A team of researchers found that, by not encrypting the data broadcast by Tile tags, users could be vulnerable to having their location information exposed to malicious actors.

Tile trackers, used to locate everything from lost keys to stolen pets, are used by more than 88 million people worldwide, according to Tile’s parent company, Life360. But researchers who examined the tracking technology have found design flaws that would let stalkers—or potentially the manufacturer itself—track the location of Tile users and their devices, contrary to claims the company has made about the security and privacy of its devices.

The researchers—Akshaya Kumar, Anna Raymaker, and Michael Specter of Georgia Institute of Technology—found that each tag broadcasts an unencrypted MAC address and unique ID that can be picked up by other Bluetooth devices or radio-frequency antennas in a tag’s vicinity to track the movements of the tag and its owner. The location of a tag, its MAC address, and unique ID also get sent unencrypted to Tile’s servers, where the researchers believe this information is stored in cleartext, giving Tile the ability to track the location of tags and their owners, even though the company claims it does not have this capability.

The researchers say this would give Tile the ability to conduct “mass surveillance” on its users and potentially provide that information to law enforcement and others.

The researchers also found that Tile’s anti-stalking protection can be easily undermined if a stalker enables an anti-theft feature that Tile offers with its tags. Additionally, someone could falsely frame a Tile owner for stalking by recording the unencrypted broadcasts their Tile device makes and replaying these broadcasts in the vicinity of another Tile user, making it seem like the former is stalking the latter.

The researchers reported their findings to Tile’s parent company, Life360, last November, but they say the company stopped communicating with them in February. WIRED sent Life360 an email asking for a response to the issues raised by the researchers, but a spokesperson sent a reply that did not explicitly address the problems. The email said only that the company had “made a number of improvements” since receiving the researchers’ report, without specifying what those were.

Tile sells stand-alone tags, but its tracking technology is also embedded in laptops, headphones, smartwatches, and other products made by companies like Dell, Bose, and Fitbit. The researchers reverse engineered Tile’s protocol and Android mobile app used with the Tile Mate, the company’s most popular tracker tag. They say their findings may not apply to other models of Tile tags or the Tile technology used in products made by third parties.

**How Tile Tags Work**

Tile trackers operate similarly to tracking tags made by Apple, Google, and Samsung. But Tile’s system differs in important ways. Like the others, Tile tags are battery-powered and use Bluetooth to broadcast their location to a user’s phone. Users can slip a tag into a briefcase, luggage, or vehicle, or attach it to keys, a phone, laptop, or even a pet collar to track the location of these items.

Each Tile tag broadcasts the tag’s MAC address and a unique ID, which changes periodically. If an item paired with the tag goes missing the owner, using their Tile app, can instruct the tag to emit a sound to locate it. For items farther away, the system relies on the network of phones belonging to other Tile users. These also pick up the broadcast of any Tile device near them. And since 2021, Ring cameras, Echo devices, and Tile tags have been integrated into Amazon’s Sidewalk network, meaning Ring and Echo devices can pick up the location of Tile tags as well.

Each time these devices pick up the broadcast from a Tile tag, the location, MAC address, and unique ID of that tag get sent to a Tile server where it’s stored in a database, the researchers found. The owner of a lost tag and item can then use their Tile app to query the database for their latest location. The problem, according to the researchers, lies in how Tile has implemented this system.

Tile claims that user information transmitted across its network can’t be seen by anyone. “You are the only one with the ability to see your Tile location and your device location,” the company states in its privacy policy. But the researchers found that the MAC address and unique ID that a Tile tag broadcasts is not encrypted, allowing someone in the vicinity of a tag with a Tile app on their phone or a radio frequency antenna to intercept this information as its transmitted and track the location of the tag and associated item or its owner.

Other tag makers replace the MAC address with a rotating unique ID and only transmit the ID. By changing the ID periodically, someone recording broadcasts from a tag cannot easily link multiple broadcasts to the same tag to track the movement of that tag and associated item or owner.

But because Tile’s system transmits both the MAC address and the unique ID, and does not encrypt this transmission, someone can intercept this information. Tile’s unique ID also rotates—it changes every 15 minutes if the tag is near the owner’s phone or once in 24 hours if not—but because the MAC address is static and does not change, it can be used to track a tag regardless of the changing ID. Even if Tile chose to not transmit the MAC address, the researchers say, the way Tile generates the changing ID is not secure and can still be used to track a tag.

“An attacker only needs to record one message from the device … to fingerprint it for the rest of its lifetime,” says Kumar, who says this creates a risk of systemic surveillance for anyone whose tag is caught up in a scan.

Law enforcement could potentially use this to identify anyone in an area that has a Tile tag or Tile-enabled device. And because this location information seems likely to be stored unencrypted on Tile’s server, researchers say, Tile could also track the location of tags or share this information with any third party.

“These issues transform Tile’s infrastructure into a global tracking network,” the researchers claim in a paper they wrote about their findings.

When an Apple, Google, or Samsung tag gets detected in a scan, the report that gets sent to the company servers containing the tag’s ID and location information is end-to-end encrypted so that no one can intercept the broadcasts as they’re transmitted, and the companies themselves cannot see the location information to track the movement of the tags. Only a tag owner can see this information because a key on their phone decrypts the location data on the company’s server that is associated with their tag ID.

“They have designed their system intentionally such that they aren’t able to recover your location or the location of where your items are,” says Specter. “Because they don’t want to be in the business of knowing where all people are at all times.”

**Talking Anti-Stalking**

In a study published last year, researchers measuring the misuse of Bluetooth location trackers—including devices from Apple, Tile, Samsung, and Chipolo—found that more than 40 percent of stalking victims had been tracked with Bluetooth tags hidden in their cars, purses, or backpacks.

To address this, makers of location-tracking technology have implemented solutions to alert users when a tracking device they don’t own appears to be moving with them. But the researchers say that Tile’s implementation is flawed in ways that both undermine its effectiveness and make it susceptible to being used to track the movement of other users.

Unlike other trackers—which conduct a continuous scan for trackers in a user’s vicinity that they don’t own and automatically alert the user to the presence of these trackers—Tile’s so-called Scan and Secure system has to be manually initiated by a user through the Tile app. The scan lasts only 10 minutes, and the user has to be moving around an area while the scan is in progress to detect tags that are moving with them. Users have to also remember to re-initiate scans periodically to detect any rogue devices that might be traveling with them since their last scan.

Tile’s app performs six Bluetooth scans during the 10 minutes and extracts the MAC address and unique ID from each broadcast it detects. The app then checks these addresses against a database to determine if they are paired with the phone of the person doing the scan. Any address or ID that is not paired with their phone is designated “unknown.” The app produces a report of these tags for the person to view. It also sends a message to the Tile server with all the MAC addresses and unique IDs detected during the six scans, and the number of times they appeared.

But the researchers found that the Scan and Secure feature is undermined by another feature Tile offers for preventing theft. The researchers say this anti-theft mode is unique to Tile, and the problems it presents for Tile users may be the reason.

The aim of anti-theft is to prevent would-be thieves from running a scan using a Tile mobile application to see if there is a Tile tag paired with an item they plan to steal. But when a tag owner enables anti-theft to make their tag invisible to would-be thieves, those tags also won’t be visible to someone running a scan to determine if they are being stalked with a rogue tag. This means a stalker could hide their stalking tag by putting it in anti-theft mode. A scan will still detect the tag and send its MAC address, unique ID, and location to Tile’s servers, but the tag won’t be included in the scan results that are displayed to the user who initiated the scan, effectively making potential stalking victims blind to rogue devices that may be following them.

Kumar says other makers of location trackers avoid this by not even offering anti-theft mode for their products.

“They never say, ‘Here’s a tag that can prevent your devices from being stolen.’ They say it helps recover lost devices. Anti-theft is just not a feature,” she says. “That’s a compromise that these companies are willing to make in order to have stronger anti-stalking properties.”

The researchers also say that the anti-theft mode isn’t foolproof because a user with a modified Tile app can easily circumvent it to collect and display all MAC addresses and unique IDs recorded during a scan, regardless of whether any of those tags are using anti-theft mode.

