[conspire] Signalgate gets dramatically worse

Rick Moen rick at linuxmafia.com
Sun May 4 19:34:38 PDT 2025


Thanks to two sharp-eyed analysts, there are plot twists in the
Signalgate story.  First, 404 Media journalist Joseph Cox noticed a
Reuters photo of Mike Waltz checking his Signal messages during a
Cabinet meeting and, surprise!  It's not actually Signal Messenger,
but rather a weird variant smartphone app from obscure Israeli company
TeleMessage called TM SGNL -- coded by them to interoperate using the
Signal Protocol, but wrapping that core protocol suite with some
alarming additions.  The firm, bought three years ago by Smarsh, Inc.
(https://www.smarsh.com/press-release/smarsh-to-acquire-telemessage),
also produces similarly mutated client code for Telegram, WhatsApp, and
WeChat.

The TM SGNL binary and source code were then analysed by cryptographer
Micah Lee and others
(https://micahflee.com/heres-the-source-code-for-the-unofficial-signal-app-used-by-trump-officials/).
Most significantly, that extra layer of TeleMessage-produced code
transparently sends an utterly plaintext copy of any Signal messages the
app handles, across the Internet to a TeleMessage-operated server on one
of Amazon's EC2 cloud-computing farms in Northern Virginia, for central
archiving -- including content flagged for automatic, timed
disappearance.  This alone eviscerates Signal security.  Even worse, the
archiving code uses hardcoded credentials, an absolute no-no for secure
communication (https://cwe.mitre.org/data/definitions/798.html), and is
said to commit other blunders.  (Lee has been doing further analysis
over the weekend.)

Within hours, a third-party coder (who has remained anonymous) used
these elementary mistakes, particularly the hardcoded credentials, to
break into TeleMessage's archiving data:
https://micahflee.com/the-signal-clone-the-trump-admin-uses-was-hacked/
This included a significant sample
of data related to Customs and Border Protection (CBP), the
cryptocurrency giant Coinbase, and other financial institutions, and
involving many other Federal officials.  Other TM SGNL-using
institutions shown in the gathered data include Scotiabank, Galaxy
Digital, and Washington D.C. Metropolitan Police.  The coder stressed
that his break-in was easy, taking "about 15-20 minutes".  And, as he
pointed out, if it was easy for him, it'll also have been easy for
countless others.

Provisioning of TM SGNL is interesting:  On Android, it's available only
from a private App Store collection available to employees of a
qualifying firm using Google Enterprise to manage devices.  On iOS,
there's a similar arrangement using the Apple Business Manager to
distribute code to employees' devices.  Both systems outsource
administration of the employee's device to admins of the respective
Mobile Device Management (MDM) service.

Doubtless, the pointy-hairs in TrumpCo 2.0 who selected this setup
thought it achieved greater security.  Ironically, it creates and
enforces dramatically less security.  But, hey, maybe it's all worth it
for them to evade the Federal Records Act.
