
Steve Witkoff was on the chat while he was in Russia.

There’s a vulnerability in Signal where you can set up linked devices that replicate your Signal messages. You can do this by just scanning a QR code. This is known to be used by Russian hackers.

What are the chances the Russians duped Witkoff into scanning a QR code while he was in Moscow?



> What are the chances the Russians duped Witkoff into scanning a QR code while he was in Moscow?

What are the chances this admin had him do it ON PURPOSE?


And why would they when they can pop Starlink and get a far bigger prize? https://www.nytimes.com/2025/03/17/us/politics/elon-musk-sta...


Why must a Signal attack take place only in Russia? If Russian intelligence operations can operate freely in the US, they can attack US Officials in the US as well.


Good point. I was just thinking Witkoff must be dealing with Russian functionaries all the time in Moscow so they have near constant direct access. There’s nothing to stop them duping one of them in the US though, and it doesn’t seem like duping these guys would be a stretch.


Honestly, the Russians probably already have done so. It's just a matter of whose phone in that group has been compromised.

In a previous world, some three letter agency (FBI maybe?) would seize the phones in the chat to investigate the leak.


Man-in-the-middle attacks require access to the mobile or networking infrastructure (so not necessary, but much more likely and easy).


> There’s a vulnerability in Signal where you can set up linked devices that replicate your signal messages.

You mean the desktop linking feature? If that's considered a vulnerability, then so is being able to chat with someone after getting their public key unverified from an overseas server, the primary mode in which everyone uses it (including the people in this chat, evidently, since no out-of-band key exchange was performed)...

Not to mention the "vulnerability" where you copy the phone's storage and get the key material onto another device to do with what you will, which may be harder or easier depending on the hardware, but I'd trust any sufficiently funded security agency to be able to do this for common devices.


If you're part of the US government, with access to the most sensitive information which will put people's lives at risk if compromised, then yes this is a vulnerability because "Russian GRU agent nicks your phone and scans your Signal QR code" is a real threat.


If you're part of the US government, you're not supposed to use Signal to discuss this kind of stuff.


Bringing in a phone with decryption keys for this conversation is a risk, then, not just Signal's featureset...

I agree it could be hardening to allow users/organizations to disable this feature, and also other features such as automatic media decoding and other mechanisms that are trade-offs between security and usability, but it simply does not meet the definition of a vulnerability (nobody will assign this a CVE number to track the bug and "resolve" it).


Totally! Probably for a restaurant menu or something... It also seems likely that they added Jeffrey Goldberg (the Atlantic's editor-in-chief) to the chat as the outlet, so the whole thing would become public...


How about a restaurant that doesn't have menus and requires patrons to scan a QR code?

Acrylic table menus have inserts which can be easily replaced.


You guys are forgetting that you have to scan the QR code from Signal's "link new device" menu, and then approve the new device, which is a somewhat uncommon thing for a restaurant menu to ask you to do.


That’s one way, but.

https://thehackernews.com/2025/02/hackers-exploit-signals-li...

“… the threat actors, including one it's tracking as UNC5792, have resorted to malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance.”

“These QR codes are known to masquerade as group invites, security alerts, or legitimate device pairing instructions from the Signal website.”

Also

“Last week, Microsoft and Volexity also revealed that multiple Russian threat actors are taking advantage of a technique called device code phishing to log into victims' accounts by targeting them via messaging apps like WhatsApp, Signal, and Microsoft Teams.”
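
Editor's added example, not part of any comment in this thread: a defender-side check that tells a genuine Signal group invite apart from a QR payload that would start device linking, which is the mismatch the quoted report describes. The URI forms `sgnl://linkdevice`, `tsdevice:` and `https://signal.group/#...` are assumptions about Signal's formats that the thread does not state, and all sample payloads are constructed.

```python
from urllib.parse import urlsplit, parse_qs, unquote

def classify_qr_payload(payload: str, depth: int = 0) -> str:
    """Return 'device-link', 'wrapped-device-link', 'group-invite' or 'other'."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    # Assumed device-linking URI forms (current and legacy clients).
    if scheme == "tsdevice":
        return "device-link"
    if scheme == "sgnl" and parts.netloc.lower() == "linkdevice":
        return "device-link"
    # Assumed form of a real group invite.
    if scheme == "https" and (parts.hostname or "") == "signal.group":
        return "group-invite"
    # A web URL can carry the linking URI in a parameter or fragment
    # and hand it to the app after the victim opens the page.
    if scheme in ("http", "https") and depth < 3:
        nested = [v for vals in parse_qs(parts.query).values() for v in vals]
        nested.append(unquote(parts.fragment))
        for value in nested:
            if classify_qr_payload(value, depth + 1).endswith("device-link"):
                return "wrapped-device-link"
    return "other"

# Constructed samples: (what the lure claims to be, decoded QR payload).
SAMPLES = [
    ("group invite", "https://signal.group/#CONSTRUCTED-INVITE"),
    ("group invite", "sgnl://linkdevice?uuid=CONSTRUCTED&pub_key=CONSTRUCTED"),
    ("security alert",
     "https://alerts.example.invalid/verify?next="
     "sgnl%3A%2F%2Flinkdevice%3Fuuid%3DCONSTRUCTED%26pub_key%3DCONSTRUCTED"),
    ("restaurant menu", "https://menu.example.invalid/table/12"),
]

def flag_lures(samples):
    """Return (claimed purpose, verdict) for payloads that would start linking."""
    hits = []
    for claimed, payload in samples:
        verdict = classify_qr_payload(payload)
        if verdict.endswith("device-link"):
            hits.append((claimed, verdict))
    return hits

if __name__ == "__main__":
    for hit in flag_lures(SAMPLES):
        print(hit)
```

A linking URI that arrives in a message, e-mail or web page is the anomaly, whatever the lure claims to be. A page that builds the URI in script after loading will not be caught by inspecting the URL alone.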


That's just phishing.

Signal could make the pairing attack impossible by eliminating the device pairing feature, but that would also reduce its appeal and harm its mission of bringing secure communication to a broad audience. It could add steps to setting up a group chat and inviting additional members to make it less likely users will invite the wrong person, but that, too, would hurt its popularity.

Security is a process and a spectrum, not a binary that can be guaranteed by using a certain product or service.


The goal of US information security is not making an app more popular. It's keeping secrets safe.

In that view, Signal is the wrong app to use for US Officials.


I agree. There are official channels that already exist for discussing sensitive information, and it does not appear Signal is one of them. These officials using any device or software not approved for that purpose constitutes a serious breach of protocol.

Signal probably shouldn't be approved for that purpose because it does trade some foolproofness for convenience. Secure communication should also be limited to dedicated devices, which probably wouldn't have journalists stored in their contacts.


The CIA was approved to use Signal but for certain applications. Probably because it was better than SMS. But not good enough for classified information.

You could see a CIA agent being in Russia needing to use Signal with an informant, e.g. But that wouldn't be the same level of security needed to hold nuclear secrets.


I imagine Signal itself is secure enough that it wouldn't be unreasonable for a government to develop a procedure to use it to transmit classified information under certain conditions.

That list of conditions would likely be quite restrictive compared to how we saw it used here. It would certainly include using a dedicated device for classified information, and would forbid taking that device to an unfriendly country. The US government doesn't need to do that though; it already has its own systems for secure communication.


What are the chances Trump portrait[1] has a passive microphone? [2]

[1] "Putin gave Trump portrait to envoy, Kremlin confirms" - https://thehill.com/policy/international/5212691-putin-trump...

[2] https://en.wikipedia.org/wiki/The_Thing_(listening_device)


Right. So the problem is not that everyone in the chat was using an unsanctioned app to exchange classified information, but these insidious Ruskies who tricked Witkoff and hacked his personal Signal account.


That's the White House line, apparently they did nothing wrong. It's that journalist's fault. It can't be the Russians though, they're trusted allies now.



