www.wired.com
151.101.194.194  Public Scan

Submitted URL: https://carahevents.carahsoft.com/go/link?l=dce568ba3b59462cb4dd4d9321ef8662&i=38cc4ef03ee547d6b1cf5d6a3db6397c
Effective URL: https://www.wired.com/story/sweepwizard-police-raids-data-exposure/
Submission: On April 12 via manual from US — Scanned from DE


Text Content

A Police App Exposed Secret Details About Raids and Suspects
Photograph: Katarzyna Bialasiewicz/Getty Images

Dhruv Mehrotra

Security
Jan 11, 2023 9:12 AM


A POLICE APP EXPOSED SECRET DETAILS ABOUT RAIDS AND SUSPECTS

SweepWizard, an app that law enforcement used to coordinate raids, left
sensitive information about hundreds of police operations publicly accessible.


Last September, law enforcement agents from five counties in Southern California
coordinated an operation to investigate, raid, and arrest more than 600
suspected sex offenders. The mission, Operation Protect the Innocent, was one of
the largest such raids in years, involving over 64 agencies. According to the
Los Angeles Police Department, it was coordinated using a free trial of an app
called SweepWizard.


The raid was hailed as a success by Chief Michael Moore of the LAPD at a press
conference the following week. But there was a problem: Unbeknownst to police,
SweepWizard had been leaking a trove of confidential details about the operation
to the open internet.  

The data, which the LAPD and partners in the regional Internet Crimes Against
Children (ICAC) Task Force uploaded to SweepWizard, included private information
about the suspects as well as sensitive details that, in the wrong hands, could
tip off suspects as to when they were going to be raided and cast suspicion on
people who had not yet been convicted of any crime. 



The SweepWizard app, built by a company called ODIN Intelligence, is meant to
help police manage multi-agency raids. But WIRED found that it didn’t just
expose data from Operation Protect the Innocent; it had already leaked
confidential details about hundreds of sweeps from dozens of departments over
multiple years. The data included personally identifying information about
hundreds of officers and thousands of suspects, such as geographic coordinates
of suspects’ homes and the time and location of raids, demographic and contact
information, and occasionally even suspects’ Social Security numbers. All this
data was likely exposed due to a simple misconfiguration in the app, according
to security experts.

The Los Angeles Police Department said it was unaware of the problem until
WIRED reached out for comment. In a phone call, Captain Jeffery Bratcher,
commanding officer of the LAPD Juvenile Division and project director for the
ICAC Task Force, said the department is concerned and is taking the matter
seriously. “Operational security is always paramount to us. We don’t want people
to know when and if we are coming,” he says. 



In a separate statement, Captain Kelly Muniz of the LAPD’s Media Relations
Division said the department has suspended the use of SweepWizard until a
thorough investigation is complete. According to their statement, “the
department is working with federal law enforcement to determine the source of
the unauthorized release of information, which is currently unclear. At this
point in the investigation, it has not been determined if the third-party
application or another means is the source of the unauthorized release.”


The exposed data contained the location and names of 5,770 suspects, mostly
located in California. In some instances, the data included their height,
weight, and eye color and indicated whether they were experiencing homelessness.
For more than 1,000 of these suspects, SweepWizard also exposed their Social
Security numbers. According to the data, several of these suspects were
juveniles at the time of the sweeps. Arrest records and press releases confirm
that several people whose names appeared in the leaked data were arrested after
the raid. 



SweepWizard also appeared to have revealed the names, phone numbers, and email
addresses of hundreds of law enforcement officers, as well as the operational
details of nearly 200 sweeps. These details included the exact date and time of
the sweep, the organizing officers, as well as information like where the
pre-sweep briefings were to occur.



After verifying the data exposure, WIRED notified ODIN Intelligence, which
quickly took down the app and began an investigation. After declining an
interview, Erik McCauley, the CEO and founder of the company, said in a
statement, “ODIN Intelligence Inc. takes security very seriously. We have and
are thoroughly investigating these claims.” He added, “Thus far, we have been
unable to reproduce the alleged security compromise to any ODIN system. In the
event that any evidence of a compromise of ODIN or SweepWizard security has
occurred, we will take appropriate action.” McCauley did not respond to specific
questions about the issue.

