Law enforcement has more tools than ever to track your movements and access your communications. Here’s how to protect your privacy if you plan to protest.

A major groundswell of nationwide protests against the second Trump administration has arrived.

If you're going to join any protests, as is your right under the First Amendment, you need to think beyond your physical well-being to your digital security, too. The same surveillance apparatus that’s enabling the Trump administration’s raids of undocumented people and targeting of left-leaning activists will no doubt be out in full force on the streets.

Two key elements of digital surveillance should be top of mind for protestors. One is the data that authorities could potentially obtain from your phone if you are detained, arrested, or they confiscate your device. The other is surveillance of all the identifying and revealing information that you produce when you attend a protest, which can include wireless interception of text messages and more, and tracking tools like license plate scanners and face recognition. You should be mindful of both.

After all, police have already demonstrated their willingness to arrest and attack entirely peaceful protesters as well as journalists observing demonstrations. In that light, you should assume that any digital evidence that you were at or near a protest could be used against you.

“The Trump administration is weaponizing essentially every lever of government to shut down, suppress, and curtail criticism of the administration and of the US government generally, and there have never been more surveillance toys available to law enforcement and to US government agencies,” says Evan Greer, the deputy director of the activist organization Fight for the Future, who also wrote a helpful X (then-Twitter) thread laying out digital security advice during the Black Lives Matter protests in the summer of 2020. “That said, there are a number of very simple, concrete things that you can do that make it exponentially more difficult for someone to intercept your communications, for a bad actor to ascertain your real-time location, or for the government to gain access to your private information.”

_This story was originally published on May 31, 2020 and updated on June 12, 2025._

**Your Phone**

The most important decision to make before leaving home for a protest is whether to bring your phone—or what phone to bring. A smartphone broadcasts all sorts of identifying information; law enforcement can force your mobile carrier to cough up data about what cell towers your phone connects to and when. Police in the US have also been documented using so-called stingray devices, or IMSI catchers, that impersonate cell towers and trick all the phones in a certain area into connecting to them. This can give cops the individual mobile subscriber identity number of everyone at a protest at a given time, undermining the anonymity of entire crowds en masse.

“The device in your pocket is definitely going to give off information that could be used to identify you,” says Harlo Holmes, director of digital security at the Freedom of the Press Foundation, a nonprofit press advocacy group. (Disclosure: WIRED’s global editorial director, Katie Drummond, serves on Freedom of the Press Foundation’s board.)

For that reason, Holmes suggests that protesters who want anonymity leave their primary phone at home altogether. If you do need a phone for coordination or as a way to call friends or a lawyer in case of an emergency, keep it off as much as possible to reduce the chances that it connects to a rogue cell tower or Wi-Fi hot spot being used by law enforcement for surveillance. Sort out logistics with friends in advance so you only need to turn your phone on if something goes awry. Or to be even more certain that your phone won’t be tracked, keep it in a Faraday bag that blocks all of its radio communications. Open the bag only when necessary. Holmes herself uses and recommends the Mission Darkness Faraday bag.

If you do need a mobile device, consider bringing only a secondary phone you don’t use often, or a burner. Your main smartphone likely has the majority of your digital accounts and data on it, all of which law enforcement could conceivably access if they confiscate your phone. But don’t assume that any backup phone you buy will grant you anonymity. If you give a prepaid carrier your identifying details, after all, your “burner” phone could be no more anonymous than your primary device. “Don’t expect because you got it from Duane Reade that you’re automatically a character from _The Wire_,” Holmes cautions.

Instead of a burner phone, Holmes argues that it may be far more practical to simply own a secondary phone that you’ve set up to be less sensitive—leaving off accounts and apps that offer your most private information to anyone who seizes it, such as social media, email, and messaging apps. “Choosing a secondary device that limits the amount of personal data that you have on you at all times is probably your best protection,” Holmes says.

Regardless of what phone you’re using, consider that traditional calls and text messages are vulnerable to surveillance. That means you need to use end-to-end encryption. Ideally, you and those you communicate with should use disappearing messages set to self-delete after a few hours or days. The encrypted messaging and calling app Signal has perhaps the best and longest track record. Just make sure you and the people you’re communicating with are using the same app, since they’re not interoperable.

