It’s the digital security training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.

Please stop making me write about Signalgate

Oof … Okay, where to begin? 

We’ve been writing about the defense department’s use of Signal for communicating about military attack plans quite a lot in this newsletter lately. First, it was about the (now ousted) national security adviser Michael Waltz, who apparently added the editor-in-chief of The Atlantic to a group chat about attack plans on Yemen where Defense Secretary Pete Hegseth posted operational details. Then, Hegseth apparently created a second group chat involving his wife and brother where he posted similar plans. And since then, we’ve heard at least a few more related stories. I don’t even want to write about this anymore, so I’m going to just give a few bullets of updates on this.

  • At a White House cabinet meeting, Evelyn Hockstein of Reuters snapped a photo of Michael Waltz texting in a Signal chat underneath the desk. But those familiar with Signal noticed something unusual in the screenshot. Instead of the usual reminder to “Verify your Signal PIN” to give your account extra protection, Waltz’s screen read “Verify your TM SGNL PIN.” Well, what’s TM SGNL? It turns out this refers to a TeleMessage “clone” of Signal used to create archives of messages in the app. Because a nonstandard app includes code that may be less vetted and secure than the vanilla open source Signal app, this was widely regarded as a bad move.  
  • Alongside Joseph Cox of 404 Media, previous FPF board member Micah Lee reported the TM SGNL clone has been breached, allowing the attacker to read messages between Waltz and other senior officials, including Marco Rubio, Tulsi Gabbard, and JD Vance. Unlike regular Signal messages, these messages were not end-to-end encrypted between the clone app and the final archival destination.
  • Following the reported breaches, Smarsh, the company that runs TeleMessage, suspended the app’s service “out of an abundance of caution.”

What you can do

  • Just as someone you’re talking to could take a screenshot of your messages together, it’s important for reporters to understand that if you are talking to someone on Signal (or any app), their messages are only as secure as the device they’re on. If you’re talking to someone who is using a workplace-issued or -controlled device, it may be capable of copying employees’ messages. Likewise, if your device or any device in a conversation is infected with malware, your chat privacy may be compromised. This is why it’s so important to keep your devices and apps up to date. Read our guide to mobile maintenance.
  • If you’re just getting started, check out our guide to Signal for beginners. For those familiar, check out our guide to locking down Signal to dive deeper.
  • Don’t install TM SGNL.

Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,
Martin

Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation