Seriously Risky Business Newsletter
May 08, 2025
It's Like Signal, but Dumb
Policy & Intelligence
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Stairwell.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The use of encrypted messaging apps by senior Trump officials has become a rolling security disaster. We've now learned that rather than using actual Signal, they've been using a bastardised version that undermines the app's security guarantees.
Last week, President Trump's then-national security advisor Mike Waltz was photographed surreptitiously checking his phone for messages during a cabinet meeting. It gave a decent view of exactly what was on Waltz's screen. Rather than the official Signal app, he appeared to be using something called TM SGNL to communicate with Secretary of State Marco Rubio, Vice President JD Vance, Director of National Intelligence Tulsi Gabbard and special envoy Mike Witkoff.
It turns out TM SGNL is a forked version of Signal maintained by a company called TeleMessage. The company makes clones of popular consumer messaging apps with the addition of archiving functions to store messages.
Record-keeping in government is a good thing. Since Waltz was discovered to be using TeleMessage's app, though, the service has reportedly been breached in two separate incidents. That is not a good thing.
The first breach was reported by 404 Media. An unnamed hacker provided the outlet with evidence he had access to TeleMessage data related to US Customs and Border Protection, Coinbase and other financial institutions. Per 404 Media:
The data includes apparent message contents; the names and contact information for government officials; usernames and passwords for TeleMessage's backend panel; and indications of what agencies and companies might be TeleMessage customers. The data is not representative of all of TeleMessage's customers or the sorts of messages it covers; instead, it is snapshots of data passing through TeleMessage's servers at a point in time. The hacker was able to log in to the TeleMessage backend panel using the usernames and passwords found in these snapshots.
The hacker did not retrieve any messages from Waltz or Trump's cabinet. However, he told 404 Media "the whole process took about 15-20 minutes" and he grabbed only a subset of the data he had access to. Another hacker provided credible evidence to NBC News that they accessed TeleMessage's archive server and downloaded a large cache of files.
In a well-implemented end-to-end encrypted messenger such as Signal, only the devices of the intended recipients have access to plaintext (unencrypted) messages. This is about as good as it gets from a security point of view, as long as you are OK with your communications being sent over (not entirely secure) internet-connected devices in the first place.
In a system where archiving is well-implemented, only the intended recipients and a customer-controlled archive server would have access to plaintext messages. This centralised store of messages is definitely an extra point of vulnerability, but considering record-keeping is crucial for good government, it's a necessary compromise. The sensible response here would be to ensure the archiving process is secure.
Unfortunately, TeleMessage just didn't do the work.
An analysis of TeleMessage's Android app by security engineer and journalist Micah Lee found that in the case of TM SGNL the intended recipients, the customer's archive store, and TeleMessage itself had access to plaintext messages. The company's archive server received plaintext chat logs directly from devices running TM SGNL and then forwarded these logs to the customer-controlled archive destination. So, it's really a misnomer to call it an 'archive server'. We think 'best place to steal messages' server is more fitting.
On Tuesday, NBC News reported TeleMessage had suspended its services "out of an abundance of caution". We'd be cautious too if we were being hacked daily and our product was the favoured messaging service of the White House.
Beyond the White House, TeleMessage archiving products are used by several US government agencies. Procurement records show that the list of government departments that entered into contracts for TeleMessage's archiving products includes Homeland Security's Federal Emergency Management Agency, the Centers for Disease Control and Prevention and the National Archives. These contracts commenced in 2023 or 2024, under the Biden administration.
While communications security is important for most of these agencies, the fate of nations doesn't depend upon it. In these examples, when balancing the information at risk, security, record-keeping, convenience and cost, an end-to-end encrypted messaging app on commodity smartphones coupled with a secure archiving system makes sense. These agencies have a reasonable requirement but chose the wrong tool for the job. TM SGNL is just a badly implemented system.
Curiously, the US government already knows of, and uses, a better alternative. AWS Wickr is an end-to-end encrypted messenger with archive capabilities. It has been approved for some government use, including for controlled unclassified information in the US Department of Defense. We are surprised that, after jumping through these approval hoops, Wickr is not the only choice for secure messengers in government.
One key point here, though, is that even Wickr, which has been far more rigorously assessed, is still only suitable for unclassified information.
In the case of Trump's cabinet, recent reporting suggests that Signal* is used to send and receive messages of very high interest to America's adversaries. This week The Wall Street Journal reported that Secretary of Defense Pete Hegseth was using the app for official Pentagon business in at least a dozen separate chats. Per The Journal:
Instead of using the Pentagon's vast communications network, Hegseth preferred Signal to run the Defense Department's day-to-day operations, the people said…
To read the messages, aides routinely had to step away from their desks to find a location in the Pentagon that received phone service, which is spotty in the building.
It would be laughable, if it weren't so deadly serious:
Among the messages posted in some of the other chats by Hegseth were his thoughts on personnel matters, Pentagon programs facing cuts, and details of administration national security debates.
In one case, he authorised aides to tell foreign governments about an unfolding military operation. This is all intelligence gold.
Protecting conversations of such importance presents an entirely different risk calculus. We don't believe internet-connected consumer smartphones will ever be appropriate when that kind of information is at risk.
When it comes to such sensitive communications, we stand by our original analysis when we first wrote about the Signal saga a month ago.
"Hey, perhaps we should talk about this elsewhere."
*It's not clear whether the entire Trump cabinet is using normal Signal or the TeleMessage version. They haven't all checked their messages in front of Reuters photographers yet.
