{"id":2966,"date":"2025-04-01T05:02:17","date_gmt":"2025-04-01T05:02:17","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/04\/01\/the-signal-chat-leak-and-the-nsa-html\/"},"modified":"2025-04-01T05:02:17","modified_gmt":"2025-04-01T05:02:17","slug":"the-signal-chat-leak-and-the-nsa-html","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/04\/01\/the-signal-chat-leak-and-the-nsa-html\/","title":{"rendered":"The Signal Chat Leak and the NSA"},"content":{"rendered":"\n
The Signal Chat Leak and the NSA<\/div>\n

\t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

US National Security Advisor Mike Waltz, who started the now-infamous group chat coordinating a US attack against the Yemen-based Houthis on March 15, is seemingly now suggesting that the secure messaging service Signal has security vulnerabilities.<\/p>\n

“I didn\u2019t see this loser in the group,” Waltz\u00a0told<\/a>\u00a0Fox News about\u00a0Atlantic<\/em>\u00a0editor in chief Jeffrey Goldberg, whom Waltz\u00a0invited<\/a>\u00a0to the chat. “Whether he did it deliberately or it happened in some other technical mean, is something we\u2019re trying to figure out.”<\/p>\n

Waltz\u2019s implication that Goldberg may have hacked his way in was followed by a\u00a0report<\/a>\u00a0from CBS News that the US National Security Agency (NSA) had sent out a bulletin to its employees last month warning them about a security “vulnerability” identified in Signal.<\/p>\n

The truth, however, is much more interesting. If Signal has vulnerabilities, then China, Russia, and other US adversaries suddenly have a new incentive to discover them. At the same time, the NSA urgently needs to find and fix any vulnerabilities quickly as it can\u2014and similarly, ensure that commercial smartphones are free of backdoors\u2014access points that allow people other than a smartphone\u2019s user to bypass the usual security authentication methods to access the device\u2019s contents.<\/p>\n

That is essential for anyone who wants to keep their communications private, which should be all of us.<\/p>\n

It\u2019s common knowledge<\/span>\u00a0that the NSA\u2019s mission is breaking into and eavesdropping on other countries\u2019 networks. (During President George W. Bush\u2019s administration, the NSA conducted warrantless taps into domestic communications as well\u2014surveillance that\u00a0several<\/a>\u00a0district courts\u00a0ruled<\/a>\u00a0to be illegal before those decisions were later\u00a0overturned<\/a>\u00a0by appeals courts. To this day, many legal experts\u00a0maintain<\/a>\u00a0that the program violated federal privacy protections.) But the organization has a secondary, complementary responsibility: to protect US communications from others who want to spy on them. That is to say: While one part of the NSA is listening into foreign communications, another part is stopping foreigners from doing the same to Americans.<\/p>\n

Those missions never contradicted during the Cold War, when allied and enemy communications were wholly separate. Today, though, everyone uses the same computers, the same software, and the same networks. That creates a tension.<\/p>\n

When the NSA discovers a technological vulnerability in a service such as Signal (or buys one on the thriving clandestine vulnerability market), does it exploit it in secret, or reveal it so that it can be fixed? Since at least 2014, a US government interagency\u00a0“equities” process<\/a>\u00a0has been used to decide whether it is in the national interest to take advantage of a particular security flaw, or to fix it. The trade-offs are often complicated and hard.<\/p>\n

Waltz\u2014along with Vice President J.D. Vance, Defense Secretary Pete Hegseth, and the other officials in the Signal group\u2014have just made the trade-offs much tougher to resolve. Signal is both widely available and widely used. Smaller governments that can\u2019t afford their own military-grade encryption use it. Journalists, human rights workers, persecuted minorities, dissidents, corporate executives, and criminals around the world use it. Many of these populations are of great interest to the NSA.<\/p>\n

At the same time, as we have now discovered, the app is being used for operational US military traffic. So, what does the NSA do if it finds a security flaw in Signal?<\/p>\n

