During the Democratic National Convention in Chicago in August, amidst widespread protests against Israel’s actions in Gaza, an extensive security presence was notable. This included personnel from the US Capitol Police, Secret Service, Department of Homeland Security’s Homeland Security Investigations, local sheriff’s deputies, and police officers from various regions, who collectively aimed to maintain order and oversee the multitude of demonstrators. Their efforts were intensely coordinated to prevent disruptions.
While covering the predominantly peaceful protests, WIRED delved into less apparent topics, specifically the suspected use of cell site simulators, commonly known as IMSI catchers or Stingrays. These devices, controversial for their ability to mimic cell towers and harvest data from phones such as locations, call metadata, and app activity, have raised concerns about their potential deployment against demonstrators.
Equipped with sophisticated technology, including two rooted Android phones and three Wi-Fi hotspots loaded with CSS-detection software from the Electronic Frontier Foundation, our team executed an unprecedented survey of wireless signals around the DNC.
Our investigation spanned various settings including the streets where protests were rampant, the United Center, the main venue for the DNC, and social functions featuring lobbyists and political insiders. We closely monitored the environment before, during, and after these gatherings.
In this investigation, we monitored Bluetooth, Wi-Fi, and cellular signals to search for clues of cell-site simulators. Although no evidence of such technology at the DNC was discovered, our data collection revealed potential security risks for various groups including activists and police, through the signals emitted by their devices. We gathered signals from approximately 297,337 devices, some linked to police body cameras and law enforcement drones, among many consumer electronics.
Our observations noted repeated appearances of certain devices across multiple locations, exposing movement patterns of their users. Notable instances included a Chevrolet Wi-Fi hotspot traced from a law enforcement parking area to a street near a Chicago protest, a Skydio police drone over consecutive protest sites, and identical Axon police body cameras at different demonstrations.
“Surveillance technology leaves detectable traces,” stated Cooper Quintin, a senior technologist at the EFF. He highlighted the significant real-time identification of police technologies, but also pointed out the vulnerability of civilians due to the pervasive beaconing of personal devices.
The wide-reaching collection of signals is a side effect of our highly connected society and emphasizes a disturbing aspect: military, law enforcement, and civilian gadgets continuously send signals that could be captured and tracked by anyone with appropriate technology, bringing significant implications for both law enforcement and civilians, particularly in sensitive situations like elections and major protests.
WIRED initially focused on uncovering the usage of cell-site simulators due to the mystery surrounding their deployment, particularly during protests. These simulators deceive nearby mobile phones, vehicles, and other cellular-connected devices into connecting with them. They can be mounted on planes or installed on trucks.
This surveillance tool has predominantly been utilized by law enforcement to trace specific individuals’ locations. However, its nondiscriminatory nature means it also captures the IMSI numbers, unique to each SIM card, of every device that connects to it.
For many years, demonstrators have conjectured that this surveillance technology was being used against them during protests. In 2014, amidst protests in Chicago after a grand jury chose not to indict Ferguson, Missouri, police officer Darren Wilson for the fatal shooting of Michael Brown, a Black teenager, activists overheard a police discussion about collecting data from the protest organizer’s phone, leading them to suspect the presence of an IMSI-catcher.
In Illinois, law enforcement is mandated to secure a warrant for the use of cell-site simulators. Yet, as per the ACLU of Illinois, it remains uncertain whether the Chicago Police Department adheres to this requirement, with CPD legal advisors directing technicians to not maintain a log of the simulators’ application.
Similarly, federal agents, including those from Homeland Security at the DNC, are required to secure warrants before using certain surveillance devices, unless there are immediate threats to national security. A 2023 DHS Inspector General report indicated that both the Secret Service and Homeland Security Investigations sometimes failed to obtain these warrants.
As some lawmakers have tried to associate American anti-war protesters with groups like Hamas, which the US government designates as a terrorist organization, protesters fear the use of cell-site simulators against them. An unnamed anti-war protester expressed at a DNC protest, “They think we are terrorists, so they treat us like terrorists,” noting the overheating of their phone as a sign of surveillance.
For years, the EFF has developed tools to detect cell-site simulators. In 2019, they launched Crocodile Hunter, which utilizes software-defined radios to spot unusual signals from 4G towers. More recently, EFF technologists Quintin and Will Greenberg have been developing Ray Hunter, a more affordable and accessible tool aimed at identifying abnormal cellular activities.
