Security Breach of Messaging App Clone Raises Questions About U.S. Government Communications

May 14, 2025


An alternative version of the Signal messaging app that was thought to be safe enough for high-level U.S. government officials has suspended service indefinitely after a security breach, and the incident has raised serious questions about how confidential and classified communications are being handled.


The flaw does not lie with Signal itself, which boasts some of the strongest end-to-end encryption available in messaging apps. The issue is with a clone from a vendor called TeleMessage that is built off the Signal source code and appears to have government contracts, yet also had what a hacker calls a “trivial” exploit and may have been storing messages in plaintext.

Security breach impacts government and private clients

The issue ranges beyond the US government, as TeleMessage parent company Smarsh also does business with some major private companies such as Coinbase and ScotiaBank. But the headlines are naturally focused on the impact on Trump administration members given the involvement of former national security adviser Mike Waltz, who made the news in March for accidentally inviting an Atlantic journalist to a secret high-level group chat about military plans in Yemen. In April a photojournalist with Reuters caught a shot of Waltz’s phone screen during a cabinet meeting that shows him using TeleMessage’s “TM SGNL” clone, which appears to have been hacked shortly after.

The security breach appears to be unrelated to Waltz, and the hacker says they did not have access to his messages or those of anyone from the Trump administration. But they did demonstrate to reporters that the exploit provides far-reaching access to the company’s message archiving servers, including the ability to view, in plaintext, Signal messages that should normally be encrypted. The news has caused TeleMessage to pull the app from the market while it investigates, and in the meantime government agencies such as the Department of Homeland Security and U.S. Customs and Border Protection have banned employees from using it.

The hacker, who first spoke to reporters with 404 Media, says that they were able to view internal messages from Coinbase and other organizations in plaintext and found backend login credentials for TeleMessage employees. Follow-up research indicates that the security breach also impacts other messaging app clones and message archives that Smarsh offers for services such as WhatsApp and WeChat. TM SGNL interacts seamlessly with others who are using the regular Signal app, but appears to strip the app’s encryption and send the archived messages to TeleMessage servers as plaintext.

Major security oversights in messaging app adoption

TeleMessage is supposed to be a way to add highly secure message archiving functionality to Signal, but the security breach makes it look more like a giant third-party vulnerability.

The hacker who uncovered the security breach appears to have disclosed it ethically (if also publicly) without taking illicit advantage. They warn, however, that they found the messaging app’s vulnerabilities within half an hour of beginning to explore it, and surmise that other parties quite possibly followed the same steps and found the same unprotected message archives. Most of the impacted agencies and businesses have yet to comment, but Coinbase has issued a statement indicating that customer accounts are not at risk.