A recent report from the Department of Justice Inspector General warns that several recent compromises involving “ubiquitous technical surveillance” (UTS), the distributed collection and analysis of data including call logs, phone geolocation data, and payment information, have put agents and investigations in the cross-hairs of criminals and state actors.
Per the report, “the FBI is aware of prior and ongoing UTS compromises that have impacted FBI operations, threatened the safety of its sources, and are currently being used by adversaries to challenge the United States Government on a global scale.” Some within the FBI and partner agencies like the CIA have described the threat as “existential.”
What Is UTS?
The report defines UTS as “the widespread collection of data and application of analytic methodologies for connecting people to things, events, or locations” across five data vectors: visual imagery, electronic signals, finance, travel, and online presence.
UTS has paralleled the rise of modern targeted‑advertising networks and widespread device telemetry. As the report describes, “recent advances in commercially available technologies have made it easier than ever for less-sophisticated nations and criminal enterprises to identify and exploit vulnerabilities created by UTS.”
Smart devices continuously broadcast granular device IDs, nearby connections, location pings, and browsing signals to thousands of bidders, who fuse them into advertiser profiles. While these IDs and profiles are anonymized and intended to be available only to advertisers, every vulnerable data stream reduces the information entropy of a target, and the streams can easily be strung together to pose even larger risks.
Sinaloa cartel exploits data streams from FBI agent’s mobile device
The UTS report reveals that during the FBI’s 2018 El Chapo investigation, the Sinaloa cartel employed a hacker to stake out the U.S. Embassy in Mexico City and acquire information from the cellphones of persons who may be of interest to the cartel. The hacker was able to acquire the mobile phone number of the FBI’s Assistant Legal Attaché (ALAT) and use that number to retrieve the geolocation data associated with their device. Additionally, the number allowed the attacker to retrieve the call logs of the ALAT’s phone. Later, the hacker allegedly tapped into Mexico City’s video‑surveillance network to track the ALAT’s movements across the capital and identify individuals they met. Using UTS from their phone and camera systems, the cartel was able to monitor the ALAT’s movements and meetings. The case agent reports that this intelligence was subsequently used to intimidate and, in some cases, kill informants collaborating with U.S. authorities.
While this is the only incident revealed in the publicly released version of the report, the UTS audit makes frequent mention of a redacted FBI Data Breach, which seems to have had a large impact on the UTS mitigation priorities of the agency.
UTS has become a top risk for the agency
In 2023, former FBI director Wray elevated the threat posed by UTS to a “Tier 1 Enterprise Risk.” The Sinaloa incident underscores how it has evolved into such a hazard.
Modern phones were designed to collect an incredible array of information from their owners’ environment (video, audio, GPS location, historical graphs of nearby Bluetooth and Wi-Fi devices, website cookies, app history, etc.) and feed it to sophisticated analytics ecosystems that create targeted advertising profiles. While the exact methods the cartel hacker used were not disclosed, the incident shows how even “less sophisticated” actors can stitch some of this collected data together to gain significant information on the operations of an investigation.
Particularly for secure areas, strict enforcement of existing mobile device policies can mitigate some of the tail-end risks posed by UTS. The integration of continuous radio frequency monitoring and specialized operator training can aid policy enforcement. However, the report highlights that prior efforts have limited the reach of advanced mobile-risk training programs, leaving many field agents without critical knowledge. The report concludes that more may have to be done within the FBI to counter the threats posed by UTS.
Reforms to mitigate mobile phone UTS risks
To counteract these evolving threats, government agencies must adopt a proactive, multilayered security approach. This includes rigorous auditing of mobile and wireless security practices, continuous assessment of threats, and mandatory advanced training for personnel. Cross-agency collaboration is also crucial, as it enables the sharing of threat intelligence and best practices, ensuring that mobile security defenses keep pace with technological advancements and threat evolution.
Investing in advanced security technologies, such as encrypted communication tools, secure mobile device management systems, and real-time monitoring solutions, will further strengthen defenses. Agencies should also prioritize the adoption of strict policies governing the use and management of mobile devices, ensuring sensitive data remains secure against sophisticated threats.
Furthermore, government agencies must foster partnerships with private sector security experts and researchers. These collaborations can introduce fresh perspectives and innovative solutions, enhancing overall cybersecurity resilience. Leveraging private-sector insights and technologies can help bridge existing security gaps, providing more comprehensive protection against emerging threats.
Governance still lags the threat curve
The Sinaloa cartel’s ability to exploit these gaps demonstrates the urgent need for a paradigm shift in how government agencies approach mobile security. Implementing robust wireless security protocols and investing in comprehensive training can mitigate risks and protect national interests.

