Mobile phone and lock icons showing messaging app security breach

High Security Messaging App Tool Used by US Government Suspends Service After Security Breach

A tool used by some US government officials to archive messaging app discussions has suspended service after reporting a security breach. TeleMessage provides a secure message archiving service used by some members of the US government among other more general clients, and has temporarily suspended service after a hacker surfaced with public claims of accessing private contact information and back-end login credentials.

The service was used by former national security advisor Mike Waltz, recently ousted from his position by the Trump administration after a scandal in which he errantly invited an Atlantic journalist to a secret high-level group chat. The hacker said that they did not access any of Waltz’s messages or any from other members of the cabinet, but that they were able to access some message content from unspecified other clients of TeleMessage.

Hacker claims breach of unofficial messaging app clone was likely not the first

TeleMessage provides secure archiving services for a variety of messaging apps, including Telegram and WhatsApp. In this case, the security breach is of an unofficial Signal clone that parent company Smarsh offers called “TM SGNL.”

As of this writing the service has been shut down for several days as the company conducts an internal investigation of the security breach, with no clear indication as to when it will return. Smarsh says that it has engaged the assistance of an external security firm, and that all of its other products remain fully operational. The company offers similar clones of the WhatsApp, Telegram, and WeChat messaging apps.

The hacker spoke to reporters with 404 Media to disclose their own security breach. They claimed to have only spent about 30 minutes locating a vulnerability that gave them extensive access to TM SGNL, and posited that many other interlopers would have been able to follow the same steps and it is quite possible that other spies have previously infiltrated the messaging app. The hacker said that they did not access information belonging to Waltz or other Trump cabinet members but did share screenshots indicating that they had access to message archives belonging to high-level employees of U.S. Customs and Border Protection, ScotiaBank and Coinbase among others. They also claim to have found back-end login credentials used by TeleMessage employees.

Coinbase has issued a statement indicating that the security breach has not had any impact on its operations or put any customer information at risk, since the messaging app is not used to share any account credentials or authorization elements. The other involved organizations have not made a statement as of yet.

Security breach puts spotlight on government messaging practices once again

The security breach follows the “Signalgate” incident of mid-March, in which Atlantic reporter Jeffrey Goldberg was mistakenly added to a high-level US government group chat by Waltz and had access to confidential conversations about plans to attack the Houthi rebels in Yemen. That incident had appeared to involve the use of the legitimate Signal app, but a feature of the TM SGNL clone is that it can interface seamlessly with users of the original app. This has raised some questions about how extensively these third-party app clones and services are used in government, and if they are sufficiently secure.

Waltz was inadvertently recorded using the TeleMessage app by reporters with Reuters covering a cabinet meeting in April, who snapped a picture in which it was visible on his phone screen. The Department of Homeland Security and U.S. Customs and Border Protection have since issued statements that they have disabled the Smarsh messaging app on agency devices.

Senator Ron Wyden of Oregon, a name frequently seen in matters involving digital privacy and cybersecurity, has sent a letter to Attorney General Pam Bondi requesting a Department of Justice (DOJ) investigation into TeleMessage on the basis of its foreign ownership and operation and potential violation of the terms of federal contracts. Wyden cites independent work by a researcher named Micah Lee, who makes clear a political motivation by calling a broad array of Trump administration officials “fascist” but also appears to point out valid and concerning flaws in TM SGNL structure. Primarily, the app appears to strip messages of Signal’s natural end-to-end encryption and stores them in plaintext on its archive server (an AWS public cloud located on a server in Virginia). Lee claims that this server was publicly accessible until the story was published, at which point TeleMessage took it offline. Screenshots shared by the researcher also appear to indicate that the company’s WhatsApp and WeChat clones are similarly vulnerable.

Casey Ellis, Founder at Bugcrowd, notes that this should serve as a warning that just because messaging apps are known to be secure it does not mean that all of their associated derivatives and bolt-ons are: “Hopefully this will go down in AppSec history as a prime example of why frameworks aren’t a silver-bullet security solution. The Signal source code is phenomenal and incredibly robust, however, there are certain things that it can’t and won’t do for security reasons. When user demand is great enough, developers will hack things to create unorthodox and insecure solutions like this one. The same thing happens in enterprise and government application development all the time, and this whole debacle is a solid reminder of the importance of runtime application testing and following security policy when it counts.”

Thomas Richards, Infrastructure Security Practice Director at Black Duck, adds: “This breach is alarming on many levels. Taking a secure messaging application and changing a core functionality such as backing up messages essentially breaks the security model.  Users want secure messaging for privacy, and it now appears that the messages stored were not encrypted. This creates a security risk for users of the application as their sensitive information could be, and has been, compromised.  Any organization who is looking into a secure messaging application for compliance reasons should do a thorough review of the application.  This should include at least a penetration test against the application and a threat model to understand what risks the application could introduce.  I would also encourage organizations to ask the developers to produce evidence of internal penetration testing along with an internal threat model to validate their claims of security and privacy.”