US Cyber Command to Be Unleashed
The US is vowing to take the gloves off in cyberspace.
Speaking at the RSA Conference, Alexei Bulazel, Senior Director for Cyber and Special Assistant to the President, said he wanted to "destigmatise and normalise" offensive cyber operations.
The idea of using cyber operations to disrupt adversaries has historically been controversial, but Bulazel's comments as reported in The Record and CyberScoop are pretty sensible.
Bulazel described offensive cyber operations as "one arrow in the quiver". Per CyberScoop:
"I think deterrence in cybersecurity is actually very hard," he said. "I think there's a lot we could do to increase costs on these actors," adding that a response should show adversaries that "if you come do this to us, we'll strike back and we'll punch back, and administrations before us have been hesitant to do that."
This hits the nail on the head. But we don't think the US needs to focus on fighting back with cyber punches, so much as blows that really hurt.
The US has already thrown a few jabs. It has indicted lots and lots of Chinese hackers involved in intellectual property theft. But these are all examples of piecemeal responses that target individual threat actors.
Public indictments might once have been embarrassing for the Chinese government, but the suspects were just cogs in the machine of far larger campaigns to boost domestic industry. The pain never outweighed the gain. China has not been deterred simply because a few foot soldiers have been named in US indictments.
Given that President Trump is perfectly willing to take strong action, will making offensive cyber a more prominent part of the US tool kit make much difference? We suspect it won't be long before we find out.
Three Reasons to Be Cheerful This Week:
- US takes action against scam syndicates: The US Treasury department has taken recent action against entities related to Southeast Asian scam syndicates. It has proposed sanctioning the Cambodia-based Huione Group because of its involvement in money laundering. Treasury Secretary Scott Bessent said the Huione Group is the "marketplace of choice" for Southeast Asian scam syndicates and North Korean cyber actors. It has also sanctioned the Karen National Army, a Myanmar militia group, and its leader Saw Chit Thu. Further coverage at The Record.
- Hacking WhatsApp becomes VERY expensive: A jury in California has ruled that spyware vendor NSO Group must pay WhatsApp nearly USD$445,000 in compensation and a whopping USD$167 million in punitive damages. NSO Group sold Pegasus spyware and had targeted around 1,400 WhatsApp users. Pegasus was implicated in human rights abuses around the world.
- ICC says cyber doesn't matter: The International Criminal Court, which investigates and prosecutes crimes such as genocide, war crimes and crimes against humanity, is seeking feedback on a draft policy on cyber-enabled crimes. It looks pretty sensible to us, in that it essentially says that crimes are defined by their impact on people, and it doesn't matter whether they were cyber-enabled or not.
Sponsor Section
In this Risky Bulletin sponsor interview, Mike Wiacek, CEO and founder of Stairwell, explains why he believes security is really a data storage and retrieval problem. He demonstrates how that pays off in the analysis of new malware.
Shorts
Fighting Cheaters with Mind Games
TechCrunch has an interesting article about how Riot Games combats cheating in its video games.
The company uses a variety of strategies including:
… leveraging the security features in the Windows operating system, fingerprinting cheaters' hardware to stop them from reoffending, infiltrating cheat communities, and playing psychological games in an effort to discredit cheaters.
Like cyber operations tackling ransomware crews, there is no single measure that will eliminate cheating. Instead, a variety of tactics are used to suppress it.
Risky Business Interviews Mark Warner
Risky Business host Patrick Gray interviewed Senator Mark Warner, Vice Chair of the Senate Select Committee on Intelligence. The pair talked about Signalgate, why America needs to be more aggressive in responding to Volt Typhoon, how tariffs are affecting American alliances and why the Five Eyes alliance is sacrosanct.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion, Tom Uren and The Grugq talk about an in-depth report on a Ukrainian hacking control panel. The panel shows how the Ukrainian group thinks about hacking operations and the pair discuss why the report exists and what it achieves.
From Risky Bulletin:
Microsoft joins industry crackdown on bulk email senders: Microsoft has joined rivals in the consumer email inbox market, such as Apple, Google, and Yahoo, and implemented stronger anti-spam features for its Outlook.com email platform.
The new rules entered into effect on Monday, May 5, and apply only to bulk senders, which are domains that send more than 5,000 emails per day to Outlook users.
Bulk senders must now authenticate their domains using modern email security standards such as DKIM, DMARC, and SPF.
They must also provide an easy way for users to unsubscribe and remove invalid email addresses from their sender lists to prevent server bandwidth waste.
[more on Risky Bulletin]
Six-year-old backdoor comes to life to hijack Magento stores: Hackers activated secret backdoors they planted six years ago inside Magento plugins to hijack almost 1,000 Magento online stores.
The initial compromises took place in 2019 when the attackers allegedly gained access to the servers of three Magento software developers—Magesolution, Meetanshi, and Tigren.
According to security firm Sansec, the hackers modified the source code of 21 plugins. The backdoor was hidden in the License.php file, which is typically included in most plugins to check if the user holds a valid license.
Sansec says the malicious code was left dormant for six years until April when the attackers started exploiting it to deploy malicious code on Magento stores that installed the plugins.
[more on Risky Bulletin]
New Microsoft accounts will be passwordless by default: Microsoft is making the passwordless login experience the default for all new user accounts, the company said in a blog post on World Password Day.
New users will have several passwordless options to choose from when creating their account, and they won't need to set up a password going forward.
Existing users also have a new option in their settings that will let them unlink and delete passwords from their accounts.
[more on Risky Bulletin]