Tile believes it solves the anti-theft abuse problem by requiring that anyone who enables anti-theft mode for their tag provide a government-issued ID and live photo of their face to Tile before anti-theft mode will be enabled. Users of this mode also have to consent to a $1 million fine if they are convicted of using Tile for stalking—though the researchers point out that it’s unclear if this is enforceable.

Tile states in its terms that the identity information users provide will be shared with law enforcement if Tile believes someone has abused the feature for stalking. But the company is inconsistent about whether law enforcement needs a warrant to get this information. In a FAQ the company says it will “work with law enforcement through a properly issued court order to identify the owner of a suspicious Tile.” But in the terms for its anti-theft mode, users agree that their “personal information can and will be shared with law enforcement at our discretion, even without a subpoena” to aid investigations of suspected stalkers.

Lastly, the researchers say someone can abuse the Scan and Secure feature to frame someone else for stalking by executing a replay attack to impersonate their Tile tag. Using a radio-frequency antenna to collect the unencrypted broadcasts from another user’s tag, an attacker can extract the MAC address and unique ID from these broadcasts, and transmit that in another location. If a user conducts an anti-stalking scan in that location, they would see this MAC address and unique ID in the scan, and this information and the location of where it was scanned would be sent to Tile’s server, making it appear as if that tag was near the person who did the scan. There is no way to determine, the researchers say, if a MAC address and unique ID was emitted by a legitimate Tile device or someone maliciously replaying that information.

The researchers say many of the problems they found could be addressed simply by Tile encrypting the broadcasts from its tags, and they don’t understand why the company apparently hasn’t followed the example of its competitors.

Tile Tracking Tags Can Be Exploited by Tech-Savvy Stalkers, Researchers Say

Harry Jackson went into Kathmandu as a tourist. He ended up being one of the main international sources of news on Nepal’s Gen Z protests.

When Harry Jackson pulled his small motorcycle into Kathmandu on September 8, he had no idea the city was exploding in protests. He didn’t even know there was a curfew. People in Nepal, largely driven by Gen Z youth, had taken to the streets, and that day riots broke out when nearly two dozen people were shot and killed by authorities. In the middle of it all was Jackson, a travel vlogger riding from Thailand to the United Kingdom on his bike.

Within a day, the mass demonstrations that filled the capital would do the seemingly impossible: defy trigger-happy law enforcement, storm the grounds of parliament and set fire to the building, and oust a prime minister. Jackson, who had been documenting his journey for months on YouTube, Instagram, and other social media under the @wehatethecold channel, became one of the main ways people around the world saw what was happening in Nepal as youth-led protests toppled the government.

Anger had been simmering in Nepal for months, much of it driven by widespread corruption among politicians. Many of those politicians’ children also flaunted their wealth, often on social media. They in turn were called out online by Nepali people, and on September 4, the government banned 26 social media platforms. Protests started, and large demonstrations broke out on September 8, with police using tear gas, rubber bullets, and live ammunition on crowds of largely young demonstrators. That’s when Jackson arrived, filming his way through marches and capturing the sounds of gunshots.

Video still courtesy of @wehatethecold

Jackson had been in Nepal earlier in June but returned due to other geopolitical issues. He had planned to be in Kathmandu for a short, easy stop to get his Honda CT125 shipped for the next leg of his journey. He had been in India, trying to cross into Pakistan. But the border was closed, so he headed north to Nepal. After getting a hotel and catching up on events, he decided to tag along with some people and see the protests the next day. He’d been told it wasn’t safe for tourists but said he was willing to roll the dice, especially after having ridden his bike through some unsafe roads for weeks. On September 9 he was out among the protests for several hours, and by midafternoon decided to get back to his hotel to quickly edit the footage and get it published.

“This footage just has to go online. I was watching it back and reliving the time and thinking, wow, this is insane,” he tells WIRED. “They’re burning parliament, this is huge!”

Jackson was with crowds as they moved through narrow streets, eventually descending on the large area around the parliament building. The footage Jackson captured that day shows a mix of chaos—including hundreds fleeing gunshots—and mutual aid, with people stopping to hand out water, check in on each other, and help those hurt by tear gas. In the video, Jackson, 28, moves through the protesters, asking what the latest is, following the crowds as they get closer to the seat of power. His video took off, racking up millions of views in just hours, and it has more than 30 million views on YouTube alone.

Video still courtesy of @wehatethecold

“I have truly witnessed history, on a stupid trip from Thailand to England on a fucking moped!” Jackson shouts into the camera over the sound of chants, drums, fire, and upheaval.

Over the course of those two days, more than 70 people were killed and more than 21,000 injured. Several buildings were burned, including the parliament building and the homes of several politicians—busy shopping areas and popular neighborhood spots were left untouched, however, as Jackson’s videos show. The protests got results fast. K.P. Sharma Oli stepped down as prime minister after retaking office last summer. Nepal’s president dissolved the government and set new elections for March. Sushila Karki, a former chief justice, was named interim prime minister, in part following heavy debate and votes on the Discord messaging app, which activists had turned to regularly to communicate ahead of and during the protests.

After he started filming the protests, Jackson said in his videos and on social media that he does not consider himself a journalist, just a tourist filming what’s around him. “I don’t know what constitutes journalism and what doesn’t. I could be filming temples and asking people about temples; is that journalism? I went into this with the intention of being a YouTuber. I don’t have a journalist visa. I don’t have a journalism degree.”

Video still courtesy of @wehatethecold

As for why his videos took off, he admits that being a foreigner—specifically, a white, British one—probably played a small element in the international attention. But he put it more on him being a foreigner who was able to get up close to the events and capture dramatic footage. Jackson notes that there were plenty of local Nepali media and foreign news outlets there, but especially on September 9, many seemed to be hanging back, filming from a distance as fires raged. Jackson says that he asked many of his new Nepali friends about that dynamic. He said he was told it was in part because he showed up genuinely out of the loop, so he came into the protests without any bias or political lens, just filming the protests raw.

Since that day at parliament and after Oli was ousted, the protests have gotten attention in international media, but Jackson is surprised it hasn’t become a bigger story. He notes that other protests around the world had gotten some larger attention, but not the successful ones in Nepal. “It didn’t spread as much as it should—that was the literal collapse of a government,” he says.

Video still courtesy of @wehatethecold

The coverage that did come out, Jackson says, seemed to boil it down to singular causes, like the social media ban. “Trust Gen Z to protest—they’re without dopamine for a day,” he says sarcastically. Jackson says he had no intention of trying to speak for the people of Nepal, but from the conversations he’d had since arriving in Kathmandu, people told him that it was more about long-simmering issues over corruption that drove the organizing. He pointed to the nearly 20 people killed on September 8 as a catalyst for the escalation on the streets that led to the major government upheaval. “You know, ‘You shot 20 people, so we’re going to go harder,’” he says.

The massive surge in viewers also turned Jackson into a “weird local celebrity,” he says, bemused. In his videos since September 9, he says, people keep coming up to say hi, grab a selfie, or ask if he’s the guy from @wehatethecold. And there are the memes, both in Nepal and elsewhere. Edits of his protest videos, with Jackson running around the chaos, have spread, often with captions like “Guy goes on a holiday and ends up at a revolution.”

Video still courtesy of @wehatethecold

In the aftermath of the protest, Nepal’s new government is looking to investigate what led to the police violence earlier in September. The new prime minister set up a commission to investigate the assaults, deaths, and arsons.

Since those two chaotic days, Jackson has continued filming, using the new attention to his channels to show the people he met in Kathmandu and parts of the city that aren’t burning or surrounded by armed security forces. Shops are reopening, people are going out, and there is a positivity around the city, he says. After initially intending to get in and out of Nepal quickly for his journey, Jackson now says he’s going to stick around a little longer. He wants to show what’s going on in Nepal after the chaos from his first videos in the country, and some of the connections he has made since coming back have opened up new opportunities for what kind of places he can visit.

Video still courtesy of @wehatethecold

“I haven't had any bad experiences,” he says. “And it was kind of my duty to do that, to keep filing. They’ve helped me so much.”

How a Travel YouTuber Captured Nepal’s Revolution for the World

Plus: A ransomeware gang steals data on 8,000 preschoolers, Microsoft blocks Israel’s military from using its cloud for surveillance, call-recording app Neon hits pause over security holes, and more.

