Episode Summary: In this episode of Upwardly Mobile, we unpack the unsettling incident involving TeleMessage, the company behind a modified clone of the secure messaging app Signal, that clone's use inside the U.S. government, and the data breach that followed. We explore how the absence of fundamental client-side controls, namely app attestation and token-based API access, left the backend unable to tell a genuine app from a modified one, and how a hacker then reached sensitive archived data. Drawing on the sources, we discuss why encryption alone is insufficient when the archiving path is not end-to-end encrypted, and highlight the urgent need for robust client-side security to protect sensitive communications and safeguard brand trust.
Key Takeaways:
- An obscure Israeli company called TeleMessage offers modified versions of secure messaging apps like Signal, WhatsApp, Telegram, and WeChat, primarily for archiving purposes to meet compliance requirements for organisations, including the U.S. government.
- Former National Security Advisor Mike Waltz was reportedly photographed using a modified version of Signal by TeleMessage, labelled "TM SGNL," during a cabinet meeting, bringing attention to the use of such apps in sensitive government contexts.
- Although built on Signal's open-source code, TeleMessage's clients lacked core defences such as robust app attestation and token-based API access control. Without attestation, a backend cannot distinguish a repackaged, unverified build from the genuine app, so the modified client was able to establish trust with the Signal backend and interact with secure infrastructure as if it were legitimate.
- A hacker breached TeleMessage and stole customer data, including the contents of direct messages and group chats sent through its modified apps. The breach revealed that archived chat logs were not end-to-end encrypted between the modified app and the archiving destination: Signal's end-to-end encryption protected messages between users, but the copy forwarded to the archive was readable in transit and at rest once it left the app.
- Data relating to sensitive entities, including Customs and Border Protection (CBP) and the cryptocurrency exchange Coinbase, was reportedly included in the hacked material.
- The incident underscores the critical need for app attestation, which ensures that only authentic, unmodified app builds running in secure environments can reach backend APIs.
- Two components make app attestation effective: runtime integrity verification (is this the genuine build, signed with the expected certificate, running outside a rooted, emulated, or debugged environment?) and dynamic issuance of short-lived tokens that the backend requires on every API call. Because a repackaged, emulated, or jailbroken client fails verification, it never receives a token, and so it can neither call protected endpoints nor obtain the runtime secrets those endpoints hand out.
- Solutions like Approov offer third-party app attestation services that provide comprehensive coverage across iOS and Android, including on jailbroken or rooted devices where platform-native solutions may be limited. Approov also includes features like dynamic certificate pinning and runtime secrets protection.
- The sources suggest that widespread API insecurity is partly due to limitations in platform-native security tools from Apple and Google and their resistance to allowing deeper integration of third-party security solutions.
- While Signal’s end-to-end encryption is a strong foundation, its le
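To make the attestation flow from the takeaways concrete, here is an added, self-contained example that is not code from the podcast, Approov, or Signal. It models a minimal attestation service and API gateway: the client reports runtime-integrity evidence (package name, signing-certificate hash, binary hash, root/emulator/debugger flags), the service compares it against the genuine build and issues a short-lived HMAC-signed token only on success, and a protected endpoint releases a runtime secret only to requests with a valid, unexpired token. The package name, hashes, signing key, and "archive_api_key" secret are constructed placeholders; real deployments would measure the evidence on the device with platform or third-party SDKs and use asymmetric signing rather than a shared HMAC key.

```python
"""Constructed app-attestation demo: runtime integrity verification gates
dynamic token issuance, and the API gateway serves protected endpoints only
to clients holding a valid, unexpired token. All identities, keys and hashes
are illustrative assumptions, not any vendor's real protocol."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed demo key, known only to the attestation service and API gateway.
ATTESTATION_KEY = b"demo-attestation-signing-key"
TOKEN_TTL_SECONDS = 300

# Identity of the genuine build (constructed values): package id plus hashes of
# its signing certificate and installed binary. A repackaged app must be
# re-signed by the attacker, so at least the certificate hash changes.
GENUINE_APP = {
    "package": "com.example.securechat",
    "cert_sha256": hashlib.sha256(b"genuine-signing-cert").hexdigest(),
    "binary_sha256": hashlib.sha256(b"genuine-apk-bytes-v1.2.3").hexdigest(),
}


@dataclass
class RuntimeEvidence:
    """What a client-side attestation SDK would measure and report."""
    package: str
    cert_sha256: str
    binary_sha256: str
    rooted: bool = False
    emulator: bool = False
    debugger_attached: bool = False


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_runtime_integrity(ev: RuntimeEvidence) -> Tuple[bool, str]:
    """Runtime integrity verification: genuine build in a trustworthy environment."""
    if ev.package != GENUINE_APP["package"]:
        return False, "unknown package"
    if not hmac.compare_digest(ev.cert_sha256, GENUINE_APP["cert_sha256"]):
        return False, "signing certificate mismatch (repackaged app)"
    if not hmac.compare_digest(ev.binary_sha256, GENUINE_APP["binary_sha256"]):
        return False, "binary hash mismatch (modified app)"
    if ev.rooted or ev.emulator or ev.debugger_attached:
        return False, "untrusted runtime environment"
    return True, "ok"


def issue_attestation_token(ev: RuntimeEvidence, now: Optional[float] = None) -> Optional[str]:
    """Dynamic token issuance: a short-lived token, and only after verification passes."""
    if not verify_runtime_integrity(ev)[0]:
        return None  # failed clients get nothing to present to the API
    now = time.time() if now is None else now
    claims = {"pkg": ev.package, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(ATTESTATION_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_attestation_token(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """API gateway check: signature verifies, token is for this app, and not expired."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(ATTESTATION_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return False, "bad signature"
        claims = json.loads(_unb64(payload))
    except ValueError:  # covers unpack, base64 and JSON decoding errors
        return False, "malformed token"
    if claims.get("pkg") != GENUINE_APP["package"]:
        return False, "token not for this app"
    if now >= claims.get("exp", 0):
        return False, "token expired"
    return True, "ok"


def protected_api(token: str, now: Optional[float] = None) -> dict:
    """Protected endpoint: releases a runtime secret only to attested clients."""
    ok, reason = verify_attestation_token(token, now)
    if not ok:
        return {"status": 401, "error": reason}
    return {"status": 200, "archive_api_key": "demo-runtime-secret"}  # constructed secret


def genuine_evidence() -> RuntimeEvidence:
    return RuntimeEvidence(**GENUINE_APP)


def repackaged_evidence() -> RuntimeEvidence:
    # Same package name, but modified and re-signed with an attacker's certificate.
    return replace(genuine_evidence(),
                   cert_sha256=hashlib.sha256(b"attacker-cert").hexdigest(),
                   binary_sha256=hashlib.sha256(b"modified-apk").hexdigest())


def rooted_evidence() -> RuntimeEvidence:
    return replace(genuine_evidence(), rooted=True)  # genuine build, untrusted device


if __name__ == "__main__":
    t0 = 1_700_000_000
    good = issue_attestation_token(genuine_evidence(), now=t0)
    print("genuine client:", protected_api(good, now=t0 + 10))
    print("repackaged client token:", issue_attestation_token(repackaged_evidence(), now=t0))
    print("rooted device token:", issue_attestation_token(rooted_evidence(), now=t0))
    print("expired token:", protected_api(good, now=t0 + TOKEN_TTL_SECONDS + 1))
```

The point of the split between `verify_runtime_integrity` and `verify_attestation_token` is that the API never sees the raw evidence: it only needs the attestation key and a clock, so the same check can sit in front of every protected endpoint. A repackaged or rooted client is refused at issuance and never holds a token, while a stolen token is bounded by its five-minute lifetime and cannot be extended without the signing key.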
This content was created in partnership with, and with the help of, artificial intelligence (AI).