By Ahmed Yussuf, ABC
For most cybersecurity experts, Signal is regarded as one of the most secure messaging apps available. Photo: NICOLAS ASFOURI
End-to-end encrypted messaging app Signal is secure for everyday use but shouldn't be used by government officials to have conversations regarding national security, cyber security experts say.
It comes after US President Donald Trump's national security team accidentally included a journalist in a group chat, which was sharing information about plans for a military operation against the Iran-aligned Houthi rebel group.
It's raised questions over the security of classified information shared by the Trump administration, and how safe it is to be sharing sensitive national security secrets on a platform such as Signal.
What is Signal?
Signal is a private messaging app that has historically prioritised security and privacy, and uses end-to-end encryption to ensure the communications of its users remain secure and untracked.
The company has previously criticised the UK government over pressure it has put on Apple to weaken its core privacy tech, which would allow it to access customers' information through a back door.
Meredith Whittaker, the president of Signal, referenced last year when the US government announced that a large number of Americans' data was stolen in a telecoms attack allegedly carried out by a Chinese hacking group dubbed "Salt Typhoon".
The attack was described as the "worst telecom hack" in the nation's history.
"How did hackers do this? They exploited 'back doors' integrated into telecommunications systems," Ms Whittaker wrote in the Financial Times.
Defence Secretary Pete Hegseth Photo: Alex Wong / Getty Images / AFP
How secure is Signal?
For most cybersecurity experts, Signal is regarded as one of the most secure messaging apps available.
Liam O'Shannessy, who is the executive director at CyberCX, has said that Signal's approach of secure messaging protocols was adopted several years ago by its competitor WhatsApp.
That's because it's possible for clever cybercriminals to figure out ways to remotely access devices which, in theory, could give them access to Signal on that device, he added.
"This is more common for Signal's desktop application, as desktop computers tend to be more easily compromised with malware than mobile phones. If you're in a group chat, it only takes one member of the group's device to be compromised," Mr O'Shannessy said.
Dr William Stoltz from the Australian National University, who specialises in cyber security, agreed.
"For example, other apps might be in place on somebody's mobile phone that could be potentially compromising the security settings of that device," he said.
Foreign intelligence services will regularly try and compromise an individual's device by putting malware in place on that device, Dr Stoltz added.
That included things such as screen mirroring, installing malware or capturing the keystrokes as someone types into their encrypted messaging app.
But in most cases, especially those not relating to national security, Mr O'Shannessy from CyberX said the most likely risk when sharing sensitive information on Signal was human error.
"[The risk] will always be the recipient and whether they might screenshot or forward - even accidentally - the information you share with them," he said.
Michael Waltz, US Vice President JD Vance (rear) and Defence Secretary Pete Hegseth. Photo: AFP / Getty Images / Andrew Harnik
Should government officials be using Signal to discuss national security?
Defence experts have said transmitting classified information on an app like Signal could be a breach of the Espionage Act.
Members of the group shared information including air-strike targets and timing. The name of an active CIA intelligence officer, usually kept confidential, was also shared.
It appeared to include cabinet secretaries and top aides, including Vice-President JD Vance, Defence Secretary Pete Hegseth and national security adviser Mike Waltz.
Strategist and retired Australian Army Major General Mick Ryan said it was very unusual and concerning to see this kind of breach of security.
"It's dangerous on multiple levels. Firstly, you risk the compromise of the operation, which ultimately puts the lives of military personnel at risk," Mr Ryan told ABC radio.
"It shows a degree of arrogance that they think these kind of conversations are secure when it's been proven that they're not. That's a problem."
What do governments usually do?
When handling classified information related to an active military operation, government officials will typically be called into what is called a Secure Compartmentalised Information Facility (SCIF), according to Dr Stoltz from the ANU.
That's because this kind of communication should take place in a physically controlled space such as inside a government building that has been screened and tested by cyber and physical security specialists.
"So the fact that these communications are happening in this kind of unsecured ways is pretty, pretty incredible," he said.
University of Melbourne's Toby Murray, who previously worked for the Department of Defence and specialises in cyber security, said there were laws governing how classified information was handled.
Professor Murray added that there were specific government-approved systems used for storing and transmitting classified information - Signal not being one of them.
"It's because classified information needs to be kept very secure. We need to make sure that it isn't going to inadvertently leak out."
But securing devices requires supply chain assurance, according to cybersecurity expert Richard Buckland from the University of New South Wales.
Professor Buckland explained governments would put in place mechanisms within the delivery of technologies such as computers and phones to ensure they were not tampered with.
"So only for certain levels of security would you ever be allowed to use anything other than one of these devices. And certainly, for all the top levels, you'd be required to use a specially secured device," he said.
- ABC
