An app used by police agencies to coordinate raids on suspects was recently discovered to contain a serious security flaw that may have exposed sensitive data from hundreds of police raids dating back to 2011.
According to experts, a technical misconfiguration in an app called SweepWizard revealed the location and names of 5,770 suspects, as well as personally identifiable information and even the Social Security numbers of some suspects.
The app, which is used by law enforcement agencies to manage multi-agency raid operations, also left exposed the identities of officers involved in the operations, including their email addresses and phone numbers, as well as information about the timing of raids and pre-raid briefings.
Although the SweepWizard mobile app first launched in 2016, its website has been around for even longer, and data was discovered from sweeps as far back as 2011.
Most recently, the LAPD used a free trial of SweepWizard to help coordinate a series of raids carried out by 64 Southern California agencies to arrest 600 sex offenders in a massive operation called Operation Protect the Innocent. It was this mission that brought attention to the security flaw in the app.
“Operational security is always paramount to us. We don’t want people to know when and if we are coming,” Captain Jeffery Bratcher, who leads the regional Internet Crimes Against Children (ICAC) Task Force and the LAPD Juvenile Division, told Wired.
In a follow-up statement, the LAPD said it had suspended use of the app and was working to address the issue.
“The department is working with federal law enforcement to determine the source of the unauthorized release of information, which is currently unclear. At this point in the investigation, it has not been determined if the third-party application or another means is the source of the unauthorized release,” said Captain Kelly Muniz of the LAPD’s Media Relations Division.
Experts said the security problem lay in the app’s API. By plugging a specific SweepWizard URL into a web browser, anyone could access private data in the app regardless of whether they were logged in.
“They left the front, side, and back doors open,” independent privacy and security researcher Zach Edwards said.
Ken Munro, founder of the U.K.-based security research firm Pen Test Partners, said the error was due to a simple authorization issue.
“This is a bit of a basic technical oversight,” he said. “These sorts of authorization issues are not often seen in law enforcement.”
ODIN Intelligence, the company that created the app, did not answer questions about when the data may first have been publicly accessible.
“ODIN Intelligence Inc. takes security very seriously. We have and are thoroughly investigating these claims,” company CEO and founder Erik McCauley said in a statement. “Thus far, we have been unable to reproduce the alleged security compromise to any ODIN system. In the event that any evidence of a compromise of ODIN or SweepWizard security has occurred, we will take appropriate action.”
Shortly after news regarding SweepWizard broke, the company’s website was hacked, defaced and taken offline. The unknown hackers left a note saying that they had “shredded” 16 GB of backups and data, apparently in response to the news of the security flaw. They leaked a huge cache of data — not only the company’s source code and internal database but also thousands of law enforcement files, including detailed tactical plans for upcoming police raids and confidential police reports with descriptions of alleged crimes and suspects, according to TechCrunch.
According to the company’s website, ODIN Intelligence develops high-tech solutions for law enforcement that “enable our communities to be safer, better informed, more organized, and crime free.” The company says its products (among them controversial software that uses facial recognition to identify and track homeless people) adhere to the FBI’s Criminal Justice Information Services (CJIS) security policy regarding the handling of sensitive information.
The FBI did not comment on this claim.