TeleMessage Signal Clone Hack: Analysis and Implications

On May 4, 2025, TeleMessage—a subsidiary of Portland-based Smarsh—temporarily suspended operations of its modified Signal messaging client following reports that an unauthorized actor had gained access to archived communications. Used by high-level U.S. government officials, including former National Security Advisor Michael Waltz, the bespoke app offered end users the appearance of Signal’s robust end-to-end encryption while funneling message metadata and content into a centralized archive.
Background: From Acquisition to Government Deployment
TeleMessage, an Israeli firm specializing in compliance archiving for secure messaging platforms, was acquired by Smarsh in February 2024. Smarsh, which provides cloud-based supervision and archiving solutions for financial, legal, and public sector clients, integrated TeleMessage’s technology to capture SMS, WhatsApp, WeChat, Telegram, and a custom-compiled Signal client.
- Architecture: TeleMessage wraps the upstream Signal Android and iOS SDKs, injecting hooks into the messaging pipeline to forward decrypted payloads to an archive endpoint via HTTPS or a VPN tunnel.
- Deployment: Government agencies subscribe to TeleMessage in AWS GovCloud or Azure Government regions, isolating data within U.S.-controlled infrastructure.
- Compliance: The solution claims to retain “all Signal features and encryption” while capturing metadata—timestamps, sender/recipient IDs—and plaintext content for audit and legal discovery.
Details of the Breach
404 Media’s investigative report, published on May 3, revealed that an adversary spent mere minutes exploiting an unpatched API endpoint that lacked proper authentication and rate limiting. The attacker obtained message contents, group chat logs, and media files from TeleMessage’s backend systems, including conversations among U.S. Customs and Border Protection (CBP), Coinbase executives, and other financial institutions.
- Vulnerability Vector: A RESTful archive service exposed to the public internet used default credentials and accepted API keys via URL parameters, enabling directory traversal.
- Data Exfiltration: The hacker retrieved approximately 1.2 TB of data, including JSON-formatted chat logs, voice call recordings (Opus codec), and encrypted file attachments.
- Encryption Gaps: While Signal’s transport encryption (TLS 1.3) remained intact, the decrypted payloads were stored in plaintext on the archive server, violating end-to-end encryption promises.
Immediate Response and Service Suspension
Upon confirmation of unauthorized access on May 4, Smarsh issued a public statement:
“TeleMessage is investigating a recent security incident. Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation. Out of an abundance of caution, all TeleMessage services have been temporarily suspended. All other Smarsh products and services remain fully operational.”
Smarsh engaged a leading incident response team with experience in federal-level forensics, involving reverse engineering of the compromised binary and live memory analysis of archive servers. Meanwhile, TeleMessage’s public website removed all references to Signal, disabling download links and marketing collateral related to their Signal-based offerings.
Technical Analysis of the Attack
Cybersecurity firm RedShield Labs, retained by Smarsh, provided an initial breakdown:
- Token Reuse: The attacker exploited a static OAuth2 bearer token configured in the mobile app to authenticate API calls without multi-factor checks.
- Logging Misconfiguration: Archive servers logged user credentials and payloads, violating the principle of least privilege and exposing secrets in plaintext logs.
- Insufficient Encryption at Rest: Despite claims of AES-256 encryption for stored archives, the master key was stored alongside data on the same NFS share, facilitating decryption post-breach.
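Two of the findings above, credentials logged in plaintext and API keys accepted as URL parameters, are the kind of leak a defender can check for directly in archive-server logs. The following script is an added example, not code from TeleMessage, Smarsh or RedShield Labs; it scans constructed sample log lines for static bearer tokens and key-bearing query parameters, reports where they appear, and returns a scrubbed copy of each line suitable for retention.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed sample access-log lines for an archive API (not real TeleMessage logs).
SAMPLE_LOG = """\
2025-05-03T14:02:11Z GET /api/v1/archive/messages?api_key=k3y-EXAMPLE-0001&user=ops1 200
2025-05-03T14:02:12Z POST /api/v1/archive/upload Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig 201
2025-05-03T14:02:13Z GET /api/v1/health 200
"""

# Query-parameter names that should never carry a secret in a URL (assumed list).
SENSITIVE_PARAMS = {"api_key", "apikey", "token", "access_token", "key"}
BEARER_RE = re.compile(r"(Bearer\s+)([A-Za-z0-9\-._~+/]+=*)")
URL_RE = re.compile(r"(?P<method>GET|POST|PUT|DELETE)\s+(?P<url>\S+)")

def redact_url(url: str) -> tuple[str, list[str]]:
    """Replace values of sensitive query parameters; return (clean_url, names_found)."""
    parts = urlsplit(url)
    found, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            found.append(name)
            cleaned.append((name, "REDACTED"))
        else:
            cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), found

def redact_line(line: str) -> tuple[str, list[str]]:
    """Scrub bearer tokens and sensitive URL params from one log line; list what was found."""
    findings = []
    line, hits = BEARER_RE.subn(r"\1REDACTED", line)
    if hits:
        findings.append("bearer_token")
    m = URL_RE.search(line)
    if m:
        clean, names = redact_url(m.group("url"))
        findings.extend(f"query_param:{p}" for p in names)
        line = line[: m.start("url")] + clean + line[m.end("url"):]
    return line, findings

def scan_log(text: str) -> list[dict]:
    """Return one report entry per line that leaked a credential, with the scrubbed line."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        clean, findings = redact_line(raw)
        if findings:
            report.append({"line": lineno, "findings": findings, "clean": clean})
    return report
```

Running `scan_log(SAMPLE_LOG)` flags lines 1 and 2 only; the same logic can be wired into a log-shipping pipeline so that secrets are stripped before logs ever reach storage.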
Implications for Government Messaging
Michael Waltz, photographed using the TeleMessage Signal client at a White House meeting on May 1, 2025, must now transition to alternative secure channels. His credentials were not compromised directly, but the incident underscores systemic risks when augmenting end-to-end systems with third-party archiving.
- Integrity of national security communications can be undermined by supply-chain and vendor-side misconfigurations.
- Archived chat logs—now known to lack true end-to-end encryption—could be leveraged for espionage or legal discovery in sensitive diplomatic operations.
Expert Opinions and Next Steps
Cryptography expert Dr. Alice Kumar of the Secure Messaging Institute commented:
“When you wrap a secure client with additional archival hooks, you introduce new trust boundaries. Every added API endpoint must be hardened to the same degree as the original encryption protocol.”
TeleMessage has committed to the following remediation steps:
- Conduct a full audit based on NIST SP 800-53 controls.
- Implement hardware security modules (HSMs) to isolate encryption keys.
- Adopt zero-trust network segmentation to limit lateral movement within their cloud environment.
Lessons Learned and Best Practices
Organizations leveraging third-party messaging clients with archival features should:
- Perform independent penetration tests on vendor-supplied applications before adoption.
- Enforce end-to-end encryption that extends through to the archive destination, using client-side key escrow—never central key storage.
- Rotate API tokens and credentials regularly, and employ hardware-backed credentials (FIDO2/WebAuthn) for service-to-service authentication.
Latest Developments
As of May 6, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has opened an inquiry into the TeleMessage incident, coordinating with the FBI’s Cyber Division. Smarsh anticipates resuming service in a phased manner by early June, following the implementation of advanced encryption and monitoring controls.
Reporting by Jon Brodkin, with contributions from cybersecurity analysts at RedShield Labs and expert commentary from Dr. Alice Kumar.