The US Government's Signal Situation Has Only Gotten Worse

If you want to send private messages securely, Signal is a great option. If you are a government official discussing classified information? Not so much.

The same goes for Trump administration officials: Last month, we learned that highly sensitive military plans were being discussed in Signal group chats after Jeffrey Goldberg, editor-in-chief of The Atlantic, was accidentally added to the conversation by then-National Security Adviser Mike Waltz. (Trump has since fired Waltz and later appointed him UN ambassador.)

Signalgate continues

There are many reasons why the administration's Signal strategy is problematic, but the problems don't end there. On Thursday, Reuters published a photo of Mike Waltz during a Cabinet meeting at the White House. While there are a lot of important people to pay attention to in the photo, 404 Media focused on Waltz, namely his iPhone. The publication noted that Waltz had message threads open with officials such as Tulsi Gabbard (Director of National Intelligence), Marco Rubio (Secretary of State) and J.D. Vance (Vice President), along with a PIN verification message of the kind Signal regularly shows users to help them remember their credentials.

However, 404 Media noticed that this is not the usual Signal PIN verification pop-up: The message says “TM SGNL PIN,” which is a PIN verification screen for TeleMessage, a Signal “clone” that advertises itself as a way to archive your Signal messages. While the app claims it doesn’t hack Signal’s secure messaging system to archive messages, 404 Media reports that the advertised service has multiple security vulnerabilities.

It did not take long for these vulnerabilities to turn into a catastrophe. On Sunday, 404 Media reported that a hacker had broken into TeleMessage networks and stolen customer data. While the hacker didn't take everything, he did get some private messages and group chats, as well as data from modified versions of other chat apps like WhatsApp, Telegram and WeChat, all within about 15 to 20 minutes of hacking. 404 Media reports that the hacker did not gain access to Waltz's chats or the conversations of any cabinet members, but he did gain access to the names and contact information of government officials, login credentials for TeleMessage's internal dashboard (a tool that allows TeleMessage administrators to manage the service), and information indicating which agencies can use TeleMessage.

Some of the stolen messages appeared to reflect a discussion about ongoing efforts to gather votes in support of the cryptocurrency bill. One message said: “Just spoke with a D staffer on the Senate side – 2 co-sponsors (Alsobrooks and Gillibrand) did not sign the letter in opposition, so they believe the bill still has a good chance of passing the Senate, and 5 more Ds support it.” The hack did not reveal sensitive information, but it did reveal political conversations that the senders likely never intended to appear in the press.

Why is TeleMessage unsafe?

To understand why TeleMessage is not a secure service and why it is unlikely that a government agency would use it for secret conversations, you need to understand what makes Signal secure.

Signal chats are end-to-end encrypted. This means that when you talk to someone through the app, only you and the recipient can access the conversation. When you send a message, the text is encrypted in transit and decrypted when it reaches the other user's device. If someone were to intercept the message in transit, it would look like unreadable ciphertext: only the devices of the chat participants can decrypt the message and return it to a readable form.

This setup prevents even Signal from accessing your messages. No authority can force Signal to hand over your messages because the company itself does not have access to the only thing that can decrypt messages: your device. Even if someone hacks Signal's database, they'll be out of luck.

TeleMessage, on the other hand, breaks this security chain. To archive these messages, TeleMessage must first capture them in plain text and store them. Although the company claims to do this while maintaining security, the fact that this hacker was able to obtain direct messages proves that the end-to-end encryption is broken. The stolen information was taken from data collected for "debugging purposes", an unintentional leak of decrypted data in the TeleMessage security chain. It doesn't matter whether the service stores all messages in an encrypted archive: the company processes the decrypted data in insecure ways, which leaves it accessible to hackers.

Even before the hack, 404 Media was skeptical about the service’s security as it touted the archiving of these “end-to-end encrypted” messages in Gmail, a platform not known to have end-to-end encryption. (Although TeleMessage said the Gmail aspect was only for “demo” purposes.) The publication also emphasizes that Signal does not guarantee the privacy or security of unofficial versions of its app.

Signal is great for personal use, not for sensitive information

Signal and other end-to-end encrypted services like it are great for personal security. Your messages cannot be accessed by anyone without physical access to the trusted devices involved, which is essential to protecting your digital privacy.

But encryption isn't the only security issue. Any kind of digital communication, including end-to-end encrypted messaging, still has many vulnerabilities and weaknesses.

Hackers know that these messages can only be decrypted by the devices involved. So, a great way to break this security is to hack the devices themselves. Hackers use malware such as “Pegasus” to surreptitiously infiltrate a target’s device and gain access to sensitive data, including encrypted data.

Hackers regularly target high-profile individuals with this type of malware, so much so that Apple regularly warns affected users. Waltz is no exception: according to Mike Casey, former director of the National Counterintelligence Center, there is “zero probability that someone didn’t try to install Pegasus or some other spyware on [Mike Waltz’s] phone… he’s probably one of the top five most targeted people in the world for spying.”

Of course, this only applies to your personal device. You'll also have to worry about the other end of the conversation. If you're communicating with someone through an encrypted chat app and their phone is hacked, it doesn't matter how secure you are: your messages are vulnerable. They don't even need to be hacked: they can leave their phone unlocked so anyone can pick up the phone and access it. And if you talk in group chats, as Trump administration officials did, the security implications only multiply.

All digital communication comes with risk: it's up to you to decide what level of risk is worth the data you're transmitting. For most private conversations, you'll probably be fine with using an encrypted service like Signal. However, if you are discussing details that could put people's lives at risk, it may be better to keep them in a SCIF.
