Days After the Trump National Security Team’s Signal Leak, the Pentagon Warned That Russian Hackers Are Using Phishing Attacks to Abuse Signal’s ‘Linked Devices’ Feature

NPR:

Several days after top national security officials accidentally included a reporter in a Signal chat about bombing Houthi sites in Yemen, a Pentagon-wide advisory warned against using the messaging app, even for unclassified information.

“A vulnerability has been identified in the Signal messenger application,” begins the department-wide email, dated March 18, obtained by NPR. The memo continues, “Russian professional hacking groups are employing the ‘linked devices’ features to spy on encrypted conversations.” It notes that Google has identified Russian hacking groups who are “targeting Signal Messenger to spy on persons of interest.”

It’s not a weakness in Signal’s cryptography; it’s a hole in the device-linking setup. From that Google Threat Intelligence post, published last month:

The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app’s legitimate “linked devices” feature that enables Signal to be used on multiple devices concurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim’s account to an actor-controlled Signal instance. If successful, future messages will be delivered synchronously to both the victim and the threat actor in real-time, providing a persistent means to eavesdrop on the victim’s secure conversations without the need for full-device compromise.

You’d have to be a bit of a doofus to fall for such a phishing attack if you were in a national security leadership position, but, well, our national security leadership positions are currently occupied by what the Russians call “useful idiots”.

Tuesday, 25 March 2025