The Trump administration has downplayed the security breach, dismissing it as the ‘only glitch in two months.’
Signal, a publicly available messaging app, has come under the spotlight after a journalist was added to a group chat among US national security officials as they coordinated plans to strike Houthi targets in Yemen.
President Donald Trump has downplayed the leak as a “glitch,” while Director of National Intelligence Tulsi Gabbard says no classified intelligence information was shared.
The Atlantic’s editor-in-chief Jeffrey Goldberg, the journalist inadvertently invited into the chat, has since published further messages that reveal the sensitivity of the information leaked.
In those messages, Defence Secretary Pete Hegseth lays out detailed plans to strike Houthi targets in Yemen, including timings and the weapons used.
National security adviser Mike Waltz has said he is taking “full responsibility” for the gaffe. According to screenshots provided by the Atlantic, Waltz was the user who added Goldberg to the chat.
The debacle has raised questions over why a commercial app was used to discuss potentially compromising information, and how a journalist was added to the chat, seemingly by mistake.
What is Signal?
Signal is a messaging app hailed for being one of the most secure on the market. It can be used for direct messaging, group chats, and audio and video calls.
It’s owned by a non-profit group, Signal Foundation, which says its mission is to “enable secure global communication through open source privacy technology.”
With an estimated 70 million users worldwide in 2024 according to non-profit Lawfare, it is not as widely-used as competitors such as WhatsApp and Apple’s iMessage.
User accounts are registered and managed using the user’s mobile phone number, the only personal data Signal stores.
This means that when adding members to a group chat, as it is assumed Michael Waltz or a member of his team did when adding Goldberg, a list of the users’ mobile contacts with an active Signal account appears.
It is presumed that in Waltz’s case, this list could have included Goldberg, despite Waltz telling Fox News on Wednesday “I can tell you 100 percent I don’t know this guy.”
How secure is it?
Signal uses a form of end-to-end encryption (E2EE) that is more robust than its competitors.
Encryption means that, in principle, any message sent from one user to another cannot be accessed in between by third parties, even by the platform itself.
In a nutshell, only the sender and recipient of a message has the key to decode a message.
On Signal, encryption is not an option and is enabled by default. This is different to Telegram, for example, where E2EE is not enabled in many of the platform’s most popular features.
Signal’s encryption protocol is also open source, meaning researchers and cybersecurity experts are able to scrutinise the code to ensure it complies with the highest standards.
“Signal is the best thing you can get as a journalist or activist,” Bart Preneel, a cryptographer and professor at Belgium’s KU Leuven, told Euronews, calling it “clearly one of the best.”
“But the weakest point is the device itself,” Preneel added.
“We can assume that nation states have power to hack mobile devices and therefore access such communications. This is why government officials usually have dedicated devices that they should use.”
Could the group chat have been hacked?
Preneel also described the US officials’ Signal debacle as a “major failure.”
“These people should have known not to use non-dedicated devices,” he added.
According to flight tracking analysis by CBS news, Trump’s Ukraine and Middle East envoy Steve Witkoff was likely in Moscow when he was included in the group chat.
Witkoff travelled to Russia on 13 March to meet Russian President Vladimir Putin as part of a push for a ceasefire deal in Ukraine. According to CBS research, he was added to the chat around 12 hours after landing in Moscow.
Euronews asked cryptographer Bart Preneel whether the fact Witkoff was in Russia could have increased the security risk.
“There is definitely more risk in Russia as the government controls the network connection. It is very well known that if you travel there, your device can be hacked over the network,” he said.
Preneel added that another “far-fetched but not impossible” method a foreign state could use to access such communications is the covert use of electromagnetic radiation to pick up signals from a device through an antenna. This essentially allows them to capture all activity from a device’s screen.
Why is Signal popular and do governments use it?
The messaging app is popular among journalists. Euronews journalists, for example, use it to minimise security risks when communicating with sources.
It’s also favoured by dissidents who want to avoid any government snooping.
In early 2020, the European Commission advised its staff to start using Signal as part of a security push.
In a report released last year, the US’s Cybersecurity and Infrastructure Security Agency urged government officials to switch to end-to-end encrypted communications apps, such as Signal.
The Associated Press recently found that more than 1,100 government officials across all 50 states use Signal.
But earlier this month, the Pentagon warned its staffers against using the messaging app to share even unclassified information, according to a memo seen by NPR.
The note, dated 18 March, says that a “vulnerability has been identified in the Signal Messenger Application,” adding that “Russian professional hacking groups are employing the ‘linked devices’ features to spy on encrypted conversations.”
A 2023 Department of Defence (DoD) note also classifies Signal as an “unmanaged” app that is not authorised “to access, transmit, or process non-public DoD information.”
Did officials breach US public records law?
Another concern is whether the senior US officials in the Signal chat broke US laws on maintaining public records.
The group chat, according to Goldberg’s testimony, used Signal’s “disappearing messages” function to delete some messages one week after they were sent.
Preneel told Euronews that in contrast to WhatsApp, which allows users to retrieve deleted messages if they have opted into a back-up system, disappearing messages on Signal cannot be retrieved.
A former US government security official, speaking anonymously with Fortune, said that the type of communication in the chat should have been preserved as part of US record laws.
Read the full article here
