Cyber Threats and the Limits of Signal

What is Signal and is it secure? Cyber security expert explains amid chat breach

    Summary

    Signal, a widely used encrypted messaging app akin to WhatsApp, has come under scrutiny for its adequacy in protecting sensitive governmental communications. While it offers robust encryption for consumer use, its consumer-grade security is deemed insufficient for government officials dealing with classified information. Security expert Chris Pearson explains that while Signal encrypts data end-to-end, it doesn't prevent sophisticated hacks or protect devices from malware, often used by nation-states like China. Additionally, errors such as mistakenly adding contacts to chats could also compromise security, highlighting the need for government officials to use designated secure devices and communication tools.

      Highlights

      • Signal is highly encrypted, but not foolproof against sophisticated hacking attempts by nation-states like China. 🇨🇳🔍
      • Use of non-designated secure devices for government work can lead to vulnerabilities. 🔐
      • Smishing and phishing attacks are common tactics to gain access to personal devices. ✉️🎣
      • High-profile individuals are targeted using advanced spyware like Pegasus that doesn't require user interaction. 🛰️🕵️
      • Errors like unintended contacts in chats can compromise security, often due to user mistakes. 🤦‍♂️📱

      Key Takeaways

      • Signal is a robust encrypted app for consumers, but not for government officials handling classified data. 🔒
      • Government officials should avoid using personal devices for work to prevent security breaches. 📱⚠️
      • Sophisticated nation-state hackers can bypass app encryption by targeting devices directly with malware. 🌐💻
      • Errors in contact management can lead to security breaches, emphasizing the need for strict security protocols. 📧🚫
      • Nation-states actively target telecommunications to gather intelligence on high-profile individuals. 🕵️‍♂️📡

      Overview

      Signal is an encrypted application often likened to WhatsApp, praised for its strong encryption tailored for consumer use. In the context of government usage, however, its consumer-level protections fall short. As Chris Pearson notes, it serves well for private individuals wanting secure communication but raises concerns for handling sensitive governmental information, given the persistent threat from state-sponsored hackers.

      In discussions with Katie, Chris outlines the risks government officials face when using apps like Signal on personal devices. These risks are amplified by adversaries' ability to use open-source intelligence to track email addresses and phone numbers, which opens the way to hacking via smishing and phishing. Also prevalent are advanced cyber weapons like Pegasus, which do not require user interaction to compromise devices.

      Mistakes made while using a device, like accidentally adding a contact to a sensitive group chat, show the role of human error in digital security breaches. As a solution, Pearson advises maintaining separate approved devices solely for government communications and adhering strictly to approved, more secure communication channels, especially for those in high-profile positions vulnerable to espionage.

            Chapters

            • 00:00 - 00:30: Introduction to Signal and Security Concerns. The chapter "Introduction to Signal and Security Concerns" features an interview with security expert Chris Pearson, the founder and CEO of BlackCloak. The discussion revolves around the use of Signal, a popular encrypted messaging app, and its implications for security. Pearson explains that while Signal is known for its strong encryption, making it comparable to apps like WhatsApp, it is not deemed secure enough for sensitive or classified communications by government officials. The chapter highlights the government's previous advisories for citizens to use Signal in response to foreign threats to phone system security, yet it underscores the app's limitations for handling top-secret information.
            • 00:30 - 01:00: Comparison with Text Messages. This chapter compares regular text messaging with other forms of communication, emphasizing the lack of security in typical text messages (similar to sending a postcard). It suggests that sensitive information, such as social security numbers, should be communicated using encrypted applications like Signal. Signal is highlighted as a consumer-based application suitable for securely transmitting private data.
            • 01:00 - 01:30: Concerns for Government Officials. The chapter highlights the critical importance of protecting both devices and data transmissions used by government officials, especially when dealing with sensitive or classified information. It warns against the risks associated with using consumer-grade encrypted applications on personal devices, as this could expose the United States and other countries to foreign spying, hacking, and various security threats.
            • 01:30 - 02:00: Methods of Infiltration by Bad Actors. The chapter discusses various methods bad actors use to infiltrate communication systems, focusing on their strategies to breach classified or sensitive information. One key approach highlighted is the use of open-source intelligence to gather information about targeted individuals, such as obtaining phone numbers linked to personal or governmental accounts. This method is critical for bad actors, whether backed by foreign adversaries or unaffiliated individuals, to gain unauthorized access to the personal devices of influential figures like politicians.
            • 02:00 - 02:30: Nation-State Threats and Spyware. The chapter "Nation-State Threats and Spyware" discusses how sensitive information, often found on data broker websites or the dark web, is accessed and exploited by cybercriminals and nation-states. It describes the process of sending "smishing" (SMS phishing) or phishing messages to target individuals. Upon opening these messages, individuals risk launching malware on their devices, potentially granting attackers full access to their devices. The text highlights the advanced capabilities of nation-states in conducting such cyber threats.
            • 02:30 - 03:00: Group Chat Vulnerabilities. This chapter delves into the vulnerabilities of group chat applications, particularly focusing on nation-state spyware like Pegasus. This spyware can be deployed without any user interaction, granting attackers comprehensive control over the targeted device, including installed apps and stored messages. The discussion raises concerns about potential methods bad actors might use to insert a phone number into a group chat without the user's consent, exploring the broader implications for user privacy and security.
            • 03:00 - 03:30: Separation of Work and Personal Devices. The chapter discusses the importance of separating work and personal devices to avoid communication mishaps. It uses an example where someone mistakenly added Jeffrey Goldberg to a group text message. This situation is likened to common errors where individuals accidentally send messages or emails to the wrong person due to similar names or initials. The narrative emphasizes that such mistakes are universal, as everyone has experienced them, which underscores the necessity of keeping work and personal devices separate.
            • 04:00 - 04:30: Threats from Foreign Governments. This chapter discusses the importance of keeping work and personal devices separate, especially when dealing with government-related information. It highlights a specific incident where a lack of security measures led to "cross contamination" of information. The narrator emphasizes the use of secure messaging apps like Signal, which have features to enhance security, such as not automatically pulling from contact lists, requiring users to add contacts manually. The chapter suggests that the security lapse was due to human error, described as a "fat fingering" of a contact.
            • 05:00 - 05:30: Conclusion and Recommendations. The chapter delves into the topic of data sensitivity and the potential risk of foreign governments accessing private information through electronic devices. It uses the hypothetical scenario of Steve Witkoff in Russia and Tulsi Gabbard, who was overseas during a particular incident, to underscore the vulnerabilities that can be exploited. The narrative metaphorically references Homer Simpson's comical clumsiness as an analogy for the mistakes or carelessness that can lead to security breaches. The emphasis is on the importance of safeguarding information against potential threats from foreign entities, even when individuals are abroad.