Previously, it might have preferred to keep the flaw quiet and use it to listen to adversaries. Now, if the agency does that, it risks someone else finding the same vulnerability and using it against the US government. And if it was later disclosed that the NSA could have fixed the problem and didn\u2019t, then the results might be catastrophic for the agency.<\/p>\n

Smartphones present a similar trade-off. The biggest risk of eavesdropping on a Signal conversation comes from the individual phones that the app is running on. While it\u2019s largely unclear whether the US officials involved had downloaded the app onto personal or government-issued phones\u2014although Witkoff suggested on X that the program was on his “personal devices<\/a>“\u2014smartphones are consumer devices, not at all suitable for classified US government conversations. An entire industry of spyware companies sells capabilities to remotely hack smartphones for any country willing to pay. More capable countries have more sophisticated operations. Just last year, attacks that were later attributed to China\u00a0attempted<\/a>\u00a0to access both President Donald Trump and Vance\u2019s smartphones. Previously, the FBI\u2014as well as\u00a0law enforcement agencies in other countries<\/a>\u2014have pressured both Apple and Google to add “backdoors” in their phones to more easily facilitate court-authorized eavesdropping.<\/p>\n

These backdoors would create, of course, another vulnerability to be exploited. A separate attack from China last year\u00a0accessed<\/a>\u00a0a similar capability built into US telecommunications networks.<\/p>\n

The vulnerabilities equities have swung against weakened smartphone security and toward protecting the devices that senior government officials now use to discuss military secrets. That also means that they have swung against the US government hoarding Signal vulnerabilities\u2014and toward full disclosure.<\/p>\n

This is plausibly<\/span>\u00a0good news for Americans who want to talk among themselves without having anyone, government or otherwise, listen in. We don\u2019t know what pressure the Trump administration is using to make intelligence services fall into line, but it isn\u2019t crazy to\u00a0worry<\/a>\u00a0that the NSA might again start monitoring domestic communications.<\/p>\n

Because of the Signal chat leak, it\u2019s less likely that they\u2019ll use vulnerabilities in Signal to do that. Equally, bad actors such as drug cartels may also feel safer using Signal. Their security against the US government lies in the fact that the US government shares their vulnerabilities. No one wants their secrets exposed.<\/p>\n

I have long advocated for a “defense dominant” cybersecurity strategy. As long as smartphones are in the pocket of every government official, police officer, judge, CEO, and nuclear power plant operator\u2014and now that they are being used for what the White House now calls calls \u00a0“sensitive<\/a>,” if not outright classified conversations among cabinet members\u2014we need them to be as secure as possible. And that means no government-mandated backdoors.<\/p>\n

We may find out more about how officials\u2014including the vice president of the United States\u2014came to be using Signal on what seem to be consumer-grade smartphones, in a apparent\u00a0breach of the laws on government records<\/a>. It\u2019s unlikely that they really thought through the consequences of their actions.<\/p>\n

Nonetheless, those consequences are real. Other governments, possibly including US allies, will now have much more incentive to break Signal\u2019s security than they did in the past, and more incentive to hack US government smartphones than they did before March 24.<\/p>\n

For just the same reason, the US government has urgent incentives to protect them.<\/p>\n

This essay was originally published in Foreign Policy<\/a>.<\/em><\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Bruce Schneier
\n \t

\n
<\/BR>
\nGo to bruce schneier<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

The Signal Chat Leak and the NSA US National Security Advisor Mike Waltz, who started the now-infamous group chat coordinating a US attack against the Yemen-based Houthis on March 15, is seemingly now suggesting that the secure messaging service Signal has security vulnerabilities. “I didn\u2019t see this loser in the group,” Waltz\u00a0told\u00a0Fox News about\u00a0Atlantic\u00a0editor in […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57,1049,1050,1051,1,416],"tags":[87],"class_list":["post-2966","post","type-post","status-publish","format-standard","hentry","category-bruce-schneier","category-defense","category-department-of-defense","category-signal","category-uncategorized","category-vulnerabilities","tag-bruce-schneier"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2966"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=2966"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2966\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=2966"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=2966"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=2966"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}