WIRED collaborated with Quintin and Greenberg to implement Ray Hunter across three wireless hotspots during the DNC, allowing journalists to survey the area and events in Chicago to determine if the devices were connecting to cell-site simulators.
The Rayhunter software evaluates three major indicators derived from scholarly research on cell-site simulator operations. Firstly, it checks whether the connected network is attempting to downgrade to 2G, less secure compared to 4G or 5G. Secondly, it probes whether the network requires an IMSI number from the device. Lastly, Rayhunter assesses if the network requests a “null cipher,” which essentially means your phone would not utilize any encryption when communicating with the tower.
As per documentation from CSS obtained via public record inquiries, it’s noted that some CSS setups can connect through Bluetooth or Wi-Fi. In our experiment with WIRED, we utilized two rooted Android phones equipped with an app called Wigle, which records the GPS details of encountered Bluetooth, mobile, and Wi-Fi signals. Throughout this experiment, these phones did not connect to any networks or upload data externally, ensuring all data analysis occurred locally.
Our primary focus was on pinpointing MAC addresses, which are unique identifiers for network devices, and OUIs (organizationally unique identifiers), generally representing the first three bytes of a MAC address. We specifically searched for any OUIs associated with known CSS manufacturers like Harris, KeyW, Jacobs, and Digital Receiver Technology.
One notable location visited during our examination in Chicago was Union Park, where a coalition of political and community groups had organized a march advocating for the cessation of US aid to Israel.
On a Monday afternoon, a sizable crowd, though smaller than anticipated, gathered and prepared to march toward the DNC to address the severe situation in Gaza. Numerous Chicago police officers on bicycles were stationed along the planned march path to manage the situation. Additionally, Secret Service and DHS agents were present to monitor the event. The march began calmly but escalated around 4:30 pm.
A handful of protesters managed to get past the first of two security barriers around the United Center. Some demolished parts of the fence while others climbed it, confronting law enforcement behind the second fence. Authorities began taking photos of the protesters who were dismantling the barriers and a CPD helicopter hovered at about 650 feet above, as per flight data analyzed by WIRED. A CBS report later detailed 13 arrests from the initial day of the convention.
Although no suspicious cellular equipment was detected by Rayhunter, our other devices discovered three new cell towers which appeared overnight. According to our expert, Quintin, these were presumed to be “cell on wheels” or COWs, which are temporary cellular towers deployed to enhance coverage for large-scale events.
As we departed the protest, our Android device identified a Wi-Fi network named “Skydio X10-c9z2” tied to Skydio, a drone manufacturer from California widely utilized by law enforcement. A report from Wired explains that Skydio drones have been actively used in “Drone as First Responder” programs across the nation for several years. The Skydio X10 model, according to promotional materials, features multiple high-definition cameras, thermal imaging, substantial zoom abilities, and integrated AI, though the specific agency operating the drone was not verified.
CPD did not respond to WIRED’s inquiries regarding their use of the Skydio drone.
Concerns about the deployment of cell-site simulators extended beyond American borders. In 2019, the FBI claimed that Israel had installed such devices near the White House, a claim that Israel disputed. In a related vein, during 2016, demonstrators against the Dakota Access Pipeline suspected that the private security company TigerSwan was using such technology against them.
At the DNC on Tuesday, a protest was planned by Behind Enemy Lines, a self-proclaimed militant anti-imperialist group. This was to occur outside the Israeli Consulate at the Accenture Tower, approximately two miles east of the United Center. Before the event, police presence was heightened around the venue. CPD officers on bicycles were stationed along Madison Street at the entrance of the building, and the nearby plaza was used as a staging ground for more officers who were seen interacting with Secret Service and other DHS agents.
A Skydio drone, which matched the identifiers detected previously, was observed by our equipment near the Israeli consulate. However, no cell-site simulators were detected nearby.
By 7 pm, around 200 protesters had assembled outside the consulate. Following initial speeches, a push by some participants to march further led to altercations with law enforcement officials. With a significant presence of both police and media, over 50 individuals were taken into custody, including three journalists.
WIRED was unable to confirm the precise number of law enforcement officers present at the protest, and responses from CPD were still pending. Further investigations involving Bluetooth data from Android devices revealed the presence of Axon hardware, historically linked to Taser International, detectable across roughly 720 devices. Axon’s portfolio includes law enforcement technologies like Tasers, body cameras, evidence-handling systems, and more. The noted Bluetooth signals likely originated from the body cameras worn by policemen and -women at the scene.
