The FBI Tried to Plant a Backdoor in an Encrypted Phone Network

The FBI wanted a backdoor in Phantom Secure, an encrypted phone company that sold to members of the Sinaloa cartel, and which is linked to the alleged leaking of sensitive law enforcement information in Canada.
Image: Screenshot from Instagram of Phantom PGP

The FBI tried to force the owner of an encrypted phone company to put a backdoor in his devices, Motherboard has learned. The company involved is Phantom Secure, a firm that sold privacy-focused BlackBerry phones and which ended up catering heavily to the criminal market, including members of the Sinaloa drug cartel, formerly run by Joaquín "El Chapo" Guzmán.

The news signals some of the tactics law enforcement may use as criminals continue to leverage encrypted communications for their own ends. It also comes as Canadian media reported that a former top official in the Royal Canadian Mounted Police (RCMP), who has been charged with leaking state secrets, offered to sell information to Vincent Ramos, Phantom's CEO.

"He was given the opportunity to do significantly less time if he identified users or built in/gave backdoor access," one source who knows Ramos personally and has spoken with him about the issue after his arrest told Motherboard.

A backdoor is a general term for some form of technical measure that grants another party, in this case the FBI, surreptitious access to a computer system. What exactly the FBI was technically after is unclear, but the purpose of a backdoor was likely to monitor Phantom's clients.

Did you used to work at Phantom Secure? Did you ever buy their phones, or do you have more information about the company? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

A second source with intimate knowledge of Phantom's operations told Motherboard, "The FBI wanted a backdoor into Phantom's network." Motherboard granted several sources in this story anonymity to talk more candidly about a law enforcement investigation and internal Phantom deliberations.

Phantom was part of the secure phone industry, where companies often strip the microphone and GPS functionality from a device, add encrypted email or messaging programs, and route communications through overseas servers. In early 2018, the FBI and its partners arrested Ramos and shut down the company in a large-scale international operation. Ramos pleaded guilty to running a criminal enterprise that facilitated drug trafficking, and in May was sentenced to nine years in prison.

Phantom's clients included serious organized crime groups around the world. Court filings in Ramos' case include testimony from an unnamed convicted drug trafficker from the Sinaloa drug cartel.

A third source told Motherboard, "He never gave law enforcement a backdoor into Phantom Secure. He did not do that." When pressed on whether the FBI still asked for access, the source, who worked directly on the case, said, "Basically that's all I want to say. He did not give law enforcement a backdoor into Phantom Secure."

An FBI spokesperson told Motherboard in an email, "Unfortunately, we do not have a comment for you at this time."

One of the sources said Ramos did not have the technical knowledge to implement a backdoor, though, so the FBI asked Ramos to lure another Phantom member who could. Ramos declined, the source said.

The FBI's attempt to plant a backdoor into an encrypted phone network is an important episode in the Going Dark debate, in which law enforcement agencies say they are losing visibility into criminals' activities as groups increasingly use digital protections. The encryption used in end-to-end encrypted services is itself typically too robust to crack, so law enforcement agencies have to find a workaround. That might include hacking a device directly—the endpoint—to install message-reading malware. Or it could include trying to force a service provider to provide extra access to authorities.

The Department of Justice famously tried to compel Apple to create a custom version of its iOS operating system that would lower protections on the phone used by one of the San Bernardino terrorists, so that authorities could then attempt to brute-force the phone's passcode. The FBI also previously leaned on Microsoft to create a backdoor in its BitLocker encryption software, Mashable reported in 2013.

One key difference between Phantom and other companies such as Apple or Microsoft is that authorities say in court records that Phantom deliberately and explicitly catered to criminal behaviour, rather than just being incidental to a crime. In an undercover operation, the RCMP posed as drug traffickers and recorded Ramos saying, "We made it—we made it specifically for this [drug trafficking] too."

But Phantom Secure started as a legitimate, privacy-focused phone company.

"The idea was solely to provide a secure telecommunications system," Michael Pancer, Ramos' attorney, previously said in a phone call. "Then when individuals started to use this system to break the law, at some point it came to his [Ramos'] attention, and he has apologized to the court for allowing them to continue. But his intentions were certainly honorable when he started the network."

The FBI still gained valuable information on the Phantom network. After the FBI shut down the network, the agency briefly ran a portal that allowed customers to 'check' whether their email address was included in the list of impacted customers. It is unclear what the FBI did with any email addresses that were entered into this portal.

The FBI did obtain information that led to other high profile investigations. Ramos' arrest revealed that someone tried to sell sensitive law enforcement information to the company, Global News reported this week.

"While Ramos did not know the identity of the person allegedly brokering the RCMP information, Canadian investigators traced it to a list of suspects who had access to it," the outlet reported. That led to Cameron Ortis, a senior member of the Ottawa-based National Security Criminal Investigations unit of the RCMP. Ortis has been charged under the Security of Information Act, an espionage and foreign powers-focused piece of legislation.

The source who knows Ramos personally said, "He respected the privacy of clients whoever it was."

Update: This piece has been updated with an FBI spokesperson declining to comment.
