How Data Detectors led to a security breach on Signal

National Security Advisor Mike Waltz has blamed his iPhone for accidentally inviting a journalist into a secret discussion of a strategic military strike.

Jeffrey Goldberg, editor of The Atlantic magazine, accepted a March 13 invitation from Waltz that was intended for National Security Council spokesperson Brian Hughes. Goldberg then reported on the chat, revealing that the administration used the Signal app for what should be considered classified information.

A report published in the UK by The Guardian explained exactly how the error in inviting Goldberg occurred. The journalist was accidentally included because Waltz accepted an iPhone-suggested updated contact number in Hughes' original missive, thinking it was an updated number for Hughes — when in fact it was the number for Goldberg.

Goldberg thus received Hughes' invitation to the Signal chat among White House advisors. Goldberg's resulting article revealed the name of the chat — "Houthi PC small group" — and that plans were discussed for an upcoming military strike against the Houthis in Yemen.

The current administration is not the only one to have relied on Signal. The Biden administration also used it, because the government does not have its own system and Signal is considered one of the most secure messaging platforms.

Watch the Latest from AppleInsider TV

42 Comments

Luis.A.Masanti 1 Year · 84 comments

About 6 days ago

Greeks killed the messenger of bad news… but the bad news remained!
This ‘advisor’ blames his iPhone… but the bad news remains!

6 Likes · 2 Dislikes

lollercoaster New User · 1 comment

About 5 days ago

AppleInsider said:

National Security Advisor Mike Waltz has blamed his iPhone for accidentally inviting a journalist into a secret discussion of a strategic
…
A report published in the UK by The Guardian explained exactly how the error in inviting Goldberg occurred. The journalist was accidentally included because Waltz accepted an iPhone-suggested updated contact number in Hughes' original missive, thinking it was an updated number for Hughes -- when in fact it was the number for Goldberg.

I don’t know…is it possible that the error occurred because he was using Signal instead of an actual approved platform…where shit like this wouldn’t happen? Just a thought!

15 Likes · 1 Dislike

dewme 11 Years · 5967 comments

About 5 days ago

This was a stupid mistake by someone who should have known better. If I made this mistake I would have had my security clearance revoked. Since my job was contingent on having a security clearance I would have lost my job - instantly.

You can’t blame the technology for this mistake. It doesn’t matter how secure or not secure a particular public or open source communication platform is for these types of transactions. Any communication mechanism used for official communication at these levels of security must be certified as such by the agencies who are responsible for maintaining security. That means controlling both ends of the pipe.

Secure communication can take place over unsecured connections using black channel methods and certified encryption. Relying on someone else’s definition of security is just plain stupid. It doesn’t matter if Signal has great encryption, the conveyance of classified information has to be secure based on the security needs of the endpoints, not the channel.

Unless the US government and DOD owns the channel and has certified that the channel security itself provides defense in depth regardless of the endpoints, it should not be used. At the very least, they should have encrypted the messages using their own public/private keys (that had expiries appropriate to the duration of the task) before putting them on Signal. In that case any communications sent to the wrong recipient would be protected. But even doing that would be a security violation if use of Signal had not been authorized.

The party that screamed for jail time for a previous candidate for a far less damaging concern has no right to sweep this verified breach under the rug. There is no hypothetical “what if” here. This was a major violation of security practices by top officials of the US government, not some E1 fresh out of boot camp. Our entire model of responsibility and accountability at the top levels of US government is totally absurd. Having so many amateurs in key top level posts who show such little regard for protecting the US and allies from outside threats is unforgivable and derelict.

24 Likes · 0 Dislikes

chasm 11 Years · 3721 comments

About 5 days ago

lollercoaster said:

don’t know…is it possible that the error occurred because he was using Signal instead of an actual approved platform…where shit like this wouldn’t happen? Just a thought!

That's the problem in a nutshell ... there apparently isn't an approved texting program for secure government communications. There's certainly a secure email system, and approved secure phone lines, but no texting platform for sensitive discussions -- hopefully this will inspire the administration to make one.

To be fair to Signal, the problem isn't the program. It's E2EE, so this is technically all that's needed. You just gotta have a way to better vet who is in on the chat.