The vulnerability of tracking Axon’s body cameras has been well-documented. Last year at the Defcon hacker conference, Alan “Nullagent” Meekins and Roger “RekcahDam” Hicks of the RFParty Bluetooth tracking platform showcased techniques for intercepting signals from such cameras, enabling them to track the locations of officers.
An Axon representative, Victoria Keough, communicated via email that certain Axon products include wireless capabilities facilitating real-time oversight of patrols and crucial occurrences. She highlighted that while Bluetooth Low Energy (BLE) and similar wireless technologies can be susceptible to external interceptions, the implementation of BLE is vital for optimal transparency in event recording, crucial for public safety. Keough mentioned that modern body cameras from their line also support a ‘airplane mode’ for use in specific tactical contexts.
WIRED’s wireless study supports the results found by Meekins and Hicks. During a six-day span at the DNC, up to 2,568 Axon devices were detected. Analyzing these signals provided insight into police locations and deployment patterns. Following an event at the Israeli consulate, our team observed a return to the park where protesters had previously bypassed barricades. Before another scheduled demonstration, police were seen blocking park access, an area designated as a “free speech zone” by the city. The tight grouping of officers around the park’s side closest to the anticipated protest route was evident on our map.
WIRED did not receive a reply from CPD when requested for a comment.
WIRED has chosen not to publish the data gathered during this investigation. This decision is partly due to potential misuse by law enforcement to track individuals at protests. “This is a recognized concern within the cybersecurity community,” notes Quintin from the EFF. “Police may be catching on to using this method to locate individuals. It wouldn’t be surprising if Bluetooth and wireless tracking become a major tool in law enforcement technology.”
A company named Latent Wireless might be leading the innovation in Wi-Fi signal surveillance for law enforcement. Established in 2019 by former police officer David Schwindt, along with computer scientists Jeff Bromberger and Peter Scott, this company crafted a Wi-Fi dongle that links to computers in patrol cars. This device passively captures and interprets metadata from Wi-Fi signals that the car encounters, matching detected MAC addresses with those of stolen or known criminal devices, or devices owned by missing persons. When a match occurs, the system notifies officers, enabling them to pinpoint the signal’s origin using a directional antenna.
In one situation described by Schwindt and Bromberger to WIRED, local police utilized Latent Wireless technology to pinpoint a suspect within an office building using just the MAC address of the employee’s device. In a separate incident, a criminal connected to a Wi-Fi network at a local coffee shop before carrying out a robbery. Utilizing the router logs of the coffee shop, the police identified the MAC address of the criminal’s device and successfully tracked its signal as they patrolled the area.
According to Schwindt and Bromberger, protecting privacy is essential for Latent Wireless. They intentionally avoid collecting data in bulk, choose not to decrypt communications, and do not keep records of the locations linked to MAC addresses unless they are marked as critical.
On a recent Wednesday evening, a large group of protesters marched toward the United Center. About half an hour into the gathering, as speakers engaged the audience, the loud sound of a Chicago Police Department helicopter’s rotors disrupted the event. The helicopter, resembling a Bell 206L-4 LongRanger IV, hovered at about 500 feet, as revealed by flight data, with its tail number, N911YY, clearly visible. Observers noticed an unusual object extending from a window of the aircraft.
Within the crowd, a man wearing a DHS vest moved around, continuously scanning the area while speaking into his cellphone. Curious about the helicopter’s activities, I approached Wali Khan, a freelance photographer, and requested him to try capturing a photo of the object protruding from the helicopter using his telephoto lens. However, the distance made it too challenging to obtain a clear image.
The helicopter hovered for around thirty minutes. Despite my efforts to obtain information from the Chicago Police Department regarding the purpose of the helicopter that evening, I have received no response. It was evident, however, that its presence was felt strongly by those on the ground. The constant drone disrupted speeches, leading several protesters to feel targeted. While some speculated that the helicopter might be equipped with a rifle, others believed it carried a camera.
Throughout our journey, none of the devices utilized by WIRED detected any hidden cell-site simulators. Nevertheless, instances like these made the surveillance incredibly apparent. “If the outcome of this situation is that activists reduce their focus on shielding themselves from IMSI catchers and instead concentrate more on defending against drones, cameras, and other known surveillance tools,” suggests Quintin, “that would be a beneficial result.”
Additional reporting by Makena Kelly