Signal was a 'risky' choice for sharing classified plans. Which is the most secure messaging app?

Euronews

01-04-2025

ADVERTISEMENT
A mere three days after US Defence Secretary Pete Hegseth boasted on national television that America "no longer looked like fools," it emerged that he was part of a group of high-ranking officials who
inadvertently texted plans
for an attack in Yemen to a journalist.
Hegseth, alongside Vice President JD Vance, Secretary of State Marco Rubio, National Security Advisor Michael Waltz and others, had been using the messaging platform Signal to discuss highly sensitive and classified information.
Democratic lawmakers swiftly condemned this as an "egregious" security breach, and US President Donald Trump said he knew "nothing about it," as his team claimed
a "glitch"
was to blame for the addition of journalist Jeffrey Goldberg to a message chain named "Houthi PC small group".
Related
What is Signal and should US officials have used it to share Yemen air strike plans?
Though encrypted and technically secure, the platform is "full of risks" related to human error and spyware, and was not the appropriate choice for such a conversation, argues Callum Voge, Director of Governmental Affairs and Advocacy at Internet Society.
"Governments have specific protocols for protecting classified information, and those protocols usually state that classified info can only be shared under certain conditions. So when people say Signal isn't appropriate for sharing state secrets, it's not just about Signal - it's about any consumer messaging app. Whether it's WhatsApp, Signal, or Telegram, they all pose risks," Voge told Euronews Next.
A key danger is that
Signal
is available to the general public and used by millions worldwide.
"Anyone in the world can create a Signal account. So, for example, someone without security clearance could be accidentally added to a group chat. That's one way secrets could be leaked - by accident, human error, or on purpose," Voge added.
"Also, Signal is used on personal devices. That introduces the risk of spyware - software that can record what's happening on your device in real-time and send it to a third party. So even if Signal is the most secure app in the world, if your phone has spyware, it's still a leak".
Related
'My concerns are more about people, institutions than the tech': Signal's Meredith Whittaker on AI
Warnings Signal was a target for hackers
In fact, the Pentagon issued a department-wide memo just days after the Signal group chat leak, warning that Russian professional hacking groups were actively targeting the app.
According to the memo, the attackers were exploiting Signal's "linked devices" feature - a legitimate function that allows users to access their account across multiple devices - to spy on encrypted conversations.
If a device is compromised - whether through malware, unauthorised access, or sophisticated spyware like Pegasus - encryption becomes irrelevant.
Gustavo Alito
Cybersecurity expert, Equans BeLux
"Signal's effectiveness depends on the security of the device used. It's like installing the most secure alarm system in a house without doors," Gustavo Alito, a cybersecurity expert at Equans BeLux, noted.
"If a device is compromised - whether through malware, unauthorised access, or sophisticated spyware like Pegasus - encryption becomes irrelevant. Attackers can monitor and capture all device activity in real time, including messages being written," he told Euronews Next.
"A surprising development in this case is that reports indicate Signal was pre-installed on US government devices. While this suggests an institutional push for encrypted communication, it also raises concerns," Alito added.
"The fact that Signal was made widely available may have led officials to assume it was approved for classified discussions, despite warnings from the NSA and the Defence Department against using it for sensitive matters".
Related
What is Pegasus, the Israeli mobile phone spyware used by governments around the world?
Signal, WeChat, WhatsApp, Telegram: Which is the most secure platform?
On the low end of the spectrum, where messages are most vulnerable, are platforms that either lack end-to-end encryption or don't enable it by default.
ADVERTISEMENT
According to Voge, "that means it's encrypted from endpoint to endpoint. So, for example, one endpoint is your phone and the other is mine - and as the conversation or text goes back and forth between us, no third party can decrypt it, not even the provider".
Apps like WeChat, for instance, do not offer end-to-end encryption, meaning messages can potentially be accessed by the service provider or government authorities - a major concern in countries like China.
Similarly, Telegram does not encrypt group chats or even one-on-one chats by default; users must manually enable "secret chats" for end-to-end protection. Because of this, messages on these platforms are more susceptible to interception.
At the high-security end are apps like Signal, WhatsApp, and to a limited extent, iMessage, all of which offer end-to-end encryption by default.
ADVERTISEMENT
Among them, Signal stands out for its open-source protocol, non-profit governance, minimal metadata retention, and default encryption across messages, calls, and group chats.
Related
Whatsapp faces strictest EU platform rules, but not Telegram
WhatsApp, while also encrypted using Signal's protocol, is owned by Meta and retains more metadata, which some view as a potential vulnerability. iMessage is considered technically secure, but it's a closed-source, Apple-only system, which limits transparency and auditing.
So,
Signal
is widely regarded by experts as the gold standard for encrypted messaging, but, as we've just seen, it is not immune to risks stemming from user error, device compromise, or misuse in contexts requiring classified communication protocols.
"Like any company, Signal regularly audits other parts of their app - like how users verify their phone numbers or add new devices. Sometimes issues come up, and they respond with security patches, which they publish on their website with details," said Voge.
ADVERTISEMENT
"You may have heard of a recent vulnerability involving Russia. This was a phishing attack used in Ukraine: attackers sent fake QR codes to trick people into joining Signal groups. When someone scanned the code, it linked a new device to their account - effectively hijacking it," he continued.
"It wasn't a flaw in the encryption protocol, but in how Signal handled device linking. Signal responded with an update - now, if you want to link a new device, you need Face ID or Touch ID".
Related
Report shows how messaging apps are used to spread political propaganda
What's the best way to message securely?
So what should Hegseth, Vance, Waltz and the rest of the Houthi PC small group have done instead?
The US government almost certainly has its own systems for handling classified information.
ADVERTISEMENT
"Government officials are generally expected to use special devices and systems not available to the public. You might imagine a platform that only government officials can download, and maybe even has levels of classification built in - like confidential, secret, and top secret," said Voge.
Indeed, he pictures "a government setting in which officials go to a secure room, leave their personal devices behind, and use a special computer that's not connected to the Internet to access sensitive information".
"Since people travel, there are probably government networks or apps only accessible to officials using government-provided devices. These systems wouldn't be available to the public, and probably have built-in ways of handling classification levels," he added.
Related
Telegram ban: Which countries are clamping down on it and why?
Or, as Alito puts it, "a government-approved, end-to-end encrypted system designed specifically for classified communications. Secure platforms like the NSA's Secure Communications Interoperability Protocol (SCIP) or classified networks such as SIPRNet and JWICS are more aligned with a governmental organisation's security and encryption needs".
ADVERTISEMENT
The system should also allow for records of conversations to be kept, which ties into record-keeping laws.
"Some governments require policymakers to retain a record of their messages or emails. But Signal has features like disappearing messages. So if government officials use it, that record of communication could be lost, which may go against transparency or accountability laws," Voge said.