Aside from protecting your phone’s communications from surveillance, be prepared in the event police seize your device and try to unlock it in search of incriminating evidence. The first order of business is to make sure your smartphone’s contents are encrypted. iOS devices have full disk encryption on by default if you enable an access lock. For Android phones, go to **Settings**, then **Security** to make sure the **Encrypt Disk** option is turned on. (These steps may differ depending on your specific device.)

Regardless of your operating system, always protect devices with a long, strong passcode rather than a fingerprint or face unlock. As convenient as biometric unlocking methods are, it may be more difficult to resist an officer forcing your thumb onto your phone’s sensor, for instance, than to refuse to tell them a passcode. So if you use biometrics day-to-day for convenience, disable them before heading into a protest.

If you insist on using biometric unlocking methods to have faster access to your devices, keep in mind that some phones have an emergency function to disable these types of locks. Hold the wake button and one of the volume buttons simultaneously on an iPhone, for instance, and it will lock itself and require a passcode to unlock rather than FaceID or TouchID, even if they’re enabled. Most devices also let you take photos or record video without unlocking them first, a good way to keep your phone locked as much as possible.

**Your Face**

Face recognition has become one of the most powerful tools to identify your presence at a protest. Consider wearing a face mask and sunglasses to make it far more difficult for you to be identified by face recognition in surveillance footage or social media photos or videos of the protest. Fight for the Future’s Greer cautions, however, that the accuracy of the most effective face recognition tools available to law enforcement remains something of an unknown, and a simple surgical mask or KN95 may no longer be enough to defeat well-honed face-tracking tech.

If you’re serious about not being identified, she says, a full-face mask may be far safer—or even a Halloween-style one. “I've seen people wear funny cosplay-style cartoon masks or mascot suits or silly costumes,” says Greer, offering as an example Donald Trump and Elon Musk masks that she’s seen protesters wear at Tesla Takedown protests against Musk and the so-called Department of Government Efficiency (DOGE). “That's a great way to defy facial recognition and also make the protest more fun.”

You should also consider the clothes you’re wearing before you head out. Colorful clothing or prominent logos makes you more recognizable to law enforcement and easier to track. If you have tattoos that make you identifiable, consider covering them.

Greer cautions, though, that preventing determined surveillance-empowered agencies from learning the mere fact that you attended a protest at all is increasingly difficult. For those of you in the most sensitive positions—such as undocumented immigrants at risk of deportation—she suggests that you consider staying home rather than depend on any obfuscation technique to mask their presence at an event.

If you’re driving a car to a protest—your own or someone else’s—consider that automatic license plate readers can easily identify the vehicle’s movements. And, in addition to license plates, be aware that these same sensors can also detect other words and phrases, including those on bumper stickers, signs, and even T-shirts.

More broadly, everyone who attends a protest needs to consider—perhaps more than ever before—what their tolerance for risk might be, from mere identification to the possibility of arrest or detention. “I think it's important to say that protesting in the US now comes with higher risks than it used to—it comes with a real possibility of physical violence and mass arrest,” says Danacea Vo, the founder of Cyberlixir, a cybersecurity provider for nonprofits and vulnerable communities. “Even just compared to protests that happened last month, people were able to just show up barefaced and march. Now things have changed.”

**Your Online Footprint**

Though most privacy and security considerations for attending an in-person protest naturally relate to your body, any devices you bring with you, and your physical surroundings, there are a set of other factors to think about online. It’s important to understand how posts on social media and other platforms before, during, or after a protest could be collected and used by authorities to identify and track you or others. Simply saying on an online platform that you are attending or attended a protest puts the information out there. And if you take photos or videos during a protest, that content could be used to expand law enforcement’s view of who attended a protest and what they did while there, including any strangers who appear in your images or footage.

Authorities can come to your online presence by looking for information about you in particular, but can also arrive there using bulk data analysis tools like Dataminr that offer law enforcement and other customers real-time monitoring connecting people to their online activity. Such tools can also surface past posts, and if you’ve ever made violent comments online or alluded to committing crimes—even as a joke—law enforcement could discover the activity and use it against you if you are questioned or arrested during a protest. This is a particular concern for people living in the US on visas or those whose immigration status is tenuous. The US State Department has said explicitly that it is monitoring immigrants’ and travelers’ social media activity.

