Company behind modified Signal app used by Mike Waltz allegedly hacked

The Israeli company behind the obscure messaging app former US national security advisor Mike Waltz was photographed using on his iPhone last week was recently hacked, it has been alleged.

The app in question, TM SGNL, is a modified version of the more famous Signal app senior administration officials got themselves into hot water for using in March, when The Atlantic journalist Jeffrey Goldberg was accidentally added by Waltz to a classified chat.

No sooner had Waltz been photographed using TM SGNL than researchers started trying to find the app. That didn’t prove to be easy: unlike Signal, TM SGNL is non-public and can’t be downloaded from the Apple App Store or Google’s Play Store.

Software engineer and former journalist for The Intercept Micah Lee eventually managed to hunt down the source code for TM SGNL, uncovering at least one serious vulnerability, the use of hardcoded credentials.

That raised an obvious question mark about the app’s security. However, since then he and journalist Joseph Cox were contacted by a hacker who provided evidence that the company behind TM SGNL, TeleMessage, had itself suffered a data breach, they alleged in a report for 404media.

“The data stolen by the hacker contains the contents of some direct messages and group chats sent using its Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat,” Lee and Cox wrote.

“The data includes apparent message contents; the names and contact information for government officials; usernames and passwords for TeleMessage’s backend panel; and indications of what agencies and companies might be TeleMessage customers,” they said.

They quoted the unidentified hacker as claiming that the breach took “about 15-20 minutes,” and that “It wasn’t much effort at all.”

Zero public scrutiny

If the March ‘Signalgate’ scandal smacked of carelessness, the revelation that Waltz and others are now using an app that barely anyone had heard of before is an altogether stranger affair.

In a series of blog posts at the weekend, Lee started to pull back the curtain on an app that is being used by some of the most powerful people in the US administration despite appearing to have received almost zero public scrutiny.

That is probably the first revelation: one appeal of the app seems to be its obscurity. The app is based on code from Signal licensed under the GNU General Public License version 3 (GPLv3) and sends and receives messages via Signal’s server infrastructure. Like Signal’s, these messages are also end-to-end encrypted (E2EE).

However, in a video explainer the app makers said that TM SGNL has been modified to add the ability to archive messages. Lee speculated that this means copying the messages in plaintext before they are encrypted by TM SGNL, after which they are transported to an archive server in the cloud.

So, messages are end-to-end encrypted but not end-to-end secured because they exist in two places: on the device (where the user’s private key resides) and elsewhere (where a separate accessible key is used).
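The archive design Lee speculated about can be modelled in a few dozen lines. The following Python is an added illustration written for this article, not TeleMessage's or Signal's code: it tees the plaintext to an archive before the end-to-end encryption step, then reports what each party (the relay, a device, the archive server) can recover with the key it holds. The cipher is a constructed HMAC-SHA256 keystream so the model runs offline; it stands in for a real AEAD and is not one. Party names, key layout and the sample message are assumptions.

```python
"""Model of an E2EE messenger with a compliance archive tap (added illustration)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks.
    Symmetric, so the same call encrypts and decrypts. Illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


@dataclass
class Record:
    nonce: bytes
    ciphertext: bytes
    key_holder: str  # which party's key unlocks this copy


@dataclass
class Deployment:
    """Where copies of a message end up. Keys are stand-ins for real key material."""
    pair_key: bytes = field(default_factory=lambda: os.urandom(32))     # only on the two devices
    archive_key: bytes = field(default_factory=lambda: os.urandom(32))  # held by the archive server
    transport: list = field(default_factory=list)   # Signal-style relay: ciphertext only
    archive: list = field(default_factory=list)     # cloud compliance archive


def send(dep: Deployment, plaintext: bytes, archive_enabled: bool) -> None:
    """Send one message. With archiving on, the plaintext is copied *before* the
    E2EE step and protected only by the archive server's key, as the article describes."""
    if archive_enabled:
        nonce = os.urandom(12)
        dep.archive.append(Record(nonce, keystream_xor(dep.archive_key, nonce, plaintext), "archive-server"))
    nonce = os.urandom(12)
    dep.transport.append(Record(nonce, keystream_xor(dep.pair_key, nonce, plaintext), "device"))


def readable_by(dep: Deployment, party: str) -> list:
    """Plaintexts a party can recover with the key it holds. Compromising a party
    yields exactly the copies its key unlocks; the relay holds no key at all."""
    if party == "relay":
        return []
    if party == "archive-server":
        return [keystream_xor(dep.archive_key, r.nonce, r.ciphertext) for r in dep.archive]
    if party == "device":
        return [keystream_xor(dep.pair_key, r.nonce, r.ciphertext) for r in dep.transport]
    raise ValueError(f"unknown party: {party}")


SAMPLE = b"constructed sample: meeting moved to 0900"  # constructed, not a real message


def exposure_after_archive_breach(archive_enabled: bool) -> list:
    """Run the sample message through the model and return what an attacker who
    obtained the archive server's key and stored data could read."""
    dep = Deployment()
    send(dep, SAMPLE, archive_enabled)
    return readable_by(dep, "archive-server")


if __name__ == "__main__":
    print("archive off:", exposure_after_archive_breach(False))
    print("archive on: ", exposure_after_archive_breach(True))
```

The point the model makes is the one in the paragraph above: the transport copy is still E2EE, but the archive copy's confidentiality rests entirely on the archive server's key management and access controls, so that server becomes the asset to protect and monitor.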

This archiving could be the reason why TM SGNL is being used at all: It gives officials a way to comply with the rules around government record keeping.

But could an attacker target this archive? While there is no evidence that this has happened, according to Lee and Cox the server the hacker breached was the same AWS-hosted server used for the archiving:

“By reviewing the source code of TeleMessage’s modified Signal app for Android, 404 Media confirmed that the app sends message data to this endpoint. 404 Media also made an HTTP request to this server to confirm that it is online,” said Lee and Cox.

That alone should raise serious questions about security. On top of this is Lee’s discovery that TM SGNL uses hardcoded credentials. This is not an uncommon flaw, but it counts as incredibly sloppy and would pose an immediate security risk if an attacker got hold of the source code.
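Hardcoded credentials are the kind of flaw that a routine scan of a source tree catches before an app ships. The following Python scanner is an added example, not Lee's tooling and not TeleMessage code: it flags string literals assigned to secret-looking names and credentials embedded in URLs, rates each finding by whether the value looks like a placeholder, a word, or generated key material (Shannon entropy), and can walk a directory. The patterns, thresholds and the sample source it scans are all constructed for the example.

```python
"""Hardcoded-credential scanner for source trees (added example, constructed patterns)."""
import math
import os
import re
from collections import Counter

# A quoted literal assigned to a name that suggests a secret, e.g. PASSWORD = "..."
SECRET_ASSIGN = re.compile(
    r"""(?ix)
    \b(?P<name>[A-Za-z0-9_]*(?:password|passwd|pwd|secret|token|api_?key|private_?key)[A-Za-z0-9_]*)
    \s*[:=]\s*
    ["'](?P<value>[^"']{4,})["']
    """
)
# Credentials embedded in a URL: scheme://user:pass@host
URL_CREDS = re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<value>[^@\s/]{3,})@", re.I)
# Obvious placeholders are reported at low confidence to cut noise.
PLACEHOLDERS = {"changeme", "password", "xxxx", "todo", "example", "<redacted>"}


def shannon_entropy(s: str) -> float:
    """Bits per character; high values suggest generated keys rather than words."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(value: str) -> str:
    """Confidence that a literal is a live credential rather than a placeholder."""
    v = value.strip().lower()
    if v in PLACEHOLDERS or v.startswith(("${", "%(", "{{")):
        return "low"      # template or placeholder, probably filled in at deploy time
    if shannon_entropy(value) >= 3.5 or len(value) >= 20:
        return "high"     # looks like generated key material
    return "medium"       # human-chosen password or similar


def scan_source(text: str, path: str = "<constructed>") -> list:
    """Return one finding per suspicious line: path, line, kind, name, confidence."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_ASSIGN.search(line)
        if m:
            findings.append({"path": path, "line": lineno, "kind": "assignment",
                             "name": m.group("name"), "confidence": classify(m.group("value"))})
            continue
        m = URL_CREDS.search(line)
        if m:
            findings.append({"path": path, "line": lineno, "kind": "url",
                             "name": "embedded-url-credential", "confidence": classify(m.group("value"))})
    return findings


def scan_tree(root: str, exts=(".java", ".kt", ".swift", ".py", ".js", ".ts", ".xml", ".properties")) -> list:
    """Walk a checkout and scan every file with a source-like extension."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), full))
    return findings


# Constructed sample source, not code from any real project.
SAMPLE_SOURCE = """\
// constructed sample, not real project code
const ARCHIVE_URL = "https://archive.example.invalid/upload";
const ARCHIVE_PASSWORD = "changeme";
String apiKey = "AKXX9f3mQ2LpZ7vT1cR8wYbN4kH6sD0e";
db_url = "postgres://svc:Wint3r-2024!@db.internal/app"
password = os.environ["ARCHIVE_PASSWORD"]
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"{f['path']}:{f['line']} [{f['confidence']}] {f['kind']} {f['name']}")
```

On the constructed sample the scanner reports the placeholder at low confidence, the high-entropy API key at high confidence, and the password inside the database URL at medium confidence, while the line that reads the password from the environment is left alone. A scan like this belongs in CI for any app that is going to handle official communications, and the fix for every finding is the same: move the value out of the binary into a secrets store or per-deployment configuration and rotate it.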

“The fact that Waltz is using the TeleMessage version of Signal highlights some of the tension and complexity associated with high-ranking government officials communicating about sensitive topics on an app that can be configured to have disappearing messages: Government officials are required to keep records of their communications, but archiving, if not handled correctly, can potentially introduce security risks to those messages,” Cox noted in a separate article.

The deeper question is why so many officials seem inclined to use apps such as Signal, or TM SGNL, when dedicated and proven secure government systems exist as alternatives. Speculation about this abounds.

What’s clear, however, is that whatever the reason it has led officials to make some surprisingly risky assumptions about smartphone app security that need to be reassessed.
