Upwardly Mobile - API & App Security News

The Signal Clone Crisis: Mike Waltz, TeleMessage, and the Hack That Exposed Sensitive Comms

Episode Summary: In this episode of Upwardly Mobile, we unpack the unsettling incident involving TeleMessage, a modified clone of the secure messaging app Signal, its use by the U.S. government, and the subsequent data breach. We explore how a lack of fundamental security measures like app attestation and token-based API access created gaping vulnerabilities, allowing a hacker to access sensitive archived data. Drawing on insights from the sources, we discuss why encryption alone is insufficient and highlight the urgent need for robust client-side security to protect sensitive communications and safeguard brand trust in the digital age.
Key Takeaways:
  • An obscure Israeli company called TeleMessage offers modified versions of secure messaging apps like Signal, WhatsApp, Telegram, and WeChat, primarily for archiving purposes to meet compliance requirements for organisations, including the U.S. government.
  • Former National Security Advisor Mike Waltz was reportedly photographed using a modified version of Signal by TeleMessage, labelled "TM SGNL," during a cabinet meeting, bringing attention to the use of such apps in sensitive government contexts.
  • Despite being based on Signal’s open-source code, TeleMessage lacked core security defences such as robust app attestation and secure token-based API access control. This allowed the repackaged and unverified app to establish trust with the Signal backend and interact with secure infrastructure as if it were legitimate.
  • A hacker successfully breached TeleMessage and stole customer data, including contents from direct messages and group chats from its modified apps. This hack demonstrated serious vulnerabilities, revealing that archived chat logs were not end-to-end encrypted between the modified app and the archiving destination.
  • Data related to sensitive entities, including Customs and Border Protection (CBP) and the cryptocurrency giant Coinbase, were reportedly included in the hacked material.
  • The incident underscores the critical need for app attestation, which ensures only authentic, unaltered app versions running in secure environments can access backend APIs.
  • Key components of effective app attestation include runtime integrity verification and dynamic token issuance. This approach prevents repackaged, emulated, or jailbroken clients from accessing protected endpoints or receiving secrets.
  • Solutions like Approov offer third-party app attestation services that provide comprehensive coverage across iOS and Android, including on jailbroken or rooted devices where platform-native solutions may be limited. Approov also includes features like dynamic certificate pinning and runtime secrets protection.
  • The sources suggest that widespread API insecurity is partly due to limitations in platform-native security tools from Apple and Google and their resistance to allowing deeper integration of third-party security solutions.
  • While Signal’s end-to-end encryption is a strong foundation, its leadership has been criticised for not addressing the security mechanics that uphold it, specifically app attestation. Encryption alone is not sufficient if the app client itself can be easily repackaged and compromised.
  • The lack of attestation enforcement has tarnished Signal's brand reputation, as users cannot easily differentiate between the legitimate app and a clone.
  • Organisations handling sensitive data should mandate app attestation and token-based API access, utilise robust third-party attestation services, and hold app providers accountable for architectural flaws that enable brand misuse. Security must begin with verifying the source of every API call.
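The attestation flow the takeaways describe (runtime integrity verification feeding short-lived token issuance, with the backend refusing any API call that does not carry a valid token) is sketched below as an added example. It is not Approov's, Signal's or TeleMessage's code: the measurement scheme, claim names, signing key, token lifetime and build registry are all constructed for the illustration.

```python
"""Added illustration of app attestation with token-based API access.

Two roles are modelled:
  * an attestation service that compares a client's runtime measurement
    against a registry of known-good app builds and, only on a match from a
    healthy device, issues a short-lived signed token
  * a backend API that serves a request only if it carries a valid token

Registry contents, claim names, key and lifetime are constructed values.
"""
import base64
import hashlib
import hmac
import json
import time

# Key shared between the attestation service and the backend API (constructed).
ATTESTATION_KEY = b"example-attestation-signing-key"
TOKEN_LIFETIME_S = 300  # short-lived: a harvested token is useless within minutes

# Known-good measurements of genuine app builds (constructed). A repackaged
# clone built from the same source still has a different binary, so it never
# matches an entry here.
GENUINE_BUILDS = {
    hashlib.sha256(b"genuine-app-build-1.2.3").hexdigest(): "com.example.messenger",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def measure_app(app_binary: bytes) -> str:
    """Runtime integrity measurement: hash of the code the client is actually running."""
    return hashlib.sha256(app_binary).hexdigest()


def attest(measurement: str, device_compromised: bool, now=None):
    """Attestation service: signed token for a genuine, healthy client, else None."""
    now = time.time() if now is None else now
    app_id = GENUINE_BUILDS.get(measurement)
    if app_id is None or device_compromised:
        return None  # repackaged build or rooted/jailbroken device: no token, no secrets
    claims = {"app": app_id, "iat": int(now), "exp": int(now) + TOKEN_LIFETIME_S}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(ATTESTATION_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now=None):
    """Backend gate: return the claims if the token is authentic and fresh, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(ATTESTATION_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None  # forged or tampered token
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed token
    if not isinstance(claims, dict) or "app" not in claims:
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired: must re-attest to obtain a fresh token
    return claims


def handle_api_request(token, now=None):
    """Backend API endpoint: every call is checked, regardless of what the client claims to be."""
    claims = verify_token(token, now) if token else None
    if claims is None:
        return 401, "attestation required"
    return 200, f"ok for {claims['app']}"


if __name__ == "__main__":
    genuine = attest(measure_app(b"genuine-app-build-1.2.3"), device_compromised=False)
    clone = attest(measure_app(b"repackaged-clone-build"), device_compromised=False)
    print("genuine app:", handle_api_request(genuine))   # 200
    print("repackaged clone:", handle_api_request(clone))  # 401, never got a token
```

The point of the split is that the backend never reasons about the client directly; it trusts only a token the attestation service was willing to issue, and that service issues nothing to a binary it does not recognise or to a device it considers compromised. Because the token expires quickly, a token lifted from a genuine install cannot be reused by a clone for long.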
Relevant Links:
  • Read more about the TeleMessage hack: Based on "The Signal Clone the Trump Admin Uses Was Hacked" and "What Is TeleMessage? Mike Waltz Reportedly Caught Using Obscure App". (Note: Specific URLs are not provided in the sources).
  • Explore solutions for mobile app and API security, including app attestation: Learn more at approov.io.
Keywords: Signal, TeleMessage, TM SGNL, Mike Waltz, App Attestation, API Security, Mobile Security, Secure Messaging, Encryption, Data Breach, Hacking, Government Security, Compliance, Archiving, Fake Apps, Clone Apps, Repackaged Apps, Approov, Runtime Integrity, Token-Based API Access, Mobile App Security, Backend Security, 404 Media, Newsweek, Cybersecurity, Infosec, Privacy.

Upwardly Mobile - API & App Security News, by Approov Limited