In addition to written posts, keep in mind that files you upload to social media might contain metadata like time stamps and location information that could help authorities track protest crowds and movement. Make sure you have permission to photograph or videotape any fellow protesters who would be potentially identifiable in your content. Also think carefully before livestreaming. It’s important to document what’s going on but difficult to be sure that everyone who could show up in your stream is comfortable being included.

Even if you take photos and videos that you don’t plan to post on social media or otherwise share, remember that this media could fall into law enforcement’s hands if they demand access to your device.

With federal crackdowns on protests ramping up around the country, Cyberlixir’s Vo says that people must assess each situation and weigh the benefits of maintaining personal privacy versus chronicling the reality of what’s happening at protests.

“Social media monitoring and online profiling is the factor that lots of people forget. Those who publish footage on social media should avoid sharing photos or videos that reveal people's faces,” she says. “But I also believe that documenting what’s going on is essential, especially in high-risk conditions, because when the state escalates we need proof for legal defense, for public record, for future organizing, and also to keep ourselves physically safe in real time.”

As protests continue—with the real possibility of even further escalated response from the Trump administration—be prepared for the emergence of forms of digital surveillance that have never been used in the US before to counter civil disobedience or to retaliate against protesters after the fact. Protesters will need to stay vigilant, and Fight for the Future’s Greer emphasizes that everyone has different potential vulnerabilities and tolerance for risk. For people of every category of risk, however, a few thoughtful privacy protections can go a long way towards empowering them to hit the streets.

“Part of the goal of governments extending and implementing mass surveillance programs is to scare people and make people think twice before they speak up,” Greer says. “I think that we should be very careful in this moment not to fall into that trap.”

How to Protest Safely in the Age of Surveillance

Popular Chrome extensions exposed user data by sending it over unencrypted HTTP, raising privacy concerns. Symantec urges caution for users.

A recent investigation has revealed that several widely used Google Chrome extensions are transmitting sensitive user data over unencrypted HTTP connections, exposing millions of users to serious privacy and security risks.

The findings, published by cybersecurity researchers and detailed in a blog post by Symantec, reveal how extensions such as:

PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl)

Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh)

MSN New Tab (ID: lklfbkdigihjaaeamncibechhgalldgl)

SEMRush Rank (ID: idbhoeaiokcojcgappfigpifhpkjgmab)

DualSafe Password Manager & Digital Vault (ID: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc)

There are other extensions as well that are handling user data in ways that open the door to eavesdropping, profiling, and other attacks.

****Extensions That Promise Privacy Are Doing the Opposite****

Although these extensions are legitimate and meant to help users monitor web rankings, manage passwords, or improve their browsing experience, behind the scenes, they are making network requests without encryption, allowing anyone on the same network to see exactly what’s being sent.

In some cases, this includes details like the domains a user visits, operating system information, unique machine IDs, and telemetry data. More troubling, several extensions were also found to have hardcoded API keys, secrets, and tokens inside their source code which is a piece of valuable information that attackers can easily exploit.

****Real Risk on Public Networks****

When extensions transmit data using HTTP rather than HTTPS, the information travels across the network in plaintext. On a public Wi-Fi network, for example, a malicious actor can intercept that data with little effort. Worse still, they can modify it mid-transit.

This opens the door to attacks that go far beyond spying. According to Symantec’s blog post, in the case of Browsec VPN, a popular privacy-focused extension with over six million users, the use of an HTTP endpoint during the uninstall process sends user identifiers and usage stats without encryption. The extension’s configuration allows it to connect to insecure websites, further widening the attack surface.

****Data Leaks Across the Board****

Other extensions are guilty of similar issues. SEMRush Rank and PI Rank, both designed to show website popularity, were found to send full URLs of visited sites over HTTP to third-party servers. This makes it easy for a network observer to build detailed logs of a user’s browsing habits.

MSN New Tab and MSN Homepage, with hundreds of thousands of users, transmit machine IDs and other device details. These identifiers remain stable over time, allowing adversaries to link multiple sessions and build profiles that persist across browsing activity.

