@ kepford
2025-05-15 17:40:26
It's been in the news recently that Mike Waltz was not using Signal but an app called TeleMessage, which is marketed as a tool to archive Signal chat conversations. This event presents a great opportunity for learning. After years of following security and privacy tech, one of the many lessons I've learned is that humans are almost always the weak link in security. Foolish decisions are usually at the root of most breaches and attacks. This was the case with the Trump admin. I am of the opinion that it is foolish to use devices like the iPhone or any phone OS for secure communication. Not because the devices are not secure—they can be very secure. It's that humans can break this security very easily with careless behavior, as we see in this case.
While Signal encrypts messages in transit[^1] and at rest on your mobile devices, it is important to remember that any encrypted messenger app, whether it's Signal, WhatsApp, Apple Messages, or SimpleX, must decrypt the messages for you to read them. There really isn't a way around this. So, with this in mind, it's obvious that trust is involved when using any of these apps. First, you are trusting the person you are conversing with. This might seem trivial, but it seems to be lost on many people. When you send a message to another party, you have no idea what they are doing with it. Apps like Signal try to mitigate this by offering disappearing messages. Some apps don't allow screenshots of the application. But make no mistake, if your message is readable by a human, they can capture it. Even if they just snap a picture of it from another device. If that were the only thing to consider, we could end this now, but it's not.
You are also trusting the phone/device OS. While I think it is unlikely that Apple and Google are capturing the screens on devices and apps like Signal, we cannot have 100% certainty of this. At least I do not. But it's worse than this. There are attack toolkits like Pegasus which can be covertly installed on phones like the iPhone and most Android devices. It is almost certain that Pegasus or something like it could capture and expose your private messages when you read them. This is because they basically gain low-level access to the device without your knowledge. And because humans can't mentally decrypt messages, Signal must decrypt the message for you to read it. When it does, the malicious app can capture it and send it off to the attacker. FWIW, this is possibly what happened to Tucker Carlson when he claimed that Signal "leaked" his communication about traveling to Russia to interview Putin. Though I suspect it is more likely a mole in either his operation or the Russians'. The least likely scenario is that Signal was actually compromised.
So no matter how secure your messaging app may be, if your phone OS is compromised, it's game over. This wasn't the case here as Waltz foolishly was using a clone of the Signal app called TM SGNL to log Signal chats and send them to the TeleMessage servers. It appears that this was done in the clear and that the logs were even emailed to mail servers. You can read more about this in a post I made earlier today. So, as you can see, he wasn't actually using Signal at all. Signal was not the issue.
So what should you do now that you are armed with this knowledge? Well, first of all, you should take everything I write with a grain of salt. Do your own research and do not do anything you don't feel comfortable doing. Don't trust, verify. With that caveat, the likelihood of Signal being compromised in my opinion is low. The likelihood that Apple or Google is logging your Signal chats is also low. I think they could if they desired. The likelihood of your being targeted with something like Pegasus is also low but not impossible. I don't know you or your threat model. It's something to think about. But here is something everyone should consider.
The most important thing to consider is that you are always trusting the person you communicate with. This is not only true for digital communication but also in-person communication. Of course, SMS is not secure, but I do use it for things that I have no concern about being recorded. But I do prefer to use encryption when I can. A side note, we seem to be heading toward a secure-by-default standard in the future with SMS[^2], which is good to hear. I use Signal with any friends that are willing to use it, but I do not trust them all equally. For one thing, most of us do not trust everyone equally for anything. Trust is earned and built over time. But even for people I trust, I may not trust their technical skills or security practices. This has to be a consideration when you use Signal. Signal cannot protect you against a malicious recipient. This person could be building a log of your conversations. They might even be hacked and unaware. They could be using an insecure client, as was the case with the Trump admin.
So be aware. The best policy is to be very careful with anything you put in a digital device. The best way to keep a secret is to not share it. There are many thoughts and communications that I would never use a phone or computer to communicate. I think people would be wise to do the same.
[^1]: The Double Ratchet Algorithm at the heart of Signal
[^2]: End to End Encryption is coming as the default for mobile phones
https://stacker.news/items/980937