An unidentified miscreant is said to have obtained US government communications from TeleMessage, a messaging and archiving app based on the open-source Signal app and used by ousted national security advisor Michael Waltz.
TeleMessage, which was acquired by Oregon-based Smarsh in 2024, says it’s shut the app down for now.
“TeleMessage is investigating a potential security incident,” a company spokesperson told The Register Monday. “Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation. Out of an abundance of caution, all TeleMessage services have been temporarily suspended. All other Smarsh products and services remain fully operational.”
Waltz’s use of the app emerged last week after a Reuters photo showed the advisor holding a phone running an app with a PIN verification popup similar but not identical to the one used by Signal.
That’s the same Mike Waltz who was at the center of March’s Signalgate storm in which, among other things, secret military plans were shared in a group text chat that inadvertently included a journalist.
The ex-Vice folks at 404 Media determined from that photograph that the “TM SGNL” PIN popup came from TeleMessage’s Signal clone, which supports things like message archiving – a feature TeleMessage touts on its website. The official version of Signal implements strong end-to-end encryption to protect messages from being intercepted and read during transit. It isn’t immediately clear whether TeleMessage’s app properly handles secure communication between the app and Signal’s servers. But encryption-in-transit appears not to be the issue.
A miscreant reportedly gained access to the instant-messaging app’s chat logs that were somehow stored unprotected. If TeleMessage’s version of Signal archives decrypted messages without re-encrypting them for storage, that’s not ideal from a security perspective.
Screenshots of the obtained data are said to show correspondence related to US Customs and Border Protection (CBP) and to cryptocurrency firm Coinbase and other financial entities.
Messages related to Waltz were seemingly not included. The concern here, though, is that the security advisor was seen using software that is said to have been compromised at some point, and that its code was insecure.
On Friday, journalist Micah Lee published an analysis of the TeleMessage Signal clone app, which he says is only available through a mobile device management service tied to Apple or Google enterprise accounts.
Over the weekend, Lee reports receiving a copy of a TeleMessage-hosted URL, from which he was able to obtain and share the Android source code for the messaging app. Cryptographer Matthew Green also posted about the URL, which now requires authentication to access. Other online researchers subsequently identified related resources, including source code for the iOS version of the app.
Lee found that the source code contains hardcoded credentials among other vulnerabilities, which is never a good sign.
Lee also speculated TeleMessage’s version of Signal violates Signal’s open source license – something others have alleged, based on source files.
Neither Signal nor TeleMessage responded to questions about those allegations.
As for Waltz, who – as mentioned above – invited the Atlantic’s editor-in-chief Jeffrey Goldberg to join a Signal discussion of classified military plans earlier this year? Last week, he was removed as national security advisor and nominated as ambassador to the United Nations instead. ®