Agents with the Federal Bureau of Investigation (FBI) briefed Capitol Hill staff recently on hardening the security of their mobile devices, after a contacts list stolen from the personal phone of the White House Chief of Staff Susie Wiles was reportedly used to fuel a series of text messages and phone calls impersonating her to U.S. lawmakers. But in a letter this week to the FBI, one of the Senate’s most tech-savvy lawmakers says the feds aren’t doing enough to recommend more appropriate security protections that are already built into most consumer mobile devices.
A screenshot of the first page from Sen. Wyden’s letter to FBI Director Kash Patel.
On May 29, The Wall Street Journal reported that federal authorities were investigating a clandestine effort to impersonate Ms. Wiles via text messages and in phone calls that may have used AI to spoof her voice. According to The Journal, Wiles told associates her cellphone contacts were hacked, giving the impersonator access to the private phone numbers of some of the country’s most influential people.
The execution of this phishing and impersonation campaign — whatever its goals may have been — suggested the attackers were financially motivated, and not particularly sophisticated.
“It became clear to some of the lawmakers that the requests were suspicious when the impersonator began asking questions about Trump that Wiles should have known the answers to—and in one case, when the impersonator asked for a cash transfer, some of the people said,” the Journal wrote. “In many cases, the impersonator’s grammar was broken and the messages were more formal than the way Wiles typically communicates, people who have received the messages said. The calls and text messages also didn’t come from Wiles’s phone number.”
Sophisticated or not, the impersonation campaign was soon punctuated by the murder of Minnesota House of Representatives Speaker Emerita Melissa Hortman and her husband, and the shooting of Minnesota State Senator John Hoffman and his wife. So when FBI agents offered in mid-June to brief U.S. Senate staff on mobile threats, more than 140 staffers took them up on that invitation (a remarkably high number considering that no food was offered at the event).
But according to Sen. Ron Wyden (D-Ore.), the advice the FBI provided to Senate staffers was largely limited to remedial tips, such as not clicking on suspicious links or attachments, not using public wifi networks, turning off bluetooth, keeping phone software up to date, and rebooting regularly.
“This is insufficient to protect Senate employees and other high-value targets against foreign spies using advanced cyber tools,” Wyden wrote in a letter sent today to FBI Director Kash Patel. “Well-funded foreign intelligence agencies do not have to rely on phishing messages and malicious attachments to infect unsuspecting victims with spyware. Cyber mercenary companies sell their government customers advanced ‘zero-click’ capabilities to deliver spyware that do not require any action by the victim.”
Wyden stressed that to help counter sophisticated attacks, the FBI should be encouraging lawmakers and their staff to enable anti-spyware defenses that are built into Apple’s iOS and Google’s Android phone software.
These include Apple’s Lockdown Mode, which is designed for users who are worried they may be subject to targeted attacks. Lockdown Mode restricts non-essential iOS features to reduce the device’s overall attack surface. Google Android devices carry a similar feature called Advanced Protection Mode.
Wyden also urged the FBI to update its training to recommend a number of other steps that people can take to make their mobile devices less trackable, including the use of ad blockers to guard against malicious advertisements, disabling ad tracking IDs in mobile devices, and opting out of commercial data brokers (the suspect charged in the Minnesota shootings reportedly used multiple people-search services to find the home addresses of his targets).
The senator’s letter notes that while the FBI has recommended all of the above precautions in various advisories issued over the years, the advice the agency is giving now to the nation’s leaders needs to be more comprehensive, actionable and urgent.
“In spite of the seriousness of the threat, the FBI has yet to provide effective defensive guidance,” Wyden said.
Nicholas Weaver is a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif. Weaver said Lockdown Mode or Advanced Protection will mitigate many vulnerabilities, and should be the default setting for all members of Congress and their staff.
“Lawmakers are at exceptional risk and need to be exceptionally protected,” Weaver said. “Their computers should be locked down and well administered, etc. And the same applies to staffers.”
Weaver noted that Apple’s Lockdown Mode has a track record of blocking zero-day attacks on iOS applications; in September 2023, Citizen Lab documented how Lockdown Mode foiled a zero-click flaw capable of installing spyware on iOS devices without any interaction from the victim.
Earlier this month, Citizen Lab researchers documented a zero-click attack used to infect the iOS devices of two journalists with Paragon’s Graphite spyware. The vulnerability could be exploited merely by sending the target a booby-trapped media file delivered via iMessage. Apple also recently updated its advisory for the zero-click flaw (CVE-2025-43200), noting that it was mitigated as of iOS 18.3.1, which was released in February 2025.