New research released this week shows that over the past few years the US Department of Homeland Security has collected DNA data of nearly 2,000 US citizens. The activity raises questions about legality and oversight given that DHS has been putting the information into an FBI crime database. Some of the genetic data is from US citizens as young as 14.

The US Secret Service said on Tuesday that it had discovered facilities across the “New York tristate area” running so-called SIM servers—devices that manage and coordinate 100,000 SIM cards at a time for illicit operations. The Secret Service warned, though, that in addition to being used by cybercriminals for scamming, the apparatuses could also be used to launch critical infrastructure attacks that could disrupt mobile networks.

A cyberattack on the UK-based automaker Jaguar Land Rover has been causing a supply chain meltdown, halting vehicle production, costing JLR tens of millions of dollars, and forcing its parts suppliers to lay off workers. The beleaguered company will have to shoulder the full cost of the attack because of inadequate insurance coverage, prompting talks of possible UK government assistance.

If you’re worried about phone searches while traveling or doing specific activities, the password manager known as 1Password has a Travel Mode feature that can help you manage sensitive data and temporarily remove it from your device. We’ve got advice on how to use the tool most effectively.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

An app used to out those who spoke ill of the murdered right-wing activist Charlie Kirk was found to be leaking its users’ personal information, doxing the very people it had invited to dox its targets.

The app Cancel the Hate, founded in the wake of Kirk’s September 10 assassination, suspended its services this week after it was revealed that security flaws in the website where the app was hosted exposed users’ email addresses and phone numbers. That site had asked its users to collect and share employment and other personal information of critics of Kirk and others “supporting political violence.” But a security researcher who identified themselves only as BobDaHacker demonstrated to news outlet Straight Arrow News that privacy settings on the site didn’t work as advertised, publicly leaking users’ information even when it was set to private. The hacker also reportedly had the ability to delete users’ accounts at will.

Cancel the Hate, which displayed a photo of Kirk on its homepage and was founded by a Kirk supporter who cited his death as the motivation for creating the site, has since taken down its reporting features. It now displays a message on its homepage that it’s moving to a “new service provider.” The page that allows visitors to buy a $23 T-shirt remains online.

**Ransomware Hackers Steal Kids’ Personal Info and Photos in Preschool Breach**

Ransomware groups continued to plumb the depths of abject immorality this week with a new tactic: extorting preschools by stealing toddlers’ personal information and threatening their parents. The BBC reports that a hacker group says it has stolen the names, addresses, and photos of around 8,000 children from the preschool chain Kido, which has sites largely around London but also in the US and India. The hackers are threatening to leak the data if a ransom isn’t paid, going so far as to contact some of the children’s parents to reinforce their threat. The group has also posted sample information and photos of 10 children on their dark-web site.

**Microsoft Blocks Israeli Military From Using Cloud Services for Surveillance**

In August, The Guardian, Israeli-Palestinian publication +972 Magazine, and Hebrew-language publication Local Call revealed how Israeli signals intelligence agency Unit 8200 had built a comprehensive surveillance system to intercept and store Palestinian phone calls. More than “a million calls an hour” could be collected by the system, which reportedly amassed around 8,000 terabytes of call data and stored it in Microsoft’s Azure cloud service in the Netherlands, the publications reported.

This week, following an external investigation commissioned by Microsoft, the company pulled some of the Israeli military’s access to its technology. In a statement, Microsoft president Brad Smith said the firm has taken the decision to “cease and disable” some “specific cloud storage and AI services and technologies” that it was providing to Israeli forces. Microsoft’s action—its investigation is still ongoing—follows a wave of staff protests at its ties to Israel and its ongoing war in Gaza. “We do not provide technology to facilitate mass surveillance of civilians. We have applied this principle in every country around the world, and we have insisted on it repeatedly for more than two decades,” Smith wrote in a statement.

However, while Microsoft has pulled some of the services it provides, The Guardian reports that the surveillance data was likely moved days after its initial investigation was published. Sources told the publication that Unit 8200 was planning to move the data to Amazon’s cloud storage, and move it outside of the European Union, which has strong data protection laws.

**Call-Recording App Neon Pauses Service Over Security Holes**

This week, call-recording app Neon has raced up the free iPhone app charts. But far from being an app for personal use, Neon is one the latest efforts to collect training data for generative AI systems. The startup claims it will sell your call recordings to AI companies and pay you up to $30 per day for the data, raising more than a few privacy and ethics questions.

However, after probing the app, reporters at TechCrunch found that it was possible for “anyone to access the phone numbers, call recordings, and transcripts of any other user” due to security holes in its setup. The app’s creator “temporarily” paused Neon’s operations after TechCrunch got in touch. “Your data privacy is our number one priority, and we want to make sure it is fully secure even during this period of rapid growth,” Neon founder Alex Kiam said in an email to the app’s users, adding “extra layers of security” would be added in the future.

**Chinese Hackers Have a Stealthy New Backdoor to Help Them Steal Data**

For decades, China’s hackers have been breaking into companies around the world and stealing data and intellectual property. Over the past few months, they’ve been using a stealthy new backdoor as part of their hacking operations, Google’s security firm Mandiant reported this week. The malware campaign, dubbed Brickstorm, is linked to the Chinese hacking group UNC5221, Mandiant says, and the company first spotted it being used in March against legal companies, software-as-a-service firms, and tech companies.

“It’s very hard to detect them and to investigate them,” Google threat researcher Austin Larsen told Cyberscoop, and the hackers have been seen to have access to systems for more than 400 days. “These intrusions are conducted with a particular focus on maintaining long-term stealthy access by deploying backdoors on appliances that do not support traditional endpoint detection and response (EDR) tools,” the company wrote in a brief about Brickstorm.

**Crypto Stablecoins Are Helping Russia Evade Sanctions and Interfere in Moldova’s Election**

The A7 group, cofounded by Moldovan fugitive politician and Vladimir Putin ally Ilan Shor, has long been suspected of serving as a vehicle for cryptocurrency-based sanctions evasion. A new leak of internal communications from the company shows the scale of that alleged sanctions circumvention and also spells out how the company, half-owned by Russian state banks, has facilitated Russian interference in Moldovan politics ahead of its election on Sunday. Crypto-tracing firm Elliptic found references to crypto addresses in the leak that allowed it to track nearly $8 billion in payments of crypto stablecoins to the company, including Tether and A7’s own ruble-backed stablecoin A7A5. Most of that money likely passed through A7, says Elliptic’s founder Tom Robinson, and was used to carry out international deals that would otherwise have been blocked by the West’s sanctions on Russia following its 2022 full-scale invasion of Ukraine. But Robinson says some portion of the money has also been used to interfere in Moldovan politics, such as an app called Taito that Moldovan police say was used for illegal campaign financing and bribery of voters.

An App Used to Dox Charlie Kirk Critics Doxed Its Own Users Instead

Companies are going to great lengths to protect the infrastructure that provides the backbone of the world’s digital services—by burying their data deep underground.

Inside the Nuclear Bunkers, Mines, and Mountains Being Retrofitted as Data Centers

By inflating numbers and narrowing definitions, Heritage promotes a false link between transgender identity and violence in its push for the FBI to create a new terrorism category.

In the wake of Charlie Kirk’s killing, the Republican policy apparatus went immediately to work. The Heritage Foundation, which published Project 2025, and its spinoff, the Oversight Project, issued a call for the Federal Bureau of Investigation to designate “Transgender Ideology-Inspired Violent Extremism,” or TIVE, as a domestic terrorism threat category. The push comes as President Donald Trump just signed an executive order that seeks to mobilize federal law enforcement against vaguely defined domestic terror networks.

The Heritage Foundation and Oversight Project document, which defines “transgender ideology” as “a belief that wholly or partially rejects fundamental science about human sex being biologically determined before birth, binary, and immutable," grounds its policy recommendations in a startling claim: “Experts estimate that 50% of all major (non-gang related) school shootings since 2015 have involved or likely involved transgender ideology.”

