In a concerning development for government cybersecurity, TeleMessage has suspended all services following reports of a significant security breach that exposed sensitive communications from various government agencies and private organizations. The Israeli company, which provides modified versions of popular encrypted messaging apps like Signal for archiving purposes, is now facing serious questions about its security practices and the inherent vulnerabilities in its approach to message archiving.
The Breach and Its Discovery
The security incident came to light through an investigation by 404 Media, which revealed that a hacker had successfully breached TeleMessage's backend system. According to reports, the attacker gained access to archived messages in just 15 to 20 minutes by exploiting credentials found in intercepted data. This allowed them to enter the backend panel where usernames, passwords, and message content were visible. The compromised server was identified as an Amazon Web Services endpoint located in Northern Virginia, a fact verified through analysis of the modified Signal app's source code.
High-Profile Usage Exposed
The security concerns gained public attention after Reuters photographed Mike Waltz, former National Security Adviser to Donald Trump, using what appeared to be TeleMessage's Signal clone during a cabinet meeting. This revelation became particularly alarming after it was discovered that Waltz had created a Signal group chat to share live updates on US military operations in Yemen, which was accidentally shared with a journalist. The Reuters photo suggested that other high-profile officials, potentially including Marco Rubio, Tulsi Gabbard, and JD Vance, were also among the recipients of Waltz's communications through the app.
Image: A formal meeting setting highlights the high-profile use of messaging apps like TeleMessage's among government officials.
Widespread Government and Corporate Adoption
Public procurement records indicate that TeleMessage has contracts with several US government agencies, including the State Department and the Centers for Disease Control and Prevention. These contracts span multiple administrations and are not limited to the Trump era. One active contract awarded by the Department of Homeland Security and FEMA allocates $2.1 million for mobile electronic message archiving, running from February 2023 through August 2025. The breach also exposed communications from US Customs and Border Protection, cryptocurrency firm Coinbase, financial institutions such as Scotiabank, and the Intelligence Branch of the Washington, D.C. Metropolitan Police.
The Fundamental Security Flaw
Security experts have pointed out a critical vulnerability in TeleMessage's approach: while the company claims to preserve Signal's encryption during communication, the process of capturing and storing decrypted messages for archival purposes inherently introduces new security risks. Once these messages leave the user's device and are archived on TeleMessage's servers, they are no longer protected by end-to-end encryption, making them vulnerable to unauthorized access if those systems are compromised. The breach exposed not only messages from TeleMessage's Signal clone but also from modified versions of WhatsApp, Telegram, and WeChat.
Company Response and Service Suspension
In response to the breach, TeleMessage has taken drastic measures. "TeleMessage is investigating a potential security incident. Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation," a spokesperson from Smarsh, TeleMessage's parent company, stated. "Out of an abundance of caution, all TeleMessage services have been temporarily suspended." The company has also removed much of its website content, including previously available service details and app download links.
Regulatory and Compliance Questions
TeleMessage's parent company, Smarsh, which is currently rebranding the app as Capture Mobile, has emphasized that its role is to help clients comply with regulations by capturing and storing communications. Tom Padgett, Smarsh's president of enterprise business, told NBC News that clients can choose from various archiving options, including storing messages in a Smarsh archive or forwarding them to a Gmail address. However, Smarsh claims it is not the archive of record for any government agency. Importantly, these apps are not approved for use under the US government's Federal Risk and Authorization Management Program (FedRAMP), raising questions about their appropriateness for government communications.
Signal's Position
A Signal spokesperson has distanced the original app from TeleMessage, emphasizing that Signal has no agreement with TeleMessage and was unaware of the product before the Reuters photo surfaced. Signal cannot guarantee the privacy or security of unofficial versions of its app, highlighting the risks associated with these modified versions. This incident underscores the inherent tension between the privacy-focused design of apps like Signal and the compliance requirements of government and regulated industries.
Broader Security Implications
This breach raises significant concerns about the security of high-level government communications and the trade-offs between security and compliance requirements. As government agencies and organizations continue to grapple with the need to archive communications while maintaining security, this incident serves as a stark reminder that any modification to secure messaging protocols introduces potential vulnerabilities. The ease with which the hacker gained access to sensitive information suggests that more robust security measures are needed when archiving encrypted communications, particularly those containing sensitive government information.