An encrypted messaging app used by President Trump’s former national security advisor, Mike Waltz, during a recent Cabinet meeting has temporarily gone dark after reportedly being hacked.
The app in question, TeleMessage, an Israel-based platform that functions as a customized version of Signal—was breached, though attackers didn’t get access to messages from Waltz or his contacts, according to 404 Media, which first broke the story.
Still, the incident raises some serious questions. If a secure app designed for message archiving and compliance is being used by high-ranking officials—and it’s still vulnerable—how confident can the rest of us be in its security?
The app first came under public scrutiny after Waltz appeared to be using it during a Cabinet meeting last week, which reignited concerns about the security of his communication methods that were sparked by the “Signalgate” controversy,
At the time, he inadvertently invited a journalist into a Signal chat of top administration officials as it planned military strikes on Houthis in Yemen.
Although Signal automatically encrypts messages as they travel between users. But the details around TeleMessage’s encryption and security protocols aren’t completely clear.
If you are looking for any commentary on this, please find below, perspective from my AppSec expert at Black Duck. If you have any questions, please let me know.
“Alarming on Many Levels”
“This breach is alarming on many levels,” comments Thomas Richards, Infrastructure Security Practice Director at Black Duck. “Taking a secure messaging application and changing a core functionality such as backing up messages essentially breaks the security model. Users want secure messaging for privacy, and it now appears that the messages stored were not encrypted. This creates a security risk for users of the application as their sensitive information could be, and has been, compromised.”
Richards says any entity that is looking into a secure messaging application for compliance reasons should do a thorough review of the application. “This should include at least a penetration test against the application and a threat model to understand what risks the application could introduce. I would also encourage organizations to ask the developers to produce evidence of internal penetration testing along with an internal threat model to validate their claims of security and privacy.”
Casey Ellis, Founder at Bugcrowd adds: “Hopefully this will go down in AppSec history as a prime example of why frameworks aren’t a silver-bullet security solution. The Signal source code is phenomenal and incredibly robust, however, there are certain things that it can’t and won’t do for security reasons. When user demand is great enough, developers will hack things to create unorthodox and insecure solutions like this one.”
Ellis says the same thing happens in enterprise and government application development all the time, and this whole debacle is a solid reminder of the importance of runtime application testing and following security policy when it counts.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.