Signal speaks out on the TeleMessage affair
Signal itself is now speaking out in the affair surrounding the modified Signal variant used by the US government.
In the affair surrounding TeleMessage, the modified Signal variant used by members of the US government to exchange confidential information, Signal itself is now speaking out. The Signal Foundation takes a clear position, particularly on data protection and security.
The modified messenger has since ceased operations following a second intrusion. TeleMessage allows the otherwise end-to-end encrypted messages to be forwarded to the provider's servers; users apparently wanted this in order to comply with the documentation requirements for government communications in the USA. However, this opens up a security hole.
TeleMessage: source code public, contains serious security vulnerability
The TeleMessage source code is now public and could be downloaded from the provider's website. Initial analyses came to the conclusion that, for example, credentials are hard-coded into it. Attackers can then apparently use these to log on to the TeleMessage servers and gain unauthorized access to data.
The Signal Foundation has now commented on this: "We cannot guarantee the data protection and security features of unofficial versions of Signal." This is understandable, because Signal's source code is available under an open source license, so other developers can create their own versions and incorporate insecure additions, just as happened in the case of TeleMessage.
Logically, the Signal developers cannot be held responsible for anything created by third parties outside the control of the Signal Foundation. The functions for extracting and archiving messages that TeleMessage implemented apparently used the aforementioned amateurishly hard-coded credentials and in all likelihood made the attacks on the service possible in the first place.
Since the original Signal client contains no such modifications, secure end-to-end encryption applies there and communication remains confidential, unless, of course, the endpoints are infected with spyware, which can read the plaintext messages at that point.
Foreign ministers in the EU also use Signal's group chat to send selfies, for example. Kaja Kallas, EU High Representative for Foreign Affairs, is said to be responsible. Signal is considered a comparatively secure crypto messenger, but originates from the USA. The use of such publicly available applications by ministers therefore also entails potential security risks.
(dmk)