A recent cybersecurity breach has raised alarms regarding the safety of customer data from TeleMessage, an Israeli company known for its messaging applications that resemble Signal. This incident comes into sharper focus given that former National Security Adviser Mike Waltz was observed utilizing the app during a Cabinet meeting with President Donald Trump.
Details of the Breach
The hack, reported by 404 Media, involved the unauthorized access of direct messages and personal information from TeleMessage’s platform. Unlike Signal, which offers full end-to-end encryption, TeleMessage provides modified versions of popular messaging apps like Signal and WhatsApp, allowing users to archive their messages. However, the lack of comprehensive encryption raises concerns, particularly as high-ranking officials from the Trump administration appear to be using it.
The hacker, who spoke to 404 Media, described the process of accessing the data as surprisingly straightforward, stating, “I would say the whole process took about 15-20 minutes. It wasn’t much effort at all.”
Waltz’s recent transition from national security adviser to a nominee for U.S. ambassador to the United Nations has also come under scrutiny. His judgment was questioned after he inadvertently included Atlantic editor Jeffrey Goldberg in a Signal chat discussing military strategies in Yemen, leading to widespread criticism regarding the administration’s handling of sensitive information.
Implications for Security
Last week, a photograph surfaced showing Waltz using TeleMessage, with chat labels such as “J.D. Vance” and “Gabbard,” further intensifying concerns about the security of his communications. Although the hacker did not access Waltz’s messages directly, the breach reportedly exposed the names, phone numbers, and email addresses of Customs and Border Protection officials, along with information related to various financial institutions. There are also indications that the Intelligence Branch of the Washington, D.C., Metropolitan Police may be utilizing the app.
TeleMessage has established contracts with several government agencies, including the State Department and the Centers for Disease Control and Prevention, likely to adhere to document retention regulations. This connection to government entities amplifies the significance of the breach.
Verification and Concerns
While the hacker did not manage to access all TeleMessage content, they hinted at the potential for further breaches. Journalists Joseph Cox and Micah Lee have independently verified some of the compromised material. The hacker expressed curiosity about the app’s security, stating, “The only difference is the TeleMessage version captures all incoming and outgoing Signal messages for archiving purposes.” However, this archiving process introduces a third party, which could lead to improper storage of sensitive messages.
In a now-private YouTube video, TeleMessage claimed to maintain the security and encryption standards of Signal when communicating with other Signal users. Yet, the reality of sending messages to an external server for archiving raises significant privacy concerns.
Industry Reactions
A spokesperson for Signal emphasized the risks associated with unofficial versions of their application, stating, “We cannot guarantee the privacy or security properties of unofficial versions of Signal.” The hacker concluded with a stark warning: “If I could have found this in less than 30 minutes, then anybody else could too. And who knows how long it’s been vulnerable.”
