
Encrypted Apps and the Houthi PC Small Group Chat – Lessons Learned

March 28, 2025 • ARTICLE BY Matt Clark, Managing Director for Security Operations

The recent decision by senior officials in the Trump administration to use Signal, an encrypted communications app, for discussions about a sensitive military operation has placed a massive spotlight on Signal itself, and more generally on commercial encryption platforms. A group, dubbed “Houthi PC Small Group Chat,” was created to discuss forward-looking and real-time information about missile strikes against a key Houthi leader and his associates.

While Signal turns out to have been an embarrassingly poor choice for such a sensitive discussion, the incident gives rise to some interesting lessons about the strengths and shortcomings of Signal and other encrypted messaging apps. What follows is a brief analysis of the recent incident and some guidance for those seeking to further secure their communications.

 

Human Error and Operational Security

An old security maxim goes something like “the more people that know, the less secure you are.” And that’s exactly what happened here, when a journalist was inadvertently added to a group chat that ultimately included 18 other parties. This single decision permanently and irrevocably obviated all the confidentiality protections Signal could otherwise afford.

Even if the journalist had not been invited, including 18 other chat participants dramatically increases the likelihood that a chat will be seen or shared by an unauthorized party. Keeping sensitive communications groups as small as possible limits these risks and increases the likelihood that an unauthorized party’s presence will be detected.

 

Here are the key Signal Vulnerabilities

Other key lessons from this incident can be drawn from Signal’s selection by the senior officials, from how it works, and from the mismatch between its capabilities and the security needs of the chat participants. In hindsight, it is clear they had a poor understanding of Signal’s nuances, including the inherent risks when using its text-messaging features.

There is no question that Signal is an easy way to secure your conversations. It is a free, intuitive app that works well with your native device, and we suspect it was selected for these reasons. For audio calls, RosettiStarr and other corporate security professionals still consider it to be secure. Unfortunately for the Houthi PC Small Group, their discussion was a text chat and not a call.

The problems with text messages are twofold and have been documented by the U.S. intelligence community and researchers in the private sector. The first issue comes with Signal’s ability to link a user account to multiple endpoints, i.e., mobile phones and computers. State actors have discovered ways to exploit this capability and have been documented surreptitiously gaining access to these endpoints so they can monitor the decrypted contents of encrypted chats. This is a critical security breach but does not mean Signal’s encryption has been broken.

Signal – and many other secure messaging apps – also has potential issues with data backups. In some contexts, decrypted or plaintext Signal chat histories can be backed up and stored in cloud environments. To be clear, Signal’s native backup service is encrypted, but downloaded copies of unencrypted data could migrate to a cloud environment, which may not be encrypted by default. Sensitive data should always be encrypted, including while “at rest” in all storage formats. This is why RosettiStarr suggests taking steps to limit the number of places where sensitive data is replicated.

Signal and other encrypted messaging apps offer ephemeral messaging, meaning a sender can determine how long a message will be viewable on a recipient’s device. That can be a valuable security feature over the long term but does not preclude screenshots or photos of sensitive information from being taken in the meantime. Users should also be aware that ephemeral messaging can run afoul of certain court orders, recordkeeping laws, or other regulatory requirements, and as a result should use it sparingly.

The best practice – which eluded the participants in the Houthi raid discussion – is to avoid texting extremely sensitive information over Signal.

 

Personal Devices for Business or Government Use

The final, and perhaps most alarming, aspect of this story is that many chat participants were evidently using their personal devices. The phone numbers tied to these devices are easily discoverable, rendering them vulnerable to sophisticated hacking as well as leaks of sensitive personal data through various apps or services. In the case of chat participant National Security Adviser Mike Waltz, his Venmo app settings allowed anyone to see his “friend list.” According to “Wired,” a Venmo account tied to Waltz had a 328-person, publicly viewable friend list that included White House chief of staff Susie Wiles and National Security Council staffer Walker Barrett.

More sophisticated actors could track a user’s location or introduce malicious software via targeted phishing messages. In short, the “attack surface area” of a personal communications device like an iPhone, or a Pixel or Galaxy, is exponentially greater than that of a restricted-use, secure communications device.

What You Can Do to Stay Secure

The first step in keeping your communications secure is identifying what you are trying to protect and from whom. Suppose you are trying to secure trade secrets, intellectual property, or details of an upcoming acquisition. If so, RosettiStarr can help quantify your risk and identify a proportional encryption solution. Whether you need basic encryption or a completely closed-circuit network, we can work with you to tailor a secure solution for your unique use case. We support short-term and long-term deployments and have a deep understanding of the risks associated with mobile communications domestically and abroad.
