Security
Headlines
HeadlinesLatestCVEs

Headline

A Police App Exposed Secret Details About Raids and Suspects

SweepWizard, an app that law enforcement used to coordinate raids, left sensitive information about hundreds of police operations publicly accessible.

Wired
#vulnerability#web#android#apple#google#intel#auth

Last September, law enforcement agents from five counties in Southern California coordinated an operation to investigate, raid, and arrest more than 600 suspected sex offenders. The mission, Operation Protect the Innocent, was one of the largest such raids in years, involving ​​over 64 agencies. According to the Los Angeles Police Department, it was coordinated using a free trial of an app called SweepWizard.

The raid was hailed as a success by Chief Michael Moore of the LAPD at a press conference the following week. But there was a problem: Unbeknownst to police, SweepWizard had been leaking a trove of confidential details about the operation to the open internet.

The data, which the LAPD and partners in the regional Internet Crimes Against Children (ICAC) Task Force uploaded to SweepWizard, included private information about the suspects as well as sensitive details that, in the wrong hands, could tip off suspects as to when they were going to be raided and cast suspicion on people who had not yet been convicted of any crime.

The SweepWizard app, built by a company called ODIN Intelligence, is meant to help police manage multi-agency raids. But WIRED found that it didn’t just expose data from Operation Protect the Innocent; it had already leaked confidential details about hundreds of sweeps from dozens of departments over multiple years. The data included personally identifying information about hundreds of officers and thousands of suspects, such as geographic coordinates of suspects’ homes and the time and location of raids, demographic and contact information, and occasionally even suspects’ Social Security numbers. All this data was likely exposed due to a simple misconfiguration in the app, according to security experts.

The Los Angelese Police Department said it was unaware of the problem until WIRED reached out for comment. In a phone call, Captain Jeffery Bratcher, commanding officer of the LAPD Juvenile Division and project director for the ICAC Task Force, said the department is concerned and is taking the matter seriously. “Operational security is always paramount to us. We don’t want people to know when and if we are coming,” he says.

In a separate statement, Captain Kelly Muniz of the LAPD’s Media Relations Division, said the department has suspended the use of SweepWizard until a thorough investigation is complete. According to their statement, “the department is working with federal law enforcement to determine the source of the unauthorized release of information, which is currently unclear. At this point in the investigation, it has not been determined if the third-party application or another means is the source of the unauthorized release.”

The exposed data contained the location and names of 5,770 suspects, mostly located in California. In some instances, the data included their height, weight, and eye color and indicated whether they were experiencing homelessness. For more than 1,000 of these suspects, SweepWizard also exposed their Social Security numbers. According to the data, several of these suspects were juveniles at the time of the sweeps. Arrest records and press releases confirm that several people whose names appeared in the leaked data were arrested after the raid.

SweepWizard also appeared to have revealed the names, phone numbers, and email addresses of hundreds of law enforcement officers, as well as the operational details of nearly 200 sweeps. These details included the exact date and time of the sweep, the organizing officers, as well as information like where the pre-sweep briefings were to occur.

After verifying the data exposure, WIRED notified ODIN Intelligence, which quickly took down the app and began an investigation. After declining an interview, Erik McCauley, the CEO and founder of the company, said in a statement, “ODIN Intelligence Inc. takes security very seriously. We have and are thoroughly investigating these claims.” He added, “Thus far, we have been unable to reproduce the alleged security compromise to any ODIN system. In the event that any evidence of a compromise of ODIN or SweepWizard security has occurred, we will take appropriate action.” McCauley did not respond to specific questions about the issue.

At the time of publication, SweepWizard’s website is no longer accessible, and the app has been removed from Google Play and Apple’s App Store.

WIRED received a tip that there was a flaw in SweepWizard’s application programming interface, or API, that allowed anyone with a specific URL to retrieve confidential law enforcement data from the app. WIRED downloaded the Android version of the app from Google Play and verified that its API endpoints were in fact returning data regardless of authentication—in other words, you didn’t need to be logged in to the app to view sensitive data about years’ worth of raids and other police operations. The data could be viewed in any web browser simply by visiting a SweepWizard URL.

While the SweepWizard mobile app first launched in 2016, according to app store information, WIRED found data from sweeps going back to 2011, including more than 20 sweeps on Halloween over the years with names like Operation Boo, Operation Hocus Pocus, and Halloween Havoc. (Archived versions of the SweepWizard website date back to 2011.) The most recent data WIRED reviewed includes sensitive information about raids that took place on December 19, 2022.

It’s unclear whether all SweepWizard data was exposed ahead of scheduled raids, and ODIN Intelligence did not respond to specific questions about when the data may have been publicly accessible. However, while confirming the API vulnerability, WIRED observed that data from at least one scheduled sweep had been made public. It is also unclear whether anyone used the data SweepWizard leaked to the open web for nefarious purposes.

ODIN Intelligence advertises itself as a company that develops high-tech solutions for law enforcement that “enable our communities to be safer, better informed, more organized, and crime free.” On its website, the company claims to partner with organizations like the International Association of Chiefs of Police (details of these partnerships are not available). The IACP did not respond to a request for comment. ODIN also created a product called the Homeless Management Information System (HMIS), which according to a brochure reviewed by Vice, uses face recognition to identify people experiencing homelessness.

The company claims that its products are built by experts and secured with “state-of-the-art” security that adheres to the FBI’s Criminal Justice Information Services (CJIS) security policy for handling sensitive information. The FBI did not comment on SweepWizard’s claims of CJIS compliance. However, a policy document the agency shared with WIRED indicates that SweepWizard was likely not compliant with specific access requirements that specify who can access law enforcement information. ODIN Intelligence’s McCauley did not respond to specific questions about whether SweepWizard was CJIS-compliant.

The Yolo County District Attorney’s Office confirmed that, like the LAPD, it had used a free trial of SweepWizard during an annual sex offender sweep last November, details of which WIRED found in the exposed data. In its statement, chief deputy district attorney Jonathan Raven said that ODIN provided Yolo County with documents that explicitly stated its technology was CJIS-compliant. His office is also investigating the matter.

Ken Munro, an ethical hacker and founder of the UK-based security research firm Pen Test Partners, says that based on how we described being able to access SweepWizard data, the error was likely caused by a simple authorization oversight. While SweepWizard was taken down before he had a chance to examine the app, Munro says that, typically, when an individual logs in to a website or app, they are assigned an access token that gets checked by the app every time their device requests data from it. According to Munro, SweepWizard was likely not checking each request for these access tokens and was simply providing data to any device that asked.

“This is a bit of a basic technical oversight,” he says. “These sorts of authorization issues are not often seen in law enforcement.”

McCauley did not comment on how ODIN’s investigation concluded that a compromise had not occurred. However, after WIRED received his statement, we reviewed our methodology and findings about SweepWizard with Zach Edwards, an independent privacy and security researcher. Edwards says that WIRED’s methodology is no different than what any penetration tester would have done. He adds, “They left the front, side, and back doors open.”

Wired: Latest News

Bitfinex Hacker Gets 5 Years for $10 Billion Bitcoin Heist