When WIRED asked for the data behind this claim, the Oversight Project did not respond; the Heritage Foundation pointed to a tweet from one of its vice presidents, Roger Severino, claiming that “50% of major (non-gang) school shootings since 2015” involve a transgender shooter or trans-related motive. Severino also lays out what appears to be his entire dataset: eight shootings, four of which, he claims, involve “a trans-identifying shooter and/or a likely trans-ideology related motivation.”

The data tell a different story.

Since 2015, at least four dozen shootings have taken place on school grounds, according to data from the K-12 School Shooting Database, which has tracked every incident involving a gun on school grounds since 1966. Only three perpetrators in the database—the 2019 shooter at STEM School Highlands Ranch in Colorado and the Covenant School shooter in Nashville in 2023 among them—have been credibly identified in public reporting as transgender or undergoing gender-affirming care. Nashville police concluded the shooter there was not motivated by a clear political or ideological agenda, but prioritized notoriety and infamy. In Colorado, investigators say one of the shooters, a transgender boy, cited bullying and long-standing mental health struggles as motivations.

In an August shooting, a 23-year-old individual opened fire outside Annunciation Catholic Church in Minneapolis. The shooter had legally changed their name and written about conflict over gender identity, but there is no public evidence they consistently identified as transgender, making classification uncertain. Police say the attack was fueled by hostility toward Jews, Christians, and minorities, along with a quest for notoriety. Prosecutors added the animus was sweeping, saying the shooter “expressed hate towards almost every group imaginable.”

The K-12 database, the most comprehensive of its kind, does not include gender data for about 12.5 percent of school shooters since 2015, which only makes it more difficult to draw firm conclusions about broader patterns.

Other mass shootings at schools, including Parkland in 2018 and Uvalde in 2022, were carried out by young men with histories of grievance, misogyny, or violent ideation. None were tied to “transgender ideology.”

The larger pattern, researchers say, points in the opposite direction: White supremacist, anti-government, and misogynist beliefs account for the lion’s share of ideologically motivated gun violence. Targeting “transgender ideology” as a terrorism category, they warn, confuses identity with ideology, risks licensing violence against anyone who defies gender norms, and shifts attention away from the real drivers of schoolyard violence.

“There are no legitimate studies that suggest that a majority of school shootings since 2015 involve trangender people,” said Rachel Carroll Rivas and R. G. Cravens of the Southern Poverty Law Center’s Intelligence Project in an email. “Trans people are far more likely to be victimized by gun violence than to perpetrate it.”

The FBI defines a “mass shooting” as an incident in which four or more victims are killed by gunfire, not including the shooter or shooters. However, other less restrictive definitions are more widely accepted. The Gun Violence Archive, which has tracked gun violence in the US since 2013, includes incidents in which four or more victims are killed or injured in its “mass shooting” definition. There is no consensus on the definition of a “major” shooting, as described by the Heritage Foundation’s Severino.

Severino did not immediately respond to a request for comment.

According to a WIRED analysis of data provided by data scientist David Riedman, creator of the K-12 School Shooting Database, there have been 48 school shootings with four or more victims—injured or killed—since the start of 2015. (Just six of those meet the FBI’s definition of a mass shooting.) Of the 48 shootings, 45 have no known connection to gang activity. Three were by shooters identified in public reporting as being or having been transgender or having undergone gender-affirming care. Six of the 48 shootings since 2015 do not list the gender of the shooter, primarily because their identity was unknown to authorities.

There have been 74 total active school shooter incidents since 2015; of those, three of the perpetrators have identified as transgender, according to Riedman’s data. Data collected by the Gun Violence Archive shows that there were 5,748 mass shootings at any location in the US between January 1, 2013, and September 15, 2025; of those, five of the shooters identified as transgender people, nonbinary, or having undergone gender-affirming care—less than 0.087 percent.

In other words, Heritage’s “50 percent” claim is not just unsupported, it appears misleading by design, arbitrary in scope, and unscientific at its core.

“A methodology that limits the pool of potential observations in this way suggests researchers have a predetermined outcome in mind,” Cravens and Carroll Rivas say. “It's a method that suggests the researchers are committing an error called selecting on the dependent variable—choosing a sample that ensures the study will produce the desired outcome. In combination with the use of ‘trans ideology,’ this suggests that the desired outcome is the further scapegoating and demonization of transgender people.”

Heritage reaches its 50 percent figure by shrinking the universe of school shootings to a hand-picked few. Severino first rules out incidents rooted in crime, personal disputes, or workplace grievances. He then defines “major” school shootings as those he says are intended to “send a public message.” Applying those filters, Heritage crops down decades’ worth of incidents into fewer than 10 cases—a sample small enough that even a few shooters with one or two shared traits can be made to look like half. Broader databases, which count school shootings by more consistent criteria, show dozens of incidents each year and make clear that Heritage’s figures rest on a frame built to exaggerate, not measure—to reflect a narrative, not reality.

The Heritage Foundation did not respond to questions about the discrepancies between Severino’s conclusions and those of other researchers.

Experts say Heritage's push not only distorts the data but also diverts attention from the extremist movements actually driving violence: nihilistic violent extremist networks, accelerationist neo-fascist movements, and lone actors motivated by any number of far-right culture war grievances. Jonathan Lewis, a researcher at George Washington University’s Program on Extremism, tells WIRED: “There is no academic publication I am aware of which has found any causal relationship between an individual’s gender identity and their radicalization or mobilization, nor which establishes any basis for such an argument.”

“Any definitional framework that only includes eight of the hundreds of school shootings in the last decade,” he adds, “is certainly of questionable analytic value.”

Civil rights advocates see the proposal and Trump’s executive order as working hand in hand—moves that redefine political opposition as extremism and open the door to targeting marginalized communities. “Today we saw this administration’s latest attempt to divide, scare, and intimidate those who work to advance freedom and equality,” says Kelley Robinson, president of the Human Rights Campaign. She called the effort to label opponents as extremists “dangerous, unconstitutional, and un-American,” and part of a broader escalation by the administration to turn people’s identity into suspicious characteristics and grounds for targeting.

The timing is also notable, as federal resources for countering domestic terrorism are being steadily cut back.

The FBI has consistently diverted resources away from domestic terrorism investigations this year, pulling staff from specialized units and discounting tools long used to track extremist cases. By May, agents in field offices had been ordered to devote at least a third of their time to immigration enforcement instead, moving national security specialists into work far outside the bureau’s traditional role. Some counterterrorism agents were abruptly recalled to their posts after a US strike on Iranian nuclear facilities—a reversal that only underscored the chaos created by constant shifts in priorities.

The administration previously gutted tens of millions of dollars from federal terrorism-prevention grants at the same time, shuttering key programs at the Department of Homeland Security’s Center for Prevention Programs and Partnerships. Senator Dick Durbin, the ranking member of the Senate Judiciary Committee, called it a “broad institutional pullback” from investigating domestic terrorism, even as, he noted, “experts continue to warn about intensifying danger.”

Other experts say the retreat amounts to abandoning the fight against homegrown extremism altogether—at one of the worst possible moments.

The Heritage Foundation, whose Project 2025 policy recommendations have been widely adopted by the Trump administration, is urging the FBI to create the “TIVE” terrorism designation amid increasingly fervent anti-trans propaganda from right-wing groups.

A super PAC associated with the American Principles Project, a socially conservative group often aligned with Heritage on cultural and transgender policy, has rolled out aggressive campaign ads this week targeting, for example, US representative Mikie Sherrill, a Democrat of New Jersey, over her support for transgender rights. The spot portrays Sherrill’s positions, and trans people, in lurid, grotesque terms—a hallmark of APP’s approach in recent years as it seeks to turn transgender issues into a wedge in congressional races.

The group, led by Terry Schilling, has made opposition to trans rights central to its political strategy, running provocative ads in multiple states with the aim of stirring backlash among voters who reject transgender people’s right to exist. It did not immediately respond to a request for comment.

Heritage Foundation Uses Bogus Stat to Push a Trans Terrorism Classification

The agency says it found a network of some 300 servers and 100,000 SIM cards—enough to knock out cell service in the NYC area. Experts say it mirrors facilities typically used for cybercrime.