Apple has not commented on whether CVE-2025-43200 could be exploited on devices with Lockdown Mode turned on. But HelpNetSecurity observed that at the same time Apple addressed CVE-2025-43200 back in February, the company fixed another vulnerability flagged by Citizen Lab researcher Bill Marczak: CVE-2025-24200, which Apple said was used in an extremely sophisticated physical attack against specific targeted individuals that allowed attackers to disable USB Restricted Mode on a locked device.
In other words, the flaw could apparently be exploited only if the attacker had physical access to the targeted vulnerable device. And as the old infosec industry adage goes, if an adversary has physical access to your device, it’s most likely not your device anymore.
I can’t speak to Google’s Advanced Protection Mode personally, because I don’t use Google or Android devices. But I have had Apple’s Lockdown Mode enabled on all of my Apple devices since it was first made available in September 2022. I can only think of a single occasion when one of my apps failed to work properly with Lockdown Mode turned on, and in that case I was able to add a temporary exception for that app in Lockdown Mode’s settings.
My main gripe with Lockdown Mode was captured in a March 2025 column by TechCrunch’s Lorenzo Francheschi-Bicchierai, who wrote about its penchant for periodically sending mystifying notifications that someone has been blocked from contacting you, even though nothing then prevents you from contacting that person directly. This has happened to me at least twice, and in both cases the person in question was already an approved contact, and said they had not attempted to reach out.
Although it would be nice if Apple’s Lockdown Mode sent fewer, less alarming and more informative alerts, the occasional baffling warning message is hardly enough to make me turn it off.
The only way to protect the “Washington Wizards” from themselves is to issue them “dumb phones” that can only make calls.
Years ago in a meet and greet with a former US Senator, he was the first person I’d heard refer to his cohorts in the Senate and House with this sarcastic term. Make no mistake, he was making it obvious most in Washington are far from wizards.
There is an inverse relationship between people’s level of authority and their willingness to deal with obstructive security measures.
The most important wizardry of congresscritters is the summoning of big, beautiful campaign contributions.
Power interprets regulation as damage and routes around.
That’s some senator with some advanced knowledge. I tell ya. Or maybe he listens to his cybersecurity advisors.
But going back to this article. I doubt, Brian that securing those people’s phones would do much to the security of our current government. Who cares if they have spyware on their phones, when half of them are ruzzian assets anyway?
Well this would be a start, but this doesn’t prevent the telecomm provider from being hacked or some kind of Stingray device being used in DC.
I haven’t heard much about the Chinese hacking US telecomm companies. Looking it up, there is a Reuters report from January 5, 2025 that it isn’t an issue … anymore.
Unfortunately for US security, this issue is only going to change if security is pushed from the top, given how lax our current president is regarding mobile device security, well any security, the only hope for the US is either spies can’t deal with so much information or it becomes so easy to operate here countries send their worst and dimmest spies.
Although when dealing with security, “hope isn’t a strategy”.
So Mr. Krebs does not use Google or Android. I wonder if he could share with us what kind of tech security he does use. For example, what type of encrypted email, what webhost, does he have his own server like Hillary Clinton famously did, what VPN service, security key, password manager, go-bag, what kind of physical security? In other words, a tour of the Krebs “Batcave”.
Haha, dare to dream.
So Wiles still has her phone, it was never missing…
How do we know the contacts were stolen from whatever computer she syncs contacts with?
Do these folks’ phone only sync with secured computers?
We’ve seen these folks using gmail personal accounts, are we sure they’re not synching their contacts over there, even occasionally/manually, and maybe have a bad gmail password and no 2fa?
I recommend to family/friends: reboot your phone every night when you plug in to recharge. If you can’t do that, then reboot once a week on Sunday night. Set a reminder. The vast majority of phone hacks do not survive a reboot.
Mr Krebs, I was worried about you, you hadn’t posted in quite some time!
As long as they don’t appoint Pete Kegbreath to lead the way on cybersecurity…
If she has Facebook app on her phone – it has access to her full address book. So,,, good luck with that.
Allowing these data harvesting companies to abuse people is part of the issue, the other is companies like FB eagerly abusing people/data. Just calling out FB because it is a prime example. Greed is a heck of an addiction, ask Gates, Musk, Trump, Biden, KJU, shi, putin. Once you have power to do whatever you want – you don’t ever want to give it up.
By the time this is taken seriously, it will already be too late.
May consider that it is untypical for the FBI to provide hardening guidance for mobile devices. Yes, they will provide advisory of threats and recommend action. NSA is generally considered accountable in providing guidance for government and sensitive environments.