or wrong diagnosis,” Nazarovas said. In the case of the Contec CMS8000, and Epsimed MN-120 (a different brand name for the same tech), warning from the government, these devices were configured to allow remote code execution by the remote server.  

“This functionality can be used as an entry point into the hospital’s network,” Nazarovas said, leading to patient danger.  

More hospitals and clinics are paying attention. Bartlett Regional Hospital in Juneau, Alaska, does not use the Contec monitors but is always looking for risks. “Regular monitoring is critical as the risk of cybersecurity attacks on hospitals continues to increase,” says Erin Hardin, a spokeswoman for Bartlett.  

However, regular monitoring may not be enough as long as devices are made with poor security. 

Potentially making matters worse, Kaufman says, is that the Department of Government Efficiency is hollowing out departments in charge of safeguarding such devices. According to the Associated Press, many of the recent layoffs at the FDA are employees who review the safety of medical devices. 

Kaufman laments the likely lack of government supervision on what is already, he says, a loosely regulated industry. A U.S. Government Accountability Office report as of January 2022, indicated that 53% of connected medical devices and other Internet of Things devices in hospitals had known critical vulnerabilities. He says the problem has only gotten worse since then. “I’m not sure what is going to be left running these agencies,” Kaufman said.

“Medical device issues are widespread and have been known for some time now,” said Silas Cutler, principal security researcher at medical data company Censys. “The reality is that the consequences can be dire – and even deadly. While high-profile individuals are at heightened risk, the most impacted are going to be the hospital systems themselves, with cascading effects on everyday patients.”  

Continue Reading

Technology

Substack boosts video capabilities amid potential TikTok ban

Published

18 hours ago

on

February 23, 2025

By

Substack boosts video capabilities amid potential TikTok ban

Rafael Henrique | SOPA Images | AP

After posting almost 200 videos, amassing hundreds of thousands of followers and racking up millions of views, Carla Lalli Music is quitting YouTube. Substack is her new focus. 

Music is a cookbook author and food content creator, and she is shifting her focus to Substack, a subscription platform that lets creators charge users subscriptions for access to their content. Music told CNBC she came to that decision after earning more in one year of using Substack, nearly $200,000 in revenue, than she did by posting videos on YouTube since 2021. 

Music is the exact kind of content creator that Substack is trying to lure to its platform as TikTok’s future in the U.S. remains in limbo. 

San Francisco-based Substack launched in 2017 as a tool for newsletter writers to charge readers a monthly fee to read their content. The platform allows creators to connect to their followers directly without having to navigate algorithmic models that control when their content is shown, as is the case on TikTok, Google’s YouTube and other social platforms. Substack has raised about $100 million, most recently at a post-money valuation of more than $650 million, the company told CNBC.

This year, Substack has broadened its focus beyond newsletters, and on Thursday, it announced that creators can now post video content directly through the Substack app and monetize these videos.

“There’s going to be a world of people who are much more focused on videos,” Substack Co-founder Hamish McKenzie told CNBC. “That is a huge world that Substack is only starting to penetrate.”

Substack began this push after the social media landscape was thrown into flux as a result of the effective ban of TikTok in January that caused the popular Chinese-owned service to go offline for a few hours. TikTok was also removed from Apple and Google’s app stores for nearly a month. 

The disruption to TikTok in January happened as a result of a law signed by former President Joe Biden to force a sale of the Chinese-owned app or have it effectively banned in the U.S. On his first day in office, President Donald Trump signed an executive order extending TikTok’s ability to operate in the U.S., but that order expires on April 5. 

Days after TikTok went offline, Substack launched a $20 million fund to court creators to its platform.

“If TikTok gets banned for political reasons, there’s nothing to do with the work you’ve done, but it really affects your life,” McKenzie said. “The only and surefire guard against that is if you don’t place your audience in the hands of some other volatile system who doesn’t care about what happens to your livelihood.”

Moving beyond newsletters

McKenzie says that they are going after creators on competing social media platforms to start sharing their video content on Substack.