The recent discovery of a sprawling SIM farm operation in the New York City area has revealed how these facilities, typically used by cybercriminals to flood phones with spam calls and texts, have grown large enough that the US government is warning it could have been used not just for crime, but large-scale disruption of critical infrastructure.

On Tuesday morning, the US Secret Service revealed that it had found a collection of facilities across the “New York tristate area” holding more than 100,000 SIM cards housed in “SIM servers,” devices that allow them to be managed and operated simultaneously. Due to the sheer scale of the infrastructure of this single SIM farm—and the fact that it reportedly came onto the Secret Service’s radar after it was exploited in “swatting” attacks that targeted US members of Congress around Christmas of 2023—the agency has warned that the operation, which has been at least partially dismantled, posed a serious threat of a disruptive attack on cellular service.

Given the number of SIM cards all under the control of a single operation, it could have “disabled cell phone towers and essentially shut down the cell phone network in New York City,” according to Matt McCool, the special agent in charge of the Secret Service New York field office.

“This network could be used to overwhelm cell towers,” according to a law enforcement source familiar with the Secret Service’s investigation, who asked not to be named due to the sensitivity of the ongoing investigation. “To give you an idea of capacity for disruption, this network could be used to send approximately 30 million text messages per minute, meaning it could anonymously text the entire United States in around 12 minutes.”

The source tells WIRED that the Secret Service has confirmed that the SIM farm was used by organized crime, nation-state threat actors, and other individuals known to law enforcement.

Photos of “SIM blocks” discovered by Secret Service agents. These devices can connect around a hundred SIM cards simultaneously.

Courtesy of The U.S. Secret Service

The Secret Service’s Advanced Threat Interdiction Unit seized the equipment found in the SIM farm sites, which the agency described as all being within 35 miles of midtown Manhattan. The Secret Service says its investigation is ongoing as it combs through the calling and texting records of the massive collection of SIMs. No arrests have been made, according to the law enforcement source. In its announcement of the bust, the Secret Service noted that it acted now to head off any potential use of the SIM operation to target the United Nations General Assembly in Manhattan this week—though it didn’t offer any evidence to suggest that was the operation’s intent.

“Given the timing, location and potential for significant disruption to New York telecommunications posed by these devices, the agency moved quickly to disrupt this network,” reads a statement from the agency.

Despite speculation in some reporting about SIM farm operation that suggests it was created by a foreign state such as Russia or China and used for espionage, it’s far more likely that the operation’s central focus was scams and other profit-motivated forms of cybercrime, says Ben Coon, who leads intelligence at the cybersecurity firm Unit 221b and has carried out multiple investigations into SIM farms. “The disruption of cell services is possible, flooding the network to the degree that it couldn’t take any more traffic,” Coon says. “My gut is telling me there was some type of fraud involved here.”

In this case, according to a CNN report on the Secret Service’s investigation, the agency got onto the trail of the New York area SIM farm after it was used in a pair of swatting incidents around Christmas Day in 2023 that targeted congresswoman Marjorie Taylor Greene and US senator Rick Scott. Those incidents appear to have been tied to a pair of Romanian men, Thomasz Szabo and Nemanja Radovanovic, who were working with the American serial swatter Alan Filion, also known as Torswats.

Though all three men have since been convicted on swatting-related charges, the Secret Service’s McCool noted in his statement that the agency’s investigation followed “telecommunications-related imminent threats directed towards senior US government officials this spring.”

MobileX SIM card packages discovered by the US Secret Service.

Courtesy of The U.S. Secret Service

The phenomenon of SIM farms, even at the scale found in this instance around New York, is far from new. Cybercriminals have long used the massive collections of centrally operated SIM cards for everything from spam to swatting to fake account creation and fraudulent engagement with social media or advertising campaigns. The SIM cards are typically housed in so-called SIM boxes that can control more than a hundred cards at a time, which are in turn connected to servers that can then control thousands of SIMs each.

SIM farms allow “bulk messaging at a speed and volume that would be impossible for an individual user,” one telecoms industry source, who asked not to be named due to the sensitivity of the Secret Service’s investigation, told WIRED. “The technology behind these farms makes them highly flexible—SIMs can be rotated to bypass detection systems, traffic can be geographically masked, and accounts can be made to look like they’re coming from genuine users.”

The telecom industry source adds that the images of SIM servers and boxes published by the Secret Service indicate a “really organized” criminal operation may have been behind the setup. “This means that there is great intelligence and significant resources behind it,” the person added.

The SIM farm found by the Secret Service, Unit 221b’s Coon says, isn’t the biggest operation he’s learned of in the US. But it’s the most concentrated in such a small single geographic area. SIM boxes, he notes, are illegal in the US, and the hundreds of them found in the Secret Service’s investigation must have been smuggled into the US. In one case he was involved in, Coon says, the boxes were imported from China, disguised as audio amplifiers.

The “clean, tidy racks” of equipment in a well-lit room shows that the operation may be well-organized and professional, says Cathal Mc Daid, VP of technology at telecommunication and cybersecurity firm Enea. Photos released by the Secret Service show multiple racks of telecom equipment neatly set up, with individual pieces of tech numbered and labeled, plus cables on the floor being covered and protected with tape. Each SIM box, Mc Daid says, appears to include around 256 ports and associated modems. “This looks more professional than many of the SIM farms you see,” says Mc Daid.

Mc Daid notes, however, that he’s tracked similar operations discovered in Ukraine—some of which have been as large or even larger than the one revealed on Tuesday by the Secret Service. Over the course of the last few years, law enforcement officials in Ukraine have discovered tens of thousands of SIM cards being used in SIM farms allegedly set up by Russian actors. In one case in 2023, around 150,000 SIM cards were reportedly found. These SIM farms have been used to operate fake social media profiles that can spread disinformation and propaganda.

Additional equipment found in the New York–area SIM farm sites.

Courtesy of The U.S. Secret Service

In one photo released by the Secret Service, packaging from hundreds of SIM cards belonging to telecom service MobileX is visible. “We are aware of recent reports that MobileX SIM cards, along with those of other providers, were recovered during a federal investigation,” Peter Adderton, the CEO and founder of MobileX, says in a statement. “Our platform is designed to be easy to use and cost-effective, qualities that unfortunately can also attract occasional bad actors.” Adderton adds that MobileX is prepared to work with law enforcement and has systems in place to shut down suspicious activity.

Since SIM farms are typically used for indiscriminate fraud rather than swatting or other more disruptive threats, the unusual use of this particular SIM farm to swat US officials was likely the source of its downfall, notes Allison Nixon, the chief research officer for Unit 221b. “Swatters are also fraudsters, so they know how to use criminal proxy services. The owners of criminal proxy infrastructure make significant investments predicated on the idea that arrest rates for cybercrime are low,” Nixon says. “But they fail to anticipate the fact that cybercrime, allowed to fester, always leads to terrorism. So the first time the feds see this, the operation is already massive.”

‘SIM Farms’ Are a Spam Plague. A Giant One in New York Threatened US Infrastructure, Feds Say

Newly released data shows Customs and Border Protection funneled the DNA of nearly 2,000 US citizens—some as young as 14—into an FBI crime database, raising alarms about oversight and legality.

For years, Customs and Border Protection agents have been quietly harvesting DNA from American citizens, including minors, and funneling the samples into an FBI crime database, government data shows. This expansion of genetic surveillance was never authorized by Congress for citizens, children, or civil detainees.

According to newly released government data analyzed by Georgetown Law’s Center on Privacy & Technology, the Department of Homeland Security, which oversees CBP, collected the DNA of nearly 2,000 US citizens between 2020 and 2024 and had it sent to CODIS, the FBI’s nationwide system for policing investigations. An estimated 95 were minors, some as young as 14. The entries also include travelers never charged with a crime and dozens of cases where agents left the “charges” field blank. In other files, officers invoked civil penalties as justification for swabs that federal law reserves for criminal arrests.

The findings appear to point to a program running outside the bounds of statute or oversight, experts say, with CBP officers exercising broad discretion to capture genetic material from Americans and have it funneled into a law-enforcement database designed in part for convicted offenders. Critics warn that anyone added to the database could endure heightened scrutiny by US law enforcement for life.

