Despite Misleading Marketing, TeleMessage Can Access Plaintext Chat Logs micahflee.com

Micah Lee:

Despite their misleading marketing, TeleMessage, the company that makes a modified version of Signal used by senior Trump officials, can access plaintext chat logs from its customers.

In this post I give a high-level overview of how the TeleMessage fake Signal app, called TM SGNL, works and why it’s so insecure. Then I give a thorough analysis of the source code for TM SGNL’s Android app, and what led me to conclude that TeleMessage can access plaintext chat logs. Finally, I back up my analysis with as-of-yet unpublished details about the hack of TeleMessage.

TeleMessage suspended its service after NBC News reported a completely different breach to the one Lee and 404 Media reported Sunday. It is horribly bad form to speculate, but if two separate attackers publicly demonstrated their ability to download archived chats without permission, it seems plausible an eager state actor could have also done so. To be clear, there is no evidence for this; all I am saying is it would not surprise me.

Signal is secure. TeleMessage is certainly not.

While TeleMessage has been in the news for its association with various U.S. government agencies, it has a large customer base. You have heard of many of its users. How many of them, do you think, are still comfortable trusting it to capture their internal communications for record-keeping purposes?