“Video-first creators, people who are mobile oriented, there’s a whole lot of new possibility waiting to be unlocked once they meet this model in the right place,” McKenzie said. 

Already, Substack has more than 4 million paid subscriptions with over 50,000 creators who make money on the platform, the company said. Substack says that 82% of its top 250 revenue-generating creators have already integrated audio or video into their content, reflecting a growing emphasis on multimedia content.

Prior to the video announcements, Substack allowed creators to post videos on the app to Notes, which is the platform’s front-facing feed format. But the feature did not allow creators to publish video content behind Substack’s paywalls. 

The update enables creators to put video content behind a paywall and it provides data on estimated revenue impact. It also allows them to track viewership and new subscribers.

Carla Lalli Music is a cookbook writer and food creator.

Carla Lalli Music

The push by Substack into video is a welcomed development for creators like Music, who was losing money from making videos for YouTube. 

Music said each video costs her $3,500 to produce despite filming at home. If she published four videos a month on YouTube, she’d earn about $4,000 in revenue. Music was losing about $10,000 a month, she said. 

“It’s really depressing to operate at a loss,” said Music. 

Even with brand deals, which is an agreement where brands pay creators to post content that promotes their products, the earnings were barely enough to recoup the costs of posting on YouTube, Music said. 

More than half of the $290 billion creator economy comes from direct-to-fan value. That includes ticket sales, courses, livestreams and paid memberships, according to a survey conducted by Patreon, a Substack competitor.

With her shift to Substack, Music said she’s now focused on writing another book, posting recipes behind the platform’s paywall and sprinkling in occasional videos.

“I have a lot more to benefit from focused attention on a smaller group of people than I ever did on throwing stuff and seeing what was going to stick with billions of potential audience members,” Music said. “It’s more sustainable.”

WATCH: Our base case for TikTok is that it gets banned in the U.S.: Lead Edge Capital’s Mitchell Green

Our base case for TikTok is that it gets banned in the U.S.: Lead Edge Capital's Mitchell Green

Continue Reading

Technology

Anne Wojcicki has a new offer to take 23andMe private, this time for $74.7 million

Published

2 days ago

on

February 21, 2025

By

Anne Wojcicki has a new offer to take 23andMe private, this time for .7 million

Anne Wojcicki attends the WSJ Magazine Style & Tech Dinner in Atherton, California, on March 15, 2023.

Kelly Sullivan | Getty Images Entertainment | Getty Images

23andMe CEO Anne Wojcicki and New Mountain Capital have submitted a proposal to take the embattled genetic testing company private, according to a Friday filing with the U.S. Securities and Exchange Commission.

Wojcicki and New Mountain have offered to acquire all of 23andMe’s outstanding shares in cash for $2.53 per share, or an equity value of approximately $74.7 million. The company’s stock closed at $2.42 on Friday with a market cap of about $65 million.

The offer comes after a turbulent year for 23andMe, with the stock losing more than 80% of its value in 2024. In January, the company announced plans to explore strategic alternatives, which could include a sale of the company or its assets, a restructuring or a business combination. 

Read more CNBC tech news

23andMe has a special committee of independent directors in place to evaluate potential paths forward. The company appointed three new independent directors to its board in October after all seven of its previous directors abruptly resigned the prior month. The special committee has to approve Wojcicki and New Mountain’s proposal.

“We believe that our Proposal provides compelling value and immediate liquidity to the Company’s public stockholders,” Wojcicki and Matthew Holt, managing director and president of private equity at New Mountain, wrote in a letter to the special committee on Thursday.

Wojcicki previously submitted a proposal to take the company private for 40 cents per share in July, but it was rejected by the special committee, in part because the members said it lacked committed financing and did not provide a premium to the closing price at the time.

Wojcicki and New Mountain are willing to provide secured debt financing to fund 23andMe’s operations through the transaction’s closing, the filing said. New Mountain is based in New York and has $55 billion of assets under management, according to its website.

23andMe declined to comment.

WATCH: The rise and fall of 23andMe

The rise and fall of 23andMe

Continue Reading

Trending