Recent findings regarding the communications app TM Signal, developed by TeleMessage, have raised significant alarms about its security flaws. This application has been utilized by at least one official from the Trump administration to archive messages, and a recent breach has catalyzed an external investigation into its security protocols.

Uncovered Security Flaws

Micah Lee, a journalist and security researcher, conducted an in-depth analysis of TM Signal’s Android source code and concluded that its archiving features fundamentally compromise Signal’s core security promises. His findings suggest that the communications sent between the app and its archive are not protected by end-to-end encryption, allowing the parent company, TeleMessage, to potentially access users’ conversations.

Implications of Recent Data Breaches

Over the weekend, a reported breach revealed that user messages and sensitive data were exposed, suggesting that some information was sent unencrypted. This directly contradicts TeleMessage’s claims stating that TM Signal offers “End-to-End encryption from the mobile phone through to the corporate archive.” Lee’s findings highlight that not only is the app vulnerable, but it also allows for plaintext accessibility of chat logs by the archive server.

Government Scrutiny and Response

Following the breach, Smarsh, TeleMessage’s parent company, acknowledged the security incident and stated they are collaborating with an external cybersecurity firm for an investigation. However, concerns have been escalated to the federal level. U.S. Senator Ron Wyden has called for a Department of Justice investigation, asserting that TeleMessage poses a serious threat to national security and urging a review of its adoption among government agencies.

Concerns Over User Data Security

The implications of the app’s vulnerability are particularly troubling, given its use by high-ranking officials. For instance, Mike Waltz, the former national security adviser to President Trump, was recently photographed using TM Signal in a cabinet meeting, reportedly communicating with other top officials. Lee’s research revealed that TM Signal saves communication data directly to local device databases before sending it to an archive server, thereby enabling potential plaintext exposure.

Conclusion

The troubling revelations about TM Signal underscore significant challenges in ensuring secure communication within government agencies. As investigations continue, the findings raise critical questions about the appropriateness of using this archiving service and its potential risks to sensitive information.