ODIN Intelligence, a law enforcement technology vendor, has experienced a chain of security incidents of late. The company’s “SweepWizard” app, used to coordinate raids and manage suspect information, was recently found to be leaking sensitive data to the open internet because its backend was left unsecured. This led to a defaced website (and possibly more), as the attackers replaced the normal home page with a message claiming that they had exfiltrated and destroyed company data and blaming the company’s sloppy security.
The company had already been a magnet for controversy before the SweepWizard breach was discovered, over some of its more privacy-invasive products, including a system designed to track the location of homeless people by GPS via an app and to identify them with facial recognition technology as a condition of staying in emergency shelters.
Controversial law enforcement vendor may have had data “shredded” by hacker
The direct chain of issues that led to the defaced website began with the early January discovery of a leak in the SweepWizard app by reporters with WIRED magazine. However, it may stretch back as far as the release of the mobile app version of SweepWizard in 2016, as the reporters found operational details and personal information that they say dates back years.
SweepWizard is used when multiple law enforcement agencies coordinate raids on crime suspects, such as the Los Angeles Police Department’s “Operation Protect the Innocent” of September 2022. The WIRED reporters discovered the leak via a tip-off about information from that operation that had made it onto the open web, including the personal information of both officers and suspects (Social Security numbers for roughly one in six suspects among them) and the intelligence used to plan the operations. A follow-up investigation found that a misconfigured database had been exposing this sort of data for years, covering dozens of police departments and hundreds of similar operations.
ODIN took SweepWizard offline after being notified, and it remains unavailable for download on the major app stores at this time. However, the company’s only statements to the media thus far have indicated that it cannot replicate the “alleged security compromise” but continues to investigate. WIRED said that the vulnerability was a failure to secure API endpoints: the endpoints required no authentication, so anyone who knew (or guessed) the correct URL could retrieve private data with an ordinary web browser.
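To make the failure mode concrete, here is an added illustration (not ODIN’s code, and not from WIRED’s reporting) of an operations API that serves records to anyone who knows the URL, beside a hardened handler that authenticates the caller and then checks that the record belongs to the caller’s agency. The route, token table and records are constructed placeholders. The two probe functions are the checks a practitioner would run against such an API: hit each candidate URL with no credentials, then with one agency’s credentials, and list what comes back that should not.

```python
"""Unauthenticated API endpoint beside a hardened version, plus probes that
show which routes leak. Illustrative only: every record, token and route
below is constructed for this example and is not ODIN's code or data."""
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records keyed by operation id. Each carries the owning
# agency and a payload that must not leave that agency.
OPERATIONS = {
    "op-1001": {"agency": "agency-a", "targets": ["subject-1", "subject-2"], "ssn": ["***-**-0001"]},
    "op-1002": {"agency": "agency-b", "targets": ["subject-3"], "ssn": []},
}

# Constructed bearer tokens -> agency. A real service would validate a signed
# session or OAuth token; a static mapping stands in for that here.
TOKENS = {"tok-agency-a": "agency-a", "tok-agency-b": "agency-b"}

ROUTE = re.compile(r"^/api/operations/(?P<op_id>[\w-]+)$")


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_handler(path: str, headers: dict) -> Response:
    """The broken pattern: a valid URL is the only thing needed to read a record."""
    m = ROUTE.match(path)
    if not m:
        return Response(404)
    rec = OPERATIONS.get(m["op_id"])
    return Response(200, rec) if rec else Response(404)


def hardened_handler(path: str, headers: dict) -> Response:
    """Authenticate the caller, then authorize against the record's owner."""
    m = ROUTE.match(path)
    if not m:
        return Response(404)
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return Response(401)
    token = auth[len("Bearer "):]
    agency = None
    for known, owner in TOKENS.items():
        if hmac.compare_digest(known, token):  # constant-time compare
            agency = owner
    if agency is None:
        return Response(401)
    rec = OPERATIONS.get(m["op_id"])
    # Same 404 for "missing" and "belongs to someone else", so a caller with one
    # agency's token cannot enumerate which ids exist for other agencies.
    if rec is None or rec["agency"] != agency:
        return Response(404)
    return Response(200, rec)


def probe_unauthenticated(handler, paths):
    """Request each path with no credentials; return those that serve a record."""
    leaked = []
    for p in paths:
        r = handler(p, {})
        if r.status == 200 and r.body:
            leaked.append(p)
    return leaked


def probe_cross_tenant(handler, token, paths):
    """Request each path as one agency; return records that belong to another."""
    agency = TOKENS.get(token)
    leaked = []
    for p in paths:
        r = handler(p, {"Authorization": f"Bearer {token}"})
        if r.status == 200 and r.body and r.body["agency"] != agency:
            leaked.append(p)
    return leaked


# Sequential ids are exactly what an attacker who "hits upon" a URL would try.
CANDIDATES = [f"/api/operations/op-{n}" for n in range(1000, 1005)]

if __name__ == "__main__":
    print("no-credential leaks, vulnerable:", probe_unauthenticated(vulnerable_handler, CANDIDATES))
    print("no-credential leaks, hardened:  ", probe_unauthenticated(hardened_handler, CANDIDATES))
    print("cross-agency leaks, vulnerable: ", probe_cross_tenant(vulnerable_handler, "tok-agency-a", CANDIDATES))
    print("cross-agency leaks, hardened:   ", probe_cross_tenant(hardened_handler, "tok-agency-a", CANDIDATES))
```

Both probes matter: an endpoint can require a login and still be broken if it never checks which agency the login belongs to, which is why the hardened handler compares the record’s owner to the caller rather than stopping at the token check.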
While the SweepWizard mobile app was launched in 2016, the software had been available for computers for years before that and some of the private law enforcement information that was accessible in this way dated as far back as 2011. The full breach window remains unclear, as does the number of threat actors that may have discovered this vulnerability and made use of it.
All of this leads to the defaced website, which was discovered on January 15. The attackers defaced the main ODIN website with anti-police and open-border activism messages. The hackers said that they had additionally “shredded” all of the company’s data and backups, but it remains to be seen whether that claim is true. The intruders did appear to have access beyond ODIN’s web hosting, however, as the non-profit DDoSecrets said that it had received data exfiltrated from company servers and was processing it. If the hackers’ claims are accurate, they may have stolen data from ODIN’s separate sex offender monitoring software along with a set of AWS keys that appear to correspond to the company’s GovCloud account.
Defaced website points to hacktivism, but perpetrators unknown
The defacement appears to have been prompted by the ODIN CEO’s public dismissal of the “alleged security compromise,” but the hackers have left no clues as to who they are. Thoughts naturally turn to the “Anonymous” hacker collective when themes of social justice are invoked, and the sloganeering and fluent English would point to a Western entity of some sort. However, the collective has not taken credit, and the central “youranoncentral” Twitter account that usually publicizes such actions has not been updated since the first days of the new year.
More information is definitely needed, as this breach already has the potential to be one of the biggest and most damaging of the year if the threat actors’ access does go beyond a simple defaced website. Law enforcement personnel around the country may have had private contact information exposed, investigation suspects may have had deeply sensitive personal information leaked, and criminals may even have known about this weakness and used it to anticipate raids or identify undercover officers. At least some of the police departments involved appear to have been drawn into trying SweepWizard by some sort of free trial period offered for the mobile app.
Dr. Ilia Kolochenko, Founder/CEO and Chief Architect at ImmuniWeb, notes that this is a call for law enforcement to realize that they are a prime target for hackers and are not above cybersecurity concerns: “Third-party vendors and suppliers are actually the Achilles’ heel of law enforcement agencies. Per se, a website defacement is a low-risk security incident, mostly carrying out reputational consequences. In this case, however, there are various indicators that the website defacement may be just the tip of the iceberg of a major data breach … If law enforcement intelligence data ends up in the hands of organized crime, it may lead to tragic consequences for police officers and undercover agents. This is not to mention that years of complex and resource-consuming police investigations may be wasted and criminals eventually go unpunished. I would, however, refrain from making conclusions before ODIN Intelligence comments on the scope and nature of the incident. All law enforcement agencies that the breach could have impacted should urgently audit what kind of their data could have been stolen to understand and respond to the broad spectrum of possible implications, as well as rapidly notify concerned third parties.”
Erich Kron, security awareness advocate at KnowBe4, echoes these concerns and adds some specific advice for law enforcement agencies of all types: “Organizations that deal in sensitive information, whether it’s law enforcement-related or more typical data, need to take cybersecurity very seriously. This is especially true when a potentially significant vulnerability is reported to the organization. In addition, it’s no longer optional for organizations to not employ Data Loss Prevention (DLP) controls and to have immutable or offline backups that cannot be modified or deleted by bad actors. In addition, since email phishing is the most common method leading to data breaches, employees should be educated on the threats in an effort to build a strong, good, cybersecurity culture.”