            What is Signal and is it secure? Cyber security expert explains amid chat breach Transcription

            • 00:00 - 00:30 joining us now is security expert Chris Pearson founder and CEO of BlackCloak um Chris thanks for being here Signal is an encrypted app it's like WhatsApp but probably stronger it means it's scrambling the information from end to end um the government did tell Americans to use this when China was able to get into our our phone systems so why is it not secure enough for our government officials to be having sensitive top secret classified conversations
            • 00:30 - 01:00 well there there are a few issues here Katie first of all is going to be in terms of just normal text messages a text message that you send between yourself and your parents your brothers your friends that is pretty much akin to sending a postcard writing the information on a postcard that everyone can see in the mail not going to be secure if you have to transmit that information to family member you know social security number other information there and you want to use encrypted communication Signal is going to be an application of a choice but it is a consumer based application the real
            • 01:00 - 01:30 issue here is that for sensitive or classified information that is being used by and transmitted by the government that number one the devices must be protected and number two the application and the transmission of the data must be protected just simply using an encrypted app that is only consumer grade on a personal device is actually going to open up the United States and others right to foreign spying hacking and other risks it is is not
            • 01:30 - 02:00 insufficient to go ahead and protect classified or even sensitive communications um H how would they go about doing that if that you are a foreign adversary um or a bad actor maybe you're not even attached to a government and you want to get into Marco Rubio's phone or you want to get into Pete Hegseth's personal phone uh to see what's on some of these apps how do they do that I mean the number one thing that people are going to do is go ahead and do open-source intelligence so they're going to find the numbers that are associated with the individual much of
            • 02:00 - 02:30 this information exists on data broker websites or is on the dark web which of course cyber criminals are on as well as nation states once you have that information you can go ahead and try to send a smishing a fake text message or a phishing message to their known email address and if they open up that email on their phone if they open up that email through the text message on their phone they could launch malware on the phone that then gives access into the entire device itself if you're talking about a sophisticated nation state then
            • 02:30 - 03:00 what we've heard of many many times and reported on is Pegasus right nation state spyware that actually does not require the user to do anything but can be sent to your phone and gives a nation state total control of that device which would include apps that are on the device and the different messages that are on it in this case Signal and the unencrypted messages that are resident on the phone is there um any way for a bad actor to place somebody's phone number into a group chat they keep
            • 03:00 - 03:30 talking about how they have their best guys working on trying to figure out how um Jeffrey Goldberg got onto this this group text message chain could somebody place him on uh it seems that that is going to be less likely uh you've done this I've done this everyone has done this we've sent the wrong text message to somebody we've sent added somebody to an email chain by mistake because their name starts with the same name or same initials we've all done this before this is why you separate the devices right
            • 03:30 - 04:00 you do not have your work device that associated with the government be combined with your personal device associated with you individually so you don't have cross contamination on Signal you can actually have a setting so it does not pull from your contacts and so you have to individually and uniquely add an individual to that text message to that chat which gives you an upper level of security that probably was not done in this case and this is probably more of a fat fingering of that contact
            • 04:00 - 04:30 being added in fat fingering I'm thinking of Homer Simpson mashing his palm against the phone in the in the Simpsons um one other question one other question for you uh about uh sensitivity and uh the ability of foreign governments to get into these phones Steve Witkoff was in Russia when he was on this text chain um Tulsi Gabbard was overseas as well she's not saying specifically where she was she says she can't remember um if the Russians wanted to to find out what Steve Witkoff had on
            • 04:30 - 05:00 his phone um could they the answer simply is yes so when your phone connects into the different communication towers that are controlled by foreign uh agents foreign adversaries intelligence agencies they can listen to watch hear what is actually going on in terms of voice communications and the same in terms of text communications now with regard to Signal that is encrypted end to end but you could launch a
            • 05:00 - 05:30 successful network attack against a specific device and try to take over that device which would render the actual encryption useless now we absolutely know from Salt Typhoon which was launched by China where it impacted eight major telecommunication companies just four months ago that those nation states especially China are targeting telecommunications in specific individuals specific numbers and specific text messages because that is all part of their plan the fact of the
            • 05:30 - 06:00 matter is if you are a high-profile person a high-profile government individual that you should stick to approved devices and approved communication mediums Chris Pearson thank you very much for joining us