Even DualSafe Password Manager, which handles sensitive information by nature, was caught sending telemetry data over HTTP. While no passwords were leaked, the fact that any part of the extension uses unencrypted traffic raises concerns about its overall design.

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security commented on this, stating, _“_This incident highlights a critical gap in extension security – even popular Chrome extensions can put users at risk if developers cut corners. Transmitting data over unencrypted HTTP and hard-coding secrets exposes users to profiling, phishing and adversary-in-the-middle attacks – especially on unsecured networks._“_

He warned of consequences for unsuspecting users and advised that _“_Organizations should take immediate action by enforcing strict controls around browser extension usage, managing secrets securely and monitoring for suspicious behaviour across endpoints._“_

****Privacy and Data Security Threat****

Although none of the extensions were found to leak passwords or financial data directly, the exposure of machine identifiers, browsing habits, and telemetry is far from harmless. Attackers can use this data to track users across websites, deliver targeted phishing campaigns, or impersonate device telemetry for malicious purposes.

While theoretical, NordVPN’s latest findings spotted more than 94 billion browser cookies on the dark web. When combined with the data leaks highlighted by Symantec, the potential for damage is significant.

Developers who include hardcoded API keys or secrets inside their extensions add another layer of risk. If an attacker gets hold of these credentials, they can misuse them to impersonate the extension, send forged data, or even inflate service usage leading to financial costs or account bans for the developers.

****What Users Can Do****

Symantec has contacted the developers involved, and only DualSafe Password Manager has fixed the issue. Yet, users who have installed any of the affected extensions are advised to remove them until the developers fix the issues. Even popular and well-reviewed extensions can make unsafe design choices that go unnoticed for years.

Hackread.com recommends checking the permissions an extension asks for, avoiding unknown publishers, and using a trusted security solution. Above all, any tool that promises privacy or security should be examined carefully for how it handles your data.

Popular Chrome Extensions Found Leaking Data via Unencrypted Connections

The easy access that scammers have to sophisticated AI tools means everything from emails to video calls can’t be trusted.

Imagine you meet someone new. Be it on a dating app or social media, you chance across each other online and get to talking. They’re genuine and relatable, so you quickly take it out of the DMs to a platform like Telegram or WhatsApp. You exchange photos and even video call each over. You start to get comfortable. Then, suddenly, they bring up money.

They need you to cover the cost of their Wi-Fi access, maybe. Or they’re trying out this new cryptocurrency. You should really get in on it early! And then, only after it’s too late, you realize that the person you were talking to was in fact not real at all.

They were a real-time AI-generated deepfake hiding the face of someone running a scam.

This scenario might sound too dystopian or science-fictional to be true, but it has happened to countless people already. With the spike in the capabilities of generative AI over the past few years, scammers can now create realistic fake faces and voices to mask their own in real time. And experts warn that those deepfakes can supercharge a dizzying variety of online scams, from romance to employment to tax fraud.

David Maimon, the head of fraud insights at identity verification firm SentiLink and a professor of criminology at Georgia State University, has been tracking the evolution of AI romance scams and other kinds of AI fraud for the past six years. “We’re seeing a dramatic increase in the volume of deepfakes, especially in comparison to 2023 and 2024,” Maimon says.

“It wasn’t a whole lot. We’re talking about maybe four or five a month,” he says. “Now, we’re seeing hundreds of these on a monthly basis across the board, which is mind-boggling.”

Deepfakes are already being used in a variety of online scams. One finance worker in Hong Kong, for example, paid $25 million to a scammer posing as the company’s chief financial officer in a deepfaked video call. Some deepfake scammers have even posted instructional videos on YouTube, which have a disclaimer as being for “pranks and educational purposes only.” Those videos usually open with a romance scam call, where an AI-generated handsome young man is talking to an older woman.

More traditional deepfakes—such as a pre-rendered video of a celebrity or politician, rather than a live fake—have also become more prevalent. Last year, a retiree in New Zealand lost around $133,000 to a cryptocurrency investment scam after seeing a Facebook advertisement featuring a deepfake of the country’s prime minister encouraging people to buy in.

