We Hunted Hidden Police Signals at the DNC

Using special software, WIRED investigated police surveillance at the DNC. We collected signals from nearly 300,000 devices, revealing vulnerabilities for both law enforcement and everyday citizens alike.

Wired

As thousands took to the streets during August’s Democratic National Convention in Chicago to protest Israel’s deadly assault on Gaza, a massive security operation was already underway. US Capitol Police, Secret Service, the Department of Homeland Security’s Homeland Security Investigations, sheriff’s deputies from nearby counties, and local officers from across the country had descended on Chicago and were all out in force, working to manage the crowds and ensure the event went off without any major disruptions.

Amid the headlines and the largely peaceful protests, WIRED was looking for something less visible. We were investigating reports of cell site simulators (CSS), also known as IMSI catchers or Stingrays, the name of one of the technology’s earliest devices, developed by Harris Corporation. These controversial surveillance tools mimic cell towers to trick phones into connecting with them. Activists have long worried that the devices, which can capture sensitive data such as location, call metadata, and app traffic, might be used against political activists and protesters.

Armed with a waist pack stuffed with two rooted Android phones and three Wi-Fi hot spots running CSS-detection software developed by the Electronic Frontier Foundation, a digital-rights nonprofit, we conducted a first-of-its-kind wireless survey of the signals around the DNC.

WIRED attended protests across the city, events at the United Center (where the DNC took place), and social gatherings with lobbyists, political figures, and influencers. We spent time walking the perimeter along march routes and through planned protest sites before, during, and after these events.

In the process we captured Bluetooth, Wi-Fi, and cellular signals. We then analyzed those signals looking for specific hardware identifiers and other suspicious signs that could indicate the presence of a cell-site simulator. Ultimately, we did not find any evidence that cell-site simulators were deployed at the DNC. Nevertheless, when taken together, the hundreds of thousands of data points we accumulated in Chicago reveal how the invisible signals from our devices can create vulnerabilities for activists, police, and everyone in between. Our investigation revealed signals from as many as 297,337 devices, including as many as 2,568 associated with a major police body camera manufacturer, five associated with a law enforcement drone maker, and a massive array of consumer electronics like cameras, hearing aids, internet-of-things devices, and headphones.

WIRED often observed the same devices appearing in different locations, revealing their operators’ patterns of movement. For example, a Chevrolet Wi-Fi hotspot, initially located in the law-enforcement-only parking lot of the United Center, was later found parked on a side street next to a downtown Chicago demonstration. A Wi-Fi signal from a Skydio police drone that hovered above a massive anti-war protest was detected again the next day above the Israeli consulate. And Axon police body cameras with identical hardware identifiers were detected at various protests occurring days apart.

“Surveillance technologies leave traces that can be discovered in real time,” says Cooper Quintin, a senior staff technologist at the EFF. Regardless of the specific technologies WIRED detected, Quintin notes that the ability to identify police technology in real time is significant. “Many of our devices are beaconing in ways that make it possible to track us through wireless signals,” he says. While this makes it possible to track police, Quintin says, “this makes protesters similarly vulnerable to the same types of attacks.”

The signals we collected are a byproduct of our extremely networked world and demonstrate a pervasive and unsettling reality: Military, law enforcement, and consumer devices constantly emit signals that can be intercepted and tracked by anyone with the right tools. In the context of high-stakes scenarios such as election events, gatherings of high-profile politicians and other officials, and large-scale protests, the findings have implications for law enforcement and protesters alike.

WIRED initially focused on finding cell-site simulators due to the secrecy around their use, especially at protests. Cell-site simulators work by tricking nearby phones, cars, and other devices that use cellular infrastructure into connecting to them. They can be used on planes or retrofitted onto trucks.

The dragnet surveillance tool has largely been used by law enforcement to track a specific target’s location, but due to the indiscriminate way it functions, the devices will log the IMSI (international mobile subscriber identity) numbers, unique to each SIM card, of every single device that connects to it.

For years, protesters have suspected that the surveillance technology has been deployed against them during demonstrations. In 2014, following a wave of protests in Chicago over a grand jury’s decision not to indict Ferguson, Missouri, police officer Darren Wilson for fatally shooting Michael Brown, a Black teenager, activists overheard a police officer on a scanner asking another officer if he was gathering information from the protest organizer’s phone. Protesters at the time believed this to be a sign that an IMSI-catcher was deployed.

In Illinois, local law enforcement is required to obtain a warrant to use cell-site simulators. However, according to the ACLU of Illinois, the public is not able to verify whether the Chicago Police Department complies with this law, as CPD lawyers have instructed technicians managing cell-site simulators not to keep a log of their use.

Similarly, federal agents, including those from Homeland Security at the DNC, are also required to secure warrants before deploying one of the devices, except in cases of immediate threats to national security. A 2023 DHS Inspector General report found, however, that both the Secret Service and Homeland Security Investigations did not always do so.

Given that some lawmakers have attempted to link American anti-war demonstrators to groups like Hamas, which is classified as a terrorist organization by the US government, demonstrators have been concerned that cell-site simulators will get deployed against them. “They think we are terrorists, so they treat us like terrorists,” an anti-war protester who declined to give their name told WIRED at a protest on the first day of the DNC. They say that they wouldn’t be surprised if any of the law enforcement agencies present at the DNC were using an IMSI catcher. “I feel my phone getting hot, and I know they are watching.”

For years, the EFF has been developing tools to detect cell-site simulators. In 2019, it released Crocodile Hunter, which uses software-defined radios to identify unusual activity from 4G towers in a specific area. More recently, Quintin and Will Greenberg, another staff technologist at the EFF, started working on a cheaper and more user-friendly tool called Rayhunter, designed to detect unusual cellular activity in a similar way.

WIRED worked with Quintin and Greenberg to install Rayhunter on three wireless hot spots, which allowed reporters to walk around the DNC and related events in Chicago to attempt to detect whether the devices connected to cell-site simulators.

The Rayhunter software works by detecting three key indicators based on a review of academic literature about how cell-site simulators work. First, it checks if the network you’re connected to tries to force a downgrade to 2G, which has less security than a 4G or 5G connection. Second, it detects if the network asks your device for an IMSI number. Finally, the software checks if the network requests a “null cipher,” a technical term for asking your phone not to use encryption between the phone and the tower.

According to CSS documentation obtained through public records requests, some CSS allow users to connect via Bluetooth or Wi-Fi. So alongside Rayhunter, WIRED used two rooted Android phones running an app called Wigle, which logs the GPS coordinates of Bluetooth, mobile, and Wi-Fi signals that the phone encounters. This setup enabled us to collect and store data on observed Wi-Fi and Bluetooth activity. Neither phone connected to any Wi-Fi or cellular network, nor did they upload any data to the cloud. We analyzed the data locally.

WIRED focused on identifying MAC addresses, which are unique identifiers assigned to network devices, and OUIs (organizationally unique identifiers), which are usually the first three bytes of a MAC address. We looked for any OUIs of known CSS manufacturers like Harris, KeyW, Jacobs, and Digital Receiver Technology.
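An added example (not WIRED's or the EFF's code) of the OUI check described above, applied to Wi-Fi MAC addresses. It also separates randomized (locally administered) addresses, which carry no vendor OUI and cannot be linked across sites. The watch-list OUIs, vendor names, site labels and observations are constructed placeholders, not real vendor assignments.

```python
import re
from collections import defaultdict

# Placeholder OUIs (constructed for this example, not real assignments).
WATCHLIST = {"C0:FF:EE": "vendor-a", "F4:F4:F4": "vendor-b"}

def normalize_mac(raw):
    """Return the MAC as upper-case colon-separated hex, or None if malformed."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_randomized(mac):
    """IEEE 802 locally administered bit (0x02 of the first octet).
    When set, the first three bytes are not a vendor OUI. Bluetooth LE
    signals its random addresses differently, so this is Wi-Fi only."""
    return bool(int(mac[:2], 16) & 0x02)

def summarize(observations):
    """observations: iterable of (raw_mac, site_label) pairs."""
    sites_by_mac = defaultdict(set)
    malformed = 0
    for raw, site in observations:
        mac = normalize_mac(raw)
        if mac is None:
            malformed += 1
            continue
        sites_by_mac[mac].add(site)
    randomized = {m for m in sites_by_mac if is_randomized(m)}
    static = set(sites_by_mac) - randomized
    hits = defaultdict(set)
    for mac in static:
        vendor = WATCHLIST.get(mac[:8])      # first three bytes = OUI
        if vendor:
            hits[vendor].add(mac)
    return {
        "malformed": malformed,
        "randomized": len(randomized),
        "static": len(static),
        "watchlist_hits": {v: len(m) for v, m in hits.items()},
        # A static address seen at more than one site links those sightings.
        "linkable_across_sites": sorted(
            m for m in static if len(sites_by_mac[m]) > 1),
    }

SAMPLE = [  # constructed observations
    ("c0:ff:ee:00:00:01", "site-1"),
    ("C0-FF-EE-00-00-01", "site-2"),   # same device, other notation and site
    ("c0:ff:ee:00:00:02", "site-1"),
    ("f4:f4:f4:12:34:56", "site-2"),
    ("da:a1:19:7b:3c:10", "site-1"),   # 0xDA has bit 0x02 set: randomized
    ("de:ad:be:ef:00:01", "site-2"),   # 0xDE has bit 0x02 set: randomized
    ("not-a-mac", "site-1"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A device that rotates its address is counted once per address, so distinct-MAC totals from a survey are upper bounds on the number of physical devices.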

One of our first stops in Chicago was at Union Park, where a coalition of political and community organizations had planned a march to call for an end of US aid to Israel.

On Monday afternoon, a smaller-than-expected but still massive crowd of thousands of protesters prepared to march toward the DNC to protest Israel’s deadly siege of Gaza. Hundreds of Chicago police on bicycles lined the approved route, ready to respond. Farther down the planned route, Secret Service agents and other DHS officers observed the demonstration. The march started off peacefully, but by 4:30 pm local time, tensions escalated.

A small group of protesters breached the first of two security fences around the United Center. As some tore down sections of the fence, others climbed over and faced off with law enforcement standing behind the second barrier. Police began photographing the protesters tearing down the barricades, and a CPD helicopter circled as low as 650 feet, according to publicly available flight data WIRED reviewed at the time. CBS later reported 13 arrests from the first day of the convention.

While Rayhunter didn’t pick up any suspicious cellular infrastructure, our other equipment detected three new cell towers that hadn’t been there the day before. According to Quintin, because Rayhunter did not detect any suspicious behaviors, these towers were likely “cell on wheels,” aka COWs, temporary cell towers that companies roll out to provide extra cellular coverage during large events.

Leaving the protest, our Android detected a Wi-Fi network named Skydio X10-c9z2 with a hardware identifier associated with Skydio, a California-based company that sells drones to law enforcement. Skydio equipment has been used as part of Drone as First Responder programs around the country for years. According to marketing material, the Skydio X10 is equipped with multiple high-resolution cameras, including thermal imaging, powerful zoom capabilities, and onboard AI. It’s unclear which agency the drone belongs to.

CPD did not respond to WIRED’s questions about the Skydio drone.

It wasn’t just American law enforcement we suspected may deploy cell-site simulators. In 2019, the FBI alleged that Israel had placed one near the White House—a claim Israel has denied. Similarly, in 2016, protesters opposing the Dakota Access Pipeline suspected that a private security firm, TigerSwan, had used one against them.

On Tuesday of the DNC, an unpermitted protest organized by a self-described militant anti-imperialist group called Behind Enemy Lines was scheduled to take place outside the Israeli Consulate at the Accenture Tower, located two miles east of the United Center. Hours before the planned demonstration, police had already saturated the area. CPD officers on bicycles lined both sides of Madison Street in front of the building’s entrance, while the surrounding plaza served as a staging area for additional officers, who mingled with Secret Service and other DHS personnel.

Data collected by our fanny pack detected a Skydio drone near the Israeli consulate matching the hardware identifiers we identified the previous day. WIRED detected no cell-site simulators near the Israeli consulate.

By 7 pm, approximately 200 protesters had gathered outside the consulate. After a few speeches, tensions escalated as some protesters attempted to continue marching, leading to confrontations with the officers. Outnumbered by both police and journalists, more than 50 people were arrested, including three reporters.

WIRED could not determine the exact number of officers deployed at the protest, and CPD has yet to respond to our request for comment. However, our analysis of Bluetooth signals collected from the Android devices detected hardware identifiers associated with Axon, formerly Taser International, from as many as 720 different devices. Axon develops technology for law enforcement, including Tasers, body cameras, evidence management systems, and other software. The signals we observed were most likely from body-worn cameras used by officers during the demonstration.

The trackability of Axon’s body cameras is a known vulnerability. Last year at the Defcon hacker conference, Alan “Nullagent” Meekins and Roger “RekcahDam” Hicks, cofounders of the Bluetooth tracking platform RFParty, demonstrated that their platform could decipher signals emitted by body cameras, allowing them to detect the presence and approximate position of police officers.

In an email, Axon spokesperson Victoria Keough said that some Axon products have wireless features that enable real-time monitoring of officers during patrols and critical incidents. “While BLE [Bluetooth Low Energy] and other wireless communications can be susceptible to monitoring from other nearby devices, the benefits of BLE in ensuring incidents are captured with maximum visibility are crucial to public safety,” she wrote. Keough added that the current generation body-worn cameras offer the ability to be in “airplane mode” for specific tactical situations.

WIRED’s wireless survey appears to confirm Meekins and Hicks’ findings. Over the course of six days at the DNC, we detected signals from as many as 2,568 different Axon devices. Mapping these signals reveals information about where we encountered police and how they were deployed. For instance, the day after the incident at the Israeli consulate, we returned to the park where protesters had broken through barricades on Monday. Ahead of another planned protest, we found officers blocking entry to the park, designated a “free speech zone” by the city. On a map, a chain of closely clustered circles shows how tightly officers on bikes had formed a perimeter around the side of the park facing the expected protest route.

CPD did not respond to WIRED’s request for comment.

WIRED is not publishing the data collected for this story, partially because of how law enforcement could be able to use that data to identify devices at protests. “This is a known issue within the cybersecurity community,” Quintin of the EFF says. “I think police are starting to get wise to the fact that this is a technique they can use to find people. I wouldn’t be surprised if Bluetooth and wireless tracking is the next big wave of police technology.”

A company called Latent Wireless may be a pioneer in Wi-Fi signal tracking for law enforcement. Founded in 2019 by David Schwindt, a former police officer, Jeff Bromberger, and Peter Scott, both computer scientists, the company developed a Wi-Fi dongle that connects to patrol car computers. This device passively scans and analyzes metadata from Wi-Fi signals encountered by the car and matches detected MAC addresses against a list of stolen electronics or devices linked to criminals or missing persons. If a match is found, the system alerts officers, who can then use a directional antenna to locate the signal’s source.

In one instance that Schwindt and Bromberger shared with WIRED, local police used software from Latent Wireless to locate a suspect in an office building knowing only the MAC address of the employee’s device. In another case, a robber connected to a Wi-Fi network at a local coffee shop before committing a crime. Police identified the MAC address of his device through the coffee shop’s router logs and eventually tracked him down by detecting the signal from that device as they drove around.

Schwindt and Bromberger emphasize that privacy is a priority for Latent Wireless. They avoid bulk data collection, do not attempt to decrypt traffic, and do not store the locations of observed MAC addresses unless they’re on the hot list.

On Wednesday evening, hundreds of protesters gathered for another march toward the United Center. Thirty minutes after the speakers began addressing the crowd, the thumping of a CPD helicopter’s rotors overhead interrupted them. The aircraft, a Bell 206L-4 LongRanger IV or a similar model, circled low—at 500 feet, according to flight data. Its tail number, N911YY, was clearly visible. Something appeared to protrude from a window.

Among the demonstrators, a man in a DHS vest weaved through the crowd, eyes scanning as he spoke into his phone. Curious about what the helicopter might be up to, I asked a freelance photographer, Wali Khan, to try to capture an image with his telephoto lens of whatever was sticking out of the door. Unfortunately, the helicopter was too far away to get a clear picture.

The helicopter circled for about half an hour. Despite my repeated attempts, the Chicago Police Department has yet to respond to my request for records regarding the helicopter’s mission that evening. What is clear, however, is the impact it had on those below. The hovering presence interrupted speeches, causing more than one protester I spoke with to wonder whether they were being singled out. Some people thought the officer was sticking a rifle out the window, while others assumed it was a camera.

None of WIRED’s devices picked up the hidden connections of cell-site simulators that day, or throughout the entire trip, but there were times like this when the surveillance was impossible to miss. “If what comes out of this is that activists spend less time worrying about protecting themselves from IMSI catchers and more time protecting themselves from drones, cameras, and things we know are being used,” Quintin says, “that’s a good outcome.”

Additional reporting by Makena Kelly
