The Pentagon warned against using Signal in a memo just last week, according to NPR. It cited threats from Russian hackers.
The memo was delivered department-wide days before The Atlantic published a bombshell revelation that its editor-in-chief Jeffrey Goldberg had been erroneously added to a Signal group chat that involved detailed discussions of planned strikes on Houthi rebels in Yemen. Members in the Signal chat included U.S. Secretary of Defense Pete Hegseth and Vice President J.D. Vance, among others.
In its memo warning against using Signal, the Pentagon wrote, “Russian professional hacking groups are employing the ‘linked devices’ features to spy on encrypted conversations.”
As the name implies, linked devices allows Signal users to sign into their account from multiple places, and incoming and outgoing messages appear on all devices. Because Signal is end-to-end encrypted and messages are only stored locally on devices with an encryption key, the company first bundles up all of a user’s communications in an encrypted package. Then using QR codes, users can send an encryption key along to the new device:
A single encryption key sent from the primary device to the new device does the job, bootstrapping a secure connection through which we can send encrypted data. It turns out that even a simple QR code does the trick — the new linked device can display a QR code that includes all of the necessary information to bootstrap the process and send encrypted data through a secure connection. Just scan the code from your primary device to get started.
The Pentagon’s memo states that hackers are able to bypass this hurdle by creating malicious phishing pages or QR codes associated with group chats, which users can send to one another as invites. “After gaining access to the malicious code, the groups add their own device as a linked device. This allows the group to view every message sent by the unwitting user in real time, bypassing the end-to-end encryption.”
Another similar messaging app popular for private communications, Telegram, is used in both Russia and Ukraine, and has been the target of Russian hackers, with a firm that works directly with the Kremlin offering a $5 million bounty for exploits.
Signal has defended its security practices, and outlined the great lengths it has gone to prevent itself from being able to access user data. But at the end of the day, neither Signal nor end-to-end encryption technology is going to protect someone sharing classified war plans in an open group chat. It is a consumer-grade messaging app, operated by one technical organization, now being used for political communications amidst major global conflicts. It was inevitable that Signal would become a target. Governments provide secure physical rooms (commonly known as SCIFs) where classified information is discussed for a reason, and there’s also a reason why personal devices aren’t to be used in a SCIF. Consumer apps are meant to be easy and intuitive to use, and users can be targeted through means like social engineering.
White House Press Secretary Karoline Leavitt has been on the defensive trying to put out this latest fire, posting on X again on Tuesday to say that no war plans or otherwise classified materials were discussed in the chat. An investigation into how a journalist was added to the conversation remains ongoing.
Jeffrey Goldberg is well-known for his sensationalist spin. Here are the facts about his latest story:
1. No “war plans” were discussed.
2. No classified material was sent to the thread.
3. The White House Counsel’s Office has provided guidance on a number of different…
— Karoline Leavitt (@PressSec) March 25, 2025
Some have criticized Goldberg, The Atlantic’s editor, for remaining in the chat as sensitive information was being discussed. It is hard to not argue, however, that Goldberg as a journalist had an obligation to inform the public of gross incompetence at the highest levels of power. Also, if everyone else in the chat had been following the proper protocol for classified materials Goldberg wouldn’t have had a story to begin with, because he probably wouldn’t have been invited to the SCIF.
English (US) ·