Maimon says SentiLink has started to see deepfakes used to create bank accounts in order to lease an apartment or engage in tax refund fraud. He says an increasing number of companies have also seen deepfakes in video job interviews.

“ Anything that requires folks to be online and which supports the opportunity of swapping faces with someone—that will be available and open for fraud to take advantage of,” Maimon says.

Part of the reason for this increase is that the barriers for creating deepfakes are getting lower. There are a lot of easily accessible AI tools that can generate realistic faces and a lot of tools that can animate those faces or create full-length videos out of them. Scammers often use images and videos of real people, deepfaked to slightly change their faces or alter what they’re saying, to target their loved ones or hijack their public influence.

Matt Groh, a professor of management at Northwestern University who researches people’s ability to detect deepfakes, says that point-and-click generative AI tools make it much easier to make small, believable changes to already-existing media.

“If there’s an image of you on the internet, that would be enough to manipulate a face to look like it’s saying something that you haven’t said before or doing something you haven’t done before,” Groh says.

It’s not just fake video that you need to be worried about. With a few clips of audio, it’s also possible to make a believable copy of somebody’s voice. One study in 2023 found that humans failed to detect deepfake audio over a quarter of the time.

“ Just a single image and five seconds of audio online mean that it’s definitely possible for a scammer to make some kind of realistic deepfake of you,” Groh says.

Deepfakes are becoming more pervasive in contexts other than outright scams. Social media has been flooded over the past year with AI-generated “influencers” stealing content from adult creators by deepfaking new faces onto their bodies and monetizing the resulting videos. Deepfakes have even bled over into geopolitics, like when the mayors of multiple European capital cities held video calls with a fake version of the mayor of Kyiv, Ukraine. People have started using deepfakes for personal reasons, like bringing back a dead relative or creating an avatar of a victim to testify in court.

So, if deepfakes are everywhere, how do you spot one? The answer is not technology. A number of technology companies, including OpenAI, have launched deepfake detection tools. Researchers have also proposed mechanisms to detect deepfakes based on things like light reflected in a person’s eyes or inconsistent facial movements, and have started investigating how to implement them in real time.

But those models often cannot reliably detect different kinds of AI fakes. OpenAI’s model, for example, is specifically designed only to report content generated with the company’s own Dall-E 3 tool but not other image generation models.

There’s also the risk that scammers can abuse AI detectors by repeatedly tweaking their content until it fools the software.

“ The major thing we have to understand is that the technology we have right now is not good enough to detect those deepfakes,” Maimon says. “ We’re still very much behind.”

For now, as video deepfakes get more popular, the best way to detect one relies on humans. Studies on deepfake detection show that people are best at distinguishing whether videos are real or fake, as opposed to just audio or text content, and are in some cases even better than leading detection models.

Groh’s team conducted one study which found that taking more time to determine whether an image was real or fake led to a significant increase in accuracy, by up to eight percentage points for just 10 seconds of viewing time.

“ This sounds almost so simple,” Groh says. “But if you spend just a couple extra seconds, that leads to way higher rates of being able to distinguish an image as real or fake. One of the ways for any regular person to just be a little bit less susceptible to a scam is to ask, ‘Does this look actually real?’ And if you just do that for a few extra seconds, we’re all going to be a little bit better off.”

Deepfakes’ popularity could be a double-edged sword for scammers, Groh says. The more widespread they are, the more people will be familiar with them and know what to look for.

That familiarity has paid off in some cases. Last summer, a Ferrari executive received a call from someone claiming to be the CEO of the company. The person convincingly emulated the CEO’s voice but abruptly hung up the call when the executive tried to verify their identity by asking what book the CEO had recommended just days earlier. The CEO of WPP, the world’s biggest advertising agency, was also unsuccessfully targeted by a similar deepfake scam.

“I think there’s a balancing act going on,” Groh says. “ We definitely have technology today that is generally hard for people to identify. But at the same time, once you know that there’s a point-and-click tool that allows you to transform one element into something else, everyone becomes a lot more skeptical.”