“Those spreadsheets tell a chilling story,” Stevie Glaberson, director of research and advocacy at Georgetown’s Center on Privacy & Technology, tells WIRED. “They show DNA taken from people as young as 4 and as old as 93—and, as our new analysis found, they also show CBP flagrantly violating the law by taking DNA from citizens without justification.”

DHS did not respond to a request for comment.

For more than two decades, the FBI’s Combined DNA Index System, or CODIS, has been billed as a tool for violent crime investigations. But under both recent policy changes and the Trump administration’s immigration agenda, the system has become a catchall repository for genetic material collected far outside the criminal justice system.

One of the sharpest revelations came from DHS data released earlier this year showing that CBP and Immigrations and Customs Enforcement have been systematically funneling cheek swabs from immigrants—and, in many cases, US citizens—into CODIS. What was once a program aimed at convicted offenders now sweeps in children at the border, families questioned at airports, and people held on civil—not criminal—grounds. WIRED previously reported that DNA from minors as young as 4 had ended up in the FBI’s database, alongside elderly people in their nineties, with little indication of how or why the samples were taken.

The scale is staggering. According to Georgetown researchers, DHS has contributed roughly 2.6 million profiles to CODIS since 2020—far above earlier projections and a surge that has reshaped the database. By December 2024, CODIS’s “detainee” index contained over 2.3 million profiles; by April 2025, the figure had already climbed to more than 2.6 million. Nearly all of these samples—97 percent—were collected under civil, not criminal, authority. At the current pace, according to Georgetown Law’s estimates, which are based on DHS projections, Homeland Security files alone could account for one-third of CODIS by 2034.

The expansion has been driven by specific legal and bureaucratic levers. Foremost was an April 2020 Justice Department rule that revoked a long-standing waiver allowing DHS to skip DNA collection from immigration detainees, effectively green-lighting mass sampling. Later that summer, the FBI signed off on rules that let police booking stations run arrestee cheek swabs through Rapid DNA machines—automated devices that can spit out CODIS-ready profiles in under two hours.

The strain of the changes became apparent in subsequent years. Former FBI director Christopher Wray warned during Senate testimony in 2023 that the flood of DNA samples from DHS threatened to overwhelm the bureau’s systems. The 2020 rule change, he said, had pushed the FBI from a historic average of a few thousand monthly submissions to 92,000 per month—over 10 times its traditional intake. The surge, he cautioned, had created a backlog of roughly 650,000 unprocessed kits, raising the risk that people detained by DHS could be released before DNA checks produced investigative leads.

Under Trump’s renewed executive order on border enforcement, signed in January 2025, DHS agencies were instructed to deploy “any available technologies” to verify family ties and identity, a directive that explicitly covers genetic testing. This month, federal officials announced they were soliciting new bids to install Rapid DNA at local booking facilities around the country, with combined awards of up to $3 million available.

“The Department of Homeland Security has been piloting a secret DNA collection program of American citizens since 2020. Now, the training wheels have come off,” said Anthony Enriquez, vice president of advocacy at Robert F. Kennedy Human Rights. “In 2025, Congress handed DHS a $178 billion check, making it the nation’s costliest law enforcement agency, even as the president gutted its civil rights watchdogs and the Supreme Court repeatedly signed off on unconstitutional tactics.”

Oversight bodies and lawmakers have raised alarms about the program. As early as 2021, the DHS Inspector General found the department lacked central oversight of DNA collection and that years of noncompliance can undermine public safety—echoing an earlier rebuke from the Office of Special Counsel, which called CBP’s failures an “unacceptable dereliction.”

US senator Ron Wyden more recently pressed DHS and DOJ for explanations about why children’s DNA is being captured and whether CODIS has any mechanism to reject improperly obtained samples, saying the program was never intended to collect and permanently retain the DNA of all noncitizens, warning the children are likely to be “treated by law enforcement as suspects for every investigation of every future crime, indefinitely.”

Rights advocates allege that CBP’s DNA collection program has morphed into a sweeping genetic surveillance regime, with samples from migrants and even US citizens fed into criminal databases absent transparency, legal safeguards, or limits on retention. Georgetown’s privacy center points out that once DHS creates and uploads a CODIS profile, the government retains the physical DNA sample indefinitely, with no procedure to revisit or remove profiles when the legality of the detention is in doubt.

In parallel, Georgetown and allied groups have sued DHS over its refusal to fully release records about the program, highlighting how little the public knows about how DNA is being used, stored, or shared once it enters CODIS.

Taken together, these revelations may suggest a quiet repurposing of CODIS. A system long described as a forensic breakthrough is being remade into a surveillance archive—sweeping up immigrants, travelers, and US citizens alike, with few checks on the agents deciding whose DNA ends up in the federal government’s most intimate database.

“There’s much we still don’t know about DHS’s DNA collection activities,” Georgetown’s Glaberson says. “We’ve had to sue the agencies just to get them to do their statutory duty, and even then they’ve flouted court orders. The public has a right to know what its government is up to, and we’ll keep fighting to bring this program into the light.”

DHS Has Been Collecting US Citizens’ DNA for Years

Travel Mode not only hides your most sensitive data—it acts as if that data never existed in the first place.

**Worried About Phone Searches? 1Password’s Travel Mode Can Clean Up Your Data**

Travel Mode not only hides your most sensitive data—it acts as if that data never existed in the first place.

1Password via Jacob Roach

All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links. Learn more.

Searches at the US border are at an all-time high. Between April and June of this year, US Customs and Border Protection says it searched nearly 15,000 devices, outpacing the previous quarterly record by over 2,000. Combined with visitors allegedly being turned away for content on their devices and hours-long detentions at ports of entry, it’s reasonable to be a little worried about entering the US.

There’s a lot you can do to protect yourself at the US border, but most people have at least some sensitive information they need to keep on a phone or laptop while traveling. That’s where 1Password, the password manager, and its Travel Mode feature come into play.

Although it can’t remove everything, Travel Mode can erase a lot. The way it works is simple: You organize your logins, notes, attachments, and other sensitive information into a series of vaults. From there, you can choose which vaults are safe for travel and which aren’t. When you turn on Travel Mode, your selected vaults aren’t only hidden; 1Password claims they’re entirely removed from your device.

*   **A Password Manager Is a Golden Goose**
*   **How to Use Travel Mode in 1Password**
*   **What About Your Laptop?**
*   **You Still Need Some Digital Housekeeping**

**A Password Manager Is a Golden Goose**

The legality and scope of device searches at the border are complex. Broadly speaking, CBP can’t deny entry to US citizens or green card holders if they don’t comply with a device search. But they can make your life really difficult, with longer detentions and device seizures. “You can state that you don’t consent to such a search, but unfortunately, this likely won’t prevent Customs and Border Protection from taking your phone,” according to the Texas chapter of the American Civil Liberties Union.

According to CBP’s own policies, “Officers may not use the device to access information that is solely stored remotely.” Unfortunately, those policies may not always play out cleanly. “This is essentially a limitless authority that they claim for themselves to search travelers without a warrant and to search the full scope of information people carry on them,” says Esha Bhandari, deputy director of the American Civil Liberties Union’s Speech, Privacy, and Technology Project.

1Password via Jacob Roach

Travel Mode can't prevent a search, but it could help you store information you'd rather border agents not see. It’s for a little extra peace of mind that, in the event of an invasive search, some of your data won’t be accessible. It works well for two reasons. First, Travel Mode removes marked vaults from your device completely. You can sign into the 1Password app and do everything else you normally would, but your travel vaults won't be there. It’s as if the vaults you marked never existed in the first place.

You'll want to restore these vaults eventually, but border agents won't be able to do that. 1Password says you can only turn Travel Mode on or off from a browser (at 1password.com) that's been authenticated with both your secret key and master password. So, even if a border agent seizes your phone, there’s no way to turn off Travel Mode from the 1Password app.

“As a practical matter, a border agent can't search what isn't in your possession when crossing the border,” Bill Budington, senior staff technologist at the Electronic Frontier Foundation, wrote to WIRED in an email. “As a feature that limits the amount of data you carry with you, Travel Mode seems like a good way to protect that data.”

1Password via Jacob Roach

**1Password**

It’s easy to turn Travel Mode on and off with 1Password, but there’s some important housekeeping you should do beforehand.

**Mark vaults as safe for travel.** When you create a new vault with 1Password, you can mark it as safe for travel. If it’s marked, it won’t be removed from your device when you turn Travel Mode on. For existing vaults, you can mark them as safe or not safe for travel using the cog icon on the vault at my.1password.com.

**Store your emergency kit somewhere safe.** 1Password has an emergency kit, which includes your secret key, login email, a setup QR code, and a space to write (or type) your master password. You can generate an emergency kit at my.1password.com with the **Manage Account** button. You can print this and physically store it somewhere safe, or upload it to an encrypted cloud storage service like Proton Drive; make sure the device you’re traveling with isn’t logged into that storage service.

In the event you can’t log back into your account and turn off Travel Mode, you can get in using any browser and your emergency kit.

1Password via Jacob Roach

**Organize your entries into different vaults.** 1Password doesn’t have a hard limit on the number of vaults you can create, so it’s worth spending some time organizing different entries into their own vaults. You can store a lot of information in your 1Password vaults beyond passwords, including documents and passkeys. Separating sensitive documents from your Spotify login will make it a lot easier to toggle on Travel Mode without double-checking all of your entries.

You can remove all of your vaults, but I recommend keeping some essentials available through 1Password. Ideally, you’ll turn on Travel Mode before heading to the airport and only turn it off after you’re through customs. If you’re using a laptop (or other device) you brought with you to turn Travel Mode on and off, that kind of defeats the purpose.

Once that’s done, you can turn on Travel Mode following these steps:

*   Log in to your 1Password account in a browser at my.1password.com. If you haven’t already authenticated your device, you’ll need your secret key in addition to your master password.
*   Select your account name in the upper right corner, and choose **Manage Account.**
*   On the left side, under the **More Actions** button, you’ll find a toggle for Travel Mode.

Travel Mode goes into effect instantly, and I mean instantly. Even with my 1Password vault opened on my phone, I was immediately returned to an empty vault after enabling Travel Mode on my desktop.

**What About Your Laptop?**

Travel Mode is handy in the context of your phone. But what about your laptop? Technically, CBP isn’t allowed to turn off Travel Mode through the browser on your laptop, but that doesn’t account for any rogue actors or other, more strict border agencies.

Unfortunately, there isn’t a Travel Mode for your laptop, but there are some options if you want to make sure your devices are completely secure. Most laptops come with ways to encrypt data. With Windows, it’s through BitLocker, with macOS, it’s through FileVault, and Chromebooks are encrypted out of the box. That layer of encryption protects against dumping your PC for later analysis, but if you’re forced to enter your password, it doesn’t do much.

Courtesy of VeraCrypt

Enter VeraCrypt. It’s a free, open source encryption app that can encrypt full drives, as well as operating system partitions, similar to BitLocker or FileVault. The big feature of VeraCrypt is plausible deniability. There are specific setup steps, but you can store an encrypted partition within an encrypted partition.

When you encrypt a drive with VeraCrypt, it writes random data to any free space available on the drive. Within that free space, you can set up another encrypted volume with a different password. It’ll appear as random data, just as if you didn’t have anything written in the free space.

VeraCrypt is available for Windows, macOS, and Linux. Alternatives are available for iOS and Android, as well, but I haven’t tested those myself. You shouldn’t need to set up VeraCrypt on your laptop, and if you do, you might want to reconsider traveling with it in the first place. But if you need protection regardless of the hassle, it’s a good option to consider.

**You Still Need Some Digital Housekeeping**

1Password and Travel Mode are great, and VeraCrypt is a useful tool to keep in your back pocket. But there’s a lot of other data on your phone that could cause issues that neither of them helps with. Photos, messages, and even apps you have installed could all cause problems, so it’s a good idea to either travel with a secondary device or clean up your primary device.

“The general principle of data minimization can go a long way,” Budington says. “Try to thoughtfully consider what is important to take with you, and what can be left behind. Then, try to minimize what you take with you across the border to only the essentials. If you are taking a vacation, do you really need that work laptop with you?”

For data minimization, Budington pointed to removing data from your device. You can use Travel Mode for some of that data, along with “a backup service which is protected by a passphrase you know and can recall if you need to.”

After you’re done storing what you need in the cloud, make sure to log out of your account. CBP’s official policy is that it can’t search data stored in the cloud, but a lot of storage services will keep a local copy when disconnected from the internet. WIRED spoke with several experts about how to protect yourself at the US border in June, and I recommend following their guidance.

Customs and Border Protection has broad authority to search travelers’ devices when they cross into the United States. Here’s what you can do to protect your digital life while at the US border.

_If you don't have 1Password yet, you can get started for less with a 1Password coupon code._

**_Power up with unlimited access to_ WIRED_._** _Get best-in-class reporting and exclusive subscriber content that's too important to ignore. Subscribe Today._

How to Use 1Password's Travel Mode at the Border (2025)

The UK-based automaker has been forced to stop vehicle production as a result of the attack—costing JLR tens of millions of dollars and forcing its parts suppliers to lay off workers.

For almost three weeks, the production lines at global car giant Jaguar Land Rover have stood still. Usually busy turning out an estimated 1,000 vehicles per day, staff at multiple JLR factories across Britain have been told to stay at home as the automotive firm responds to a damaging cyberattack. But as its recovery has stretched from days to weeks, the knock-on impacts are being felt at the hundreds of companies that supply JLR with parts and materials and risk turning the attack into a full-blown crisis.

On Friday, the UK government admitted that the cyberattack against JLR was having a “significant impact” on the company and on the “wider automotive supply chain.” The concession came as unions and officials have increasingly warned that thousands of jobs in JLR’s sprawling supply chain could be lost, and some smaller companies could go bankrupt. Reports claim JLR itself may be losing up to £50 million ($67 million) per week in the shutdown. Some firms have reportedly already laid off staff, with the Unite union claiming that workers in the JLR supply chain “are being laid off with reduced or zero pay.” Some have been told to “sign up” for government benefits, the union claims.

“It seems unprecedented in the UK to have that level of disruption because of a cyberattack or ransomware attack,” says Jamie MacColl, a senior research fellow in the cyber and tech research group at the security and defence think tank RUSI. That thousands of jobs could be put at risk, either temporarily or permanently, is “a different order of magnitude” to previous incidents, MacColl says.

JLR, which is owned by India’s Tata Motors, is one of the UK’s biggest employers, with around 32,800 people directly employed in the country. Stats on the company’s website also claim it supports another 104,000 jobs through its UK supply chain and another 62,900 jobs “through wage-induced spending.” Many other suppliers are also based outside of the UK, as well as some overseas factories.

At the start of September, JLR confirmed it had been “impacted” by a cyberattack and that the company was taking “immediate action” and “proactively shutting down our systems,” effectively grinding its factories and production processes to a halt. As the company investigated the attack, it revealed that “some data” has been “affected” but did not specify what that data is.

Despite efforts to get systems back online, the company confirmed on Wednesday that its “pause” in production has been extended to Wednesday, September 24. “We have taken this decision as our forensic investigation of the cyber incident continues, and as we consider the different stages of the controlled restart of our global operations, which will take time,” JLR said in a statement on Wednesday. “We are very sorry for the continued disruption this incident is causing and we will continue to update as the investigation progresses.”

JLR did not respond to questions from WIRED about what systems were disrupted, the financial cost of the cyberattack to suppliers, nor any measures the company was looking at to support businesses.

Almost immediately after the cyberattack, a group on Telegram called Scattered Lapsus$ Hunters, claimed responsibility for the hack. The group name implies a potential collaboration between three loose hacking collectives— Scattered Spider, Lapsus$, and Shiny Hunters—that have been behind some of the most high-profile cyberattacks in recent years. They are often made up of young, English-speaking, cybercriminals who target major businesses.

Building vehicles is a hugely complex process. Hundreds of different companies provide parts, materials, electronics, and more to vehicle manufacturers, and these expansive supply chain networks often rely upon “just-in-time” manufacturing. That means they order parts and services to be delivered in the specific quantities that are needed and exactly when they need them—large stockpiles of parts are unlikely to be held by auto makers.

