The trial of Mexican drug kingpin Joaquín Guzmán, better known as El Chapo, has been underway in New York for about a month. In the last two days, the revelation of the contents of phone calls and text messages has provided some salacious details about El Chapo’s love life, and many reporters, especially for the tabloids, are focused on the content of those messages rather than the more interesting issue of how the FBI got hold of them.
The answer to that question teaches a very valuable lesson (other than don’t become a Mexican drug lord): no method of electronic communication is ever truly secure. Because as it turns out, El Chapo’s downfall was largely due to the FBI’s ability to turn his IT expert into a cooperating witness.
Encryption is only as tough as the person with the key
Every enterprise needs an IT department, and the Sinaloa Cartel is no exception. On the recommendation of Colombian drug producer Jorge Cifuentes, Guzmán hired another Colombian, Christian Rodriguez, to handle his technology needs. Rodriguez set up two important capabilities for the drug lord: a private server running a voice-over-internet-protocol system to enable telephone calls that used encrypted data instead of regular cellular transmissions, and a method of using smartphones to spy on his associates—and his wife and girlfriends.
The FBI knew El Chapo was using encrypted VoIP, and they also realized that they were simply not going to be able to break the encryption. Posing as a Russian mafioso looking for his own means of secure communication, the FBI met with Rodriguez in 2010, eventually convincing him to cooperate. Rodriguez moved the cartel’s servers from Canada to the Netherlands, and then provided the FBI with the encryption key.
This gave them access to calls Guzmán thought were beyond reach. The result was what the New York Times described as “one of the most extensive wiretaps of a criminal defendant since the Mafia boss John Gotti was secretly recorded in the Ravenite Social Club.”
But the FlexiSPY revelation is even more intriguing, and will make you never look at your phone or laptop the same way again.
Turning phones into spy devices
FlexiSPY bills itself as “the most elegant and powerful spy phone software that has ever been created.” While I’m certainly not an expert on what else is out there, the claim is probably not far off the mark. The software—which works on computers, Android phones, “jailbroken” iPhones and iPads, Nokia Symbian phones, and El Chapo’s favorite, BlackBerry—allows the installer to monitor calls and texts, track the phone’s movements, and, with the “Extreme” version, turn the phone into a listening device.
FlexiSPY markets the product as an ideal solution for parents who want to monitor their children or companies who want to monitor their employees’ use of company-owned phones and computers.
Rodriguez outfitted more than 50 phones with the software, which Guzmán used to spy on his wife, his two girlfriends, and his underlings. Once Rodriguez told the FBI about the software, the Bureau obtained a court order requiring FlexiSPY to give it access to everything El Chapo had access to. As Times reporter Alan Feuer tweeted from the courtroom, the FBI used Guzmán’s “own lust and sexual paranoia against him in order to collect the most private communications one could imagine.”
But there’s a bigger message here. Just as it’s important to remember that “there is no ‘cloud,’ there is only someone else’s computer,” there is no such thing as “security” software that cannot eventually be turned against you. Guzmán probably did not realize, and FlexiSPY is undoubtedly upset to have everyone learn, that the company has access to everything you’re using that software to do.
Privacy concerns abound these days, for good reason. Siri doesn’t live on your iPhone, and Alexa doesn’t live in that Amazon Echo in your kitchen. Everything you speak into those devices goes to a server somewhere else, where someone can eventually access it, whether legally or illegally.
Act accordingly.