Pentagon Advisory on Signal Messenger Vulnerability The Pentagon issued a department-wide advisory concerning the Signal messaging application, citing a vulnerability exploited by Russian hacking groups. The identified weakness involves Signal’s “linked devices” feature.
Attack Vector
Threat actors, including Russian state-aligned groups, employ phishing tactics. They use malicious QR codes embedded in phishing pages or disguised links to trick users into linking their Signal accounts to an attacker-controlled device. This allows attackers to eavesdrop on encrypted conversations in real-time without breaking the underlying encryption.
Official Guidance and Context
The Pentagon memo clarified that while Signal is permitted for unclassified communications like recall exercises, it is not approved for processing or storing non-public unclassified information. Signal stated that its core security remains robust but acknowledged users were targeted by phishing, prompting them to add safeguards months ago. The advisory followed an incident where a journalist was inadvertently included in a Signal group chat discussing sensitive military plans. This exploitation technique also poses a risk to other messaging apps like WhatsApp and Telegram.