“The supplier networks that are supplying into these manufacturing plants, they’re all set up for efficiency—economic efficiency, and also logistic efficiency,” says Siraj Ahmed Shaikh, a professor in systems security at Swansea University. “There’s a very carefully orchestrated supply chain,” Shaikh adds, speaking about automotive manufacturing generally. “There’s a critical dependency for those suppliers supplying into this kind of an operation. As soon as there is a disruption at this kind of facility, then all the suppliers get affected.”

One company that makes glass sun roofs has started laying off workers, according to a report in the Telegraph. Meanwhile, another firm told the BBC it has laid off around 40 people so far. French automotive company OPmobility, which employs 38,000 people across 150 sites, told WIRED it is making some changes and monitoring the events. “OPmobility is reconfiguring its production at certain sites as a consequence of the shutdown of its production by one of its customers based in the United Kingdom and depending on the evolution of the situation,” a spokesperson for the firm says.

While it is unclear which specific JLR systems have been impacted by the hackers and what systems JLR took offline proactively, many were likely taken offline to stop the attack from getting worse. “It’s very challenging to ensure containment while you still have connections between various systems,” says Orla Cox, head of EMEA cybersecurity communications at FTI Consulting, which responds to cyberattacks and works on investigations. “Oftentimes as well, there will be dependencies on different systems: You take one down, then it means that it has a knock on effect on another.”

Whenever there’s a hack in any part of a supply chain—whether that is a manufacturer at the top of the pyramid or a firm further down the pipeline—digital connections between companies may be severed to stop attackers from spreading from one network to the next. Connections via VPNs or APIs may be stopped, Cox says. “Some may even take stronger measures such as blocking domains and IP addresses. Then things like email are no longer usable between the two organizations.”

The complexity of digital and physical supply chains, spanning across dozens of businesses and just-in-time production systems, means it is likely that bringing everything back online and up to full-working speed may take time. MacColl, the RUSI researcher, says cybersecurity issues often fail to be debated at the highest level of British politics—but adds this time could be different due to the scale of the disruption. “This incident has the potential to cut through because of the job losses and the fact that MPs in constituencies affected by this will be getting calls,” he says. That breakthrough has already begun.

“This cyberattack is not some mere flicker on a screen, it is fast becoming a cyber-shockwave ripping through our industrial heartlands,” Liam Byrne, a member of Parliament and chair of the House of Commons’ Business and Trade committee said on X. “If government stands back, that shockwave is going to destroy jobs, businesses, and pay packets across Britain.” Other lawmakers have also expressed concerns after speaking with impacted JLR suppliers, and the Unite union has said the British government should intervene with a “furlough” scheme to support workers.

“The recent cyber incident is having a significant impact on Jaguar Land Rover and on the wider automotive supply chain,” the UK’s Department for Business and Trade said in a statement on Friday, following a meeting with automotive industry groups. “The Government, including government cyber experts, are in contact with the company to support the task of restoring production operations, and are working closely with JLR to understand any impacts on the supply chain.”

The attack is likely another incident that demonstrates how fragile supply chains can be when they are faced with disruption. “We do need to shift to a more resilient supply chain and a resilient operation when it comes to things like manufacturing,” says Shaikh, from Swansea University.

Meanwhile, MacColl says that as global tensions are high—with multiple countries taking steps to make sure they are prepared for war—the attack indicates how production can be forced to grind to a halt. “If this is the effect just that criminals can have on our supply chains, then it's quite worrying to think about how unprepared we are for, say, a more coordinated and sustained attack from a potential state adversary,” MacColl says.

A Cyberattack on Jaguar Land Rover Is Causing a Supply Chain Disaster

Plus: An investigation reveals how US tech companies reportedly helped build China’s sweeping surveillance state, and two more alleged members of the Scattered Spider hacking group were arrested.

New findings this week showed that a misconfigured platform used by the Department of Homeland Security left sensitive national security information—including data related to the surveillance of Americans—exposed and accessible to thousands of people. Meanwhile, 15 New York officials were arrested by Immigration and Customs Enforcement and the New York Police Department this week in or around 26 Federal Plaza—where ICE detains people in what courts have ruled are unsanitary conditions.

Russia conducted conspicuous military exercises testing hypersonic missiles near NATO borders, stoking tensions in the region after the Kremlin had already recently flown drones into Polish and Romanian airspace. Scammers have a new tool for sending spam texts, known as “SMS blasters,” that can send up to 100,000 texts per hour while evading telecom company anti-spam measures. Scammers deploy rogue cell towers that trick people's phones into connecting to the malicious devices so they can send the texts directly and bypass filters. And a pair of flaws in Microsoft's Entra ID identity and access management system, which have been patched, could have been exploited to access virtually all Azure customer accounts—a potentially catastrophic disaster.

WIRED published a detailed guide this week to acquiring and using a burner phone, as well as alternatives that are more private than a regular phone but not as labor-intensive as a true burner. And we updated our guide to the best VPNs

But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

****The “Shai-Hulud” Worm Is Eating Its Way Through Hundreds of Software Packages****

The cybersecurity world has seen, to its growing dismay, plenty of software supply-chain attacks, in which hackers hide their code in a legitimate piece of software so that it’s silently seeded out to every system that uses that code around the world. In recent years, hackers have even tried linking one software supply-chain attack to another, finding a second software developer target among their victims to compromise yet another piece of software and launch a new round of infections. This week saw a new and troubling evolution of those tactics: a full-blown self-replicating supply-chain attack worm.

The malware, which has been dubbed Shai-Hulud after the Fremen name for the monstrous Sandworms in the sci-fi novel _Dune_ (and the name of the Github page where the malware published stolen credentials of its victims), has compromised hundreds of open source software packages on the code repository Node Packet Management, or NPM, used by developers of Javascript. The Shai-Hulud worm is designed to infect a system that uses one of those software packages, then hunt for more NPM credentials on that system so that it can corrupt another software package and continue its spread.

By one count, the worm has spread to more than 180 software packages, including 25 used by the cybersecurity firm CrowdStrike, though CrowdStrike has since had them removed from the NPM repository. Another count from cybersecurity firm ReversingLabs put the count far higher, at more than 700 affected code packages. That makes Shai-Hulud one of the biggest supply-chain attacks in history, though the intent of its mass credential-stealing remains far from clear.

****How US Tech Firms Helped Build China’s Panopticon****

Western privacy advocates have long pointed to China’s surveillance systems as the potential dystopia awaiting countries like the United States if tech industry and government data collection goes unchecked. But a sprawling Associated Press investigation highlights how China’s surveillance systems have reportedly been largely built on US technologies. The AP’s reporters found evidence that China’s surveillance network—from the “Golden Shield” policing system that Beijing officials have used to censor the internet and crack down on alleged terrorists to the tools used to target, track, and often detain Uyghurs and the country’s Xinjiang region—appear to have been built with the help of American companies, including IBM, Dell, Cisco, Intel, Nvidia, Oracle, Microsoft, Thermo Fisher, Motorola, Amazon Web Services, Western Digital, and HP. In many cases, the AP found Chinese-language marketing materials in which the Western companies specifically offer surveillance applications and tools to Chinese police and domestic intelligence services.

**Two Alleged Members of Scattered Spider Hacking Crew Arrested**

Scattered Spider, a rare hacking and extortion cybercriminal gang based largely in Western countries, has for years unleashed a trail of chaos across the internet, hitting targets from MGM Resorts and Caesar’s Palace to the Marks & Spencer grocery chain in the United Kingdom. Now two alleged members of that notorious group have been arrested in the UK: 19-year-old Thalha Jubair and 18-year-old Owen Flowers, both charged with hacking the Transport for London transit system—reportedly inflicting more than $50 million in damage—among many other targets. Jubair alone is accused of intrusions targeting 47 organizations. The arrests are just the latest in a string of busts targeting Scattered Spider, which has nonetheless continued a nearly uninterrupted string of breaches. Noah Urban, who was convicted on charges related to Scattered Spider activity, spoke from jail to Bloomberg Businessweek for a long profile of his cybercriminal career. Urban, 21, has been sentenced to a decade in prison.

Source

Wired