Deepfake Scams Are Distorting Reality Itself

Everyone knows what it’s like to lose cell service. A burgeoning open source project called Meshtastic is filling the gap for when you’re in the middle of nowhere—or when disaster strikes.

Hypothetical: You wake up tomorrow morning to find a superstorm that developed overnight thanks to climate change has sparked a chain of events that abruptly ushers in a new ice age and alters human society as we know it. (Yes, this is the plot of _The Day After Tomorrow_. Stick with us.) All the communication networks you relied on are down. Your phone is basically worthless. The internet has functionally ceased to exist. But you need to connect with people you trust to get help and survive. What do you do? More importantly, how did you prepare?

Less Hollywood-esque versions of having no cell service or Wi-Fi happen all the time, of course; maybe you’re hiking in a secluded area, white-knuckling through a major natural disaster, or living under a repressive regime that cuts internet access to quash public protests. Fortunately, for all these scenarios, there’s a low-budget solution: Meshtastic.

Meshtastic is a program that enables devices to send text messages over long distances without needing Wi-Fi or cell service. Long range radio (LoRa) nodes help pass messages along, forming a network of devices that can talk to each other even in remote areas. Messages hop from device to device, with each node relaying messages it hasn't seen before—extending the network’s reach across miles using minimal power. That is to say, Meshtastic is designed specifically for sending text messages over free-to-use radio frequencies to both groups and individuals, even when cell service and internet connections are nowhere to be found.

“The cool thing about Meshtastic is that it’s like a radio infrastructure without the infrastructure. It’s ad hoc,” says Eric Kristoff, a volunteer member of the Chicago chapter of the Mars Society, a nonprofit that advocates for the human exploration and colonization of Mars.

Kristoff says the group has been testing the use of Meshtastic as a way to give Mars Society “analog astronauts” the ability to communicate and keep track of each others’ locations without the use of earthly infrastructure.

“We have a set of Meshtastic T-Echo radios, about the size of a deck of cards, and they are worn on the person of the analog astronaut,” he says.

The radios that use Meshtastic cost roughly $30 (though you can spend two, three, or four times that if you want to). And because they operate over unlicensed radio frequencies on a network created by personal devices, they’re essentially free to use. Each message is end-to-end encrypted, ensuring privacy while it’s relayed through the network. And Meshtastic’s optional location-tracking capabilities give people a way to monitor their communities and keep tabs on their kids—or fellow analog astronauts—without using invasive, data-hungry apps.

Kristoff says that Mars Society members will take weeks-long excursions in remote areas with little cellular or Wi-Fi connectivity, which creates additional risks.

“There is heat stroke. We are two hours from the nearest hospital. If you go too far from the campus, it can get dangerous,” Kristoff says of the experience. “So anytime there’s a risk, the risk is made worse if people don’t know where you are.”

Most Meshtatic devices currently on the market need to pair with a phone over Bluetooth to function as a texting alternative. Some devices are just a radio, antenna, and battery, with the expectation that you’ll make the housing yourself. The radio does all the device-to-device communication, while the iOS and Android apps or the web client let you read and compose messages that are received or sent over the network—no service plan needed.

The apps also allow you to see the approximate location of nearby nodes and a map of the Meshtastic network. But fancier stand-alone devices are already available, like a line of Meshtastic-enabled gadgets from maker-friendly tech firm LilyGo that, in addition to the T-Echo model used by Mars Society members, includes Blackberry-like handhelds with their own keyboards, a smartphone-like device with an e-paper screen, and even a Meshtastic-enabled smartwatch.

Meshtastic was created by technologist Kevin Hester in early 2020 as a way to communicate while doing “any hobby where you don’t have reliable internet access,” and it remains a grassroots endeavor, with established local communities spanning from Argentina to China that are ripe with a DIY ethos. The software itself is open source, meaning anyone can theoretically contribute, and hundreds have. Still, as with many open source projects, a core group of volunteer developers help maintain the Meshtastic firmware, mobile apps, and more.

Jonathan Bennett, a self-described “Linux guy” who upgraded Meshtastic to stronger end-to-end encryption for direct messaging and keeps the software working on Linux, says he first got involved in the project after a listener of one his podcasts wanted a way to communicate with friends while attending a festival where the cell network could get overloaded.