At the time of publication, SweepWizard’s website is no longer accessible, and
the app has been removed from Google Play and Apple’s App Store.



WIRED received a tip that there was a flaw in SweepWizard’s application
programming interface, or API, that allowed anyone with a specific URL to
retrieve confidential law enforcement data from the app. WIRED downloaded the
Android version of the app from Google Play and verified that its API endpoints
were in fact returning data regardless of authentication—in other words, you
didn’t need to be logged in to the app to view sensitive data about years’ worth
of raids and other police operations. The data could be viewed in any web
browser simply by visiting a SweepWizard URL. 

While the SweepWizard mobile app first launched in 2016, according to app store
information, WIRED found data from sweeps going back to 2011, including more
than 20 sweeps on Halloween over the years with names like Operation Boo,
Operation Hocus Pocus, and Halloween Havoc. (Archived versions of the
SweepWizard website date back to 2011.) The most recent data WIRED reviewed
includes sensitive information about raids that took place on December 19,
2022. 

It’s unclear whether all SweepWizard data was exposed ahead of scheduled raids,
and ODIN Intelligence did not respond to specific questions about when the data
may have been publicly accessible. However, while confirming the API
vulnerability, WIRED observed that data from at least one scheduled sweep had
been made public. It is also unclear whether anyone used the data SweepWizard
leaked to the open web for nefarious purposes.


ODIN Intelligence advertises itself as a company that develops high-tech
solutions for law enforcement that “enable our communities to be safer, better
informed, more organized, and crime free.” On its website, the company claims to
partner with organizations like the International Association of Chiefs of
Police (details of these partnerships are not available). The IACP did not
respond to a request for comment. ODIN also created a product called the
Homeless Management Information System (HMIS), which according to a brochure
reviewed by Vice, uses face recognition to identify people experiencing
homelessness. 

The company claims that its products are built by experts and secured with
“state-of-the-art” security that adheres to the FBI’s Criminal Justice
Information Services (CJIS) security policy for handling sensitive information.
The FBI did not comment on SweepWizard’s claims of CJIS compliance. However, a
policy document the agency shared with WIRED indicates that SweepWizard was
likely not compliant with specific access requirements that specify who can
access law enforcement information. ODIN Intelligence’s McCauley did not respond
to specific questions about whether SweepWizard was CJIS-compliant.

The Yolo County District Attorney’s Office confirmed that, like the LAPD, it had
used a free trial of SweepWizard during an annual sex offender sweep last
November, details of which WIRED found in the exposed data. In its statement,
chief deputy district attorney Jonathan Raven said that ODIN provided Yolo
County with documents that explicitly stated its technology was CJIS-compliant.
His office is also investigating the matter. 



Ken Munro, an ethical hacker and founder of the UK-based security research firm
Pen Test Partners, says that based on how we described being able to access
SweepWizard data, the error was likely caused by a simple authorization
oversight. While SweepWizard was taken down before he had a chance to examine
the app, Munro says that, typically, when an individual logs in to a website or
app, they are assigned an access token that gets checked by the app every time
their device requests data from it. According to Munro, SweepWizard was likely
not checking each request for these access tokens and was simply providing data
to any device that asked. 

“This is a bit of a basic technical oversight,” he says. “These sorts of
authorization issues are not often seen in law enforcement.”

McCauley did not comment on how ODIN’s investigation concluded that a compromise
had not occurred. However, after WIRED received his statement, we reviewed our
methodology and findings about SweepWizard with Zach Edwards, an independent
privacy and security researcher. Edwards says that WIRED’s methodology is no
different than what any penetration tester would have done. He adds, “They left
the front, side, and back doors open.” 






Dhruv Mehrotra (he/him) is an investigative data reporter for WIRED. He uses
technology to find, build, and analyze datasets for storytelling. Before joining
WIRED, he worked for the Center for Investigative Reporting and was a researcher
at New York University's Courant Institute of Mathematical Sciences. At Gizmodo,
he was on...