“I put my open source enthusiast hat on and I went looking, and I came across Meshtastic,” he says. “And it immediately tickled my interest.”

Bennett says he ultimately connected with Garth Vander Houwen, a C# developer who wrote Meshtastic’s iOS app, and Ben Meadors, another C# developer who took on maintaining the Android app, web client, firmware, and other parts of the Meshtastic ecosystem after Hester needed to step back due to health issues.

Like Bennett, Vander Houwen and Meadors got involved with Meshtastic while looking for solutions to real-life problems. Vander Houwen, an iPhone user, says he found Meshtastic while on the hunt for a way to communicate as he hiked on remote trails in the Seattle area, just to find that it only had an Android app. He decided to write the iOS app himself. “So the fact that there was not an iOS app for Meshtastic was kind of how I got started,” he says, “and it's been a lot of fun.”

Meadors says he came to Meshtastic after a dangerous tornado hit his home state of Arkansas, causing major damage. “My kind of initial use case was honestly a backup communication for storm-related outages,” Meadors says. After taking part in the cleanup effort around Little Rock, he realized the value of a decentralized, off-grid communication network like Meshtastic. “It's just really handy to have anywhere where you’ve got a limited connection to the grid.”

None of which is to say you should throw your cell phone in the sea and go all-in on Meshtastic. At least not yet. First, getting into the world of LoRa remains a little bit technical, so if the idea of “flashing” your device with new firmware makes you instinctively pick up your phone to scroll TikTok, it might not be the hobby for you. Even if you are tech savvy, the system has some notable limitations.

Using the decentralized mesh network requires having your Meshtastic device in range of at least one other radio; obstructions like buildings, trees, and hills or mountains can prevent the line-of-sight communication needed to join the mesh network. This means it may only be reliable when there’s a variety of other Meshtastic nodes in the area.

Next is what Meadors calls the “narrowness” of the network’s technical capabilities. “One of the most frequent things that we get is, ‘Can I replace the internet with this?’ No, no you cannot,” he says. “You can send text messages.” Mercifully, that does include emoji.

Photograph: Michael Tessier

This may be obvious, but you also need to have a network set up before disaster hits, Meadors says. So, set up anyone who you might need to communicate with during a cell and internet blackout before it actually happens. And, due to relatively frequent firmware updates, you can’t just toss your device in a bug-out bag and forget about it. But “if it's something that you actually use, like if you pull it out and use it once a month, you'll be good to go,” Bennett says.

Then there’s the issue of raw bandwidth. This limitation can cause issues when a lot of people are trying to use the network at the same time. At a ham radio convention in Dayton, Ohio, last year (yes, it’s called Hamvention), the Meshtastic network crashed after someone ran a program that flooded the network with additional traffic, pushing the Meshtastic network to its limits.

“Because literally one person turned on this MQTT bridge, which then joined the rest of us into this mesh in a metal building in Dayton, it crashed the whole mesh immediately,” Vander Houwen says.

After this incident, Vander Houwen, Bennett, and Meadors went to work to prepare for the upcoming Defcon hacker convention in Las Vegas, ultimately releasing a special firmware for the much larger event that Vander Houwen estimates allows “somewhere between 2,000 and 2,500 nodes” to operate on the network simultaneously. A similar firmware released ahead of the 2025 Hamvention in May drew praise from the community.

Despite Meshtastic’s limitations, its promise as a backup communication system—and the sheer fun you can have with it—continues to pull in new enthusiasts. The Android app alone has drawn thousands of reviews, and the Meshtastic subreddit has grown to nearly 50,000 members. Some municipalities are even hoping to launch Meshtastic networks to help protect their communities in the event of natural disasters.

For Bennett, Meadors, and Vander Houwen, they’re excited to not just see the number of Meshtastic nodes increase, but to see the technology develop into something anyone can use without having to become an enthusiast or “analog astronaut” at all.

“I think the biggest thing for me too is that it’s not just accessible from the aspect of the hardware being available to more people. I want to make the software more accessible,” Meadors says. “I want to make the experience such that I can hand this device to anybody and have them download the app and start messaging. We've come a long way. I think there's still some room to grow there.”

_Updated at 10:25 am ET, June 4, 2025: Corrected a misspelling of Ben Meadors' surname._

The Texting Network for the End of the World

This spring has seen another spate of stories about juice jacking, including a new, more sophisticated form of attack. But how much of a threat is it, really?

Remember juice jacking? It’s a term that crops up every couple of years to worry travelers. This spring has seen another spate of stories, including a new, more sophisticated form of attack. But how much of a threat is it, really?

Juice jacking is where an attacker uses a malicious public USB charger to install malware on, or steal information from, your phone. In theory, the victim plugs their phone into a USB charging port like those found in airports, restaurants or public transportation to top up their battery. The attacker has programmed the charger to start a data connection with the phone, allowing them to perhaps view files or control apps.

Both Apple and Android operating system developer Google coded rudimentary protections against juice jacking into their operating systems years ago. They updated their software so that users would have to approve any request to control the phone via a USB port.

However, as Ars Technica reported last week, researchers have found a way past these mechanisms in a new variation on the theme called ChoiceJacking.

Ars offers a detailed technical analysis of the exploit, invented by researchers at Austria’s Graz University of Technology. In short, though, it gives itself permission to control the phone by spoofing the user’s button-pressing for them.

Government agencies continue to warn about the risks of juice jacking. The TSA was the most recent, posting a warning about the issue on Facebook back in March:

> “Hackers can install malware at USB ports (we’ve been told that’s called ‘juice/port jacking’). So, when you’re at an airport do not plug your phone directly into a USB port. Bring your TSA-compliant power brick or battery pack and plug in there.”

The TSA is well-intentioned, but behind the times. The FBI’s Denver office tweeted about this threat back in 2023, and the LA County District Attorney’s office posted about it in 2019.

Researchers have highlighted the threat since at least 2011, when the Defcon conference installed public charging stations that would flash a warning message on peoples’ phones. Since then, others have presented on the possible risks, and enterprising tinkerers have released malicious cables that take control of devices when plugged into them.

**Have any juicers actually been jacked?**

The FCC, which has had an advice page about this issue since 2019, said two years ago that it hadn’t found any real-world attacks, and Malwarebytes hasn’t found any since.

However, the lack of publicly documented attacks doesn’t mean that juice jacking isn’t a risk. It’s theoretically feasible. So how can you prevent against it?

Both Apple and Google have updated their operating systems to require more robust authentication than simply pressing a button when a connected USB device asks to take over your phone. However, not all iPhone users will necessarily update their devices. Android-based smartphone vendors get to implement their own versions of the operating system on their own schedule, and many take a long time to roll out new protections if they do so at all.

One way to be sure that your phone won’t get hijacked by a malicious charging station is to use a USB cable that has the data communication pins disconnected, meaning that a malicious charging port can’t talk to your phone. However, the Ars article warns that this might also interfere with the charging process on some phones.

One alternative is to power down your phone before plugging it in. Or take your own portable charging battery with you and skip the ports altogether.

**Oh, and don’t use public Wi-Fi, says TSA**

On another note, the TSA Facebook post also offered another piece of advice: “Don’t use free public WiFi, especially if you’re planning to make any online purchases,” it warned. “Do not ever enter any sensitive info while using unsecure WiFi \[sic\].”

This advice has merit. Attackers can snoop on public Wi-Fi connections, although the advancement of HTTPS on websites mean this is less of a risk nowadays for everyday browsing. However, if you’re doing anything of a sensitive nature, such as online banking, you can use a VPN to encrypt your traffic.

A simple alternative is to simply use cellular data instead, tethering your phone if you’re using a tablet or PC.

Which of these anti-juice-hacking and Wi-Fi snooping protections should you choose? As with all cybersecurity decisions, this is a question of how much risk you’re prepared to tolerate. Personally, I err on the side of caution. A little inconvenience now could save you significant trouble later.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Juice jacking warnings are back, with a new twist 

SilverRAT Source Code leaked on GitHub, exposing powerful malware tools for remote access, password theft, and crypto attacks before removal.

The full source code of SilverRAT, a notorious remote access trojan (RAT), has been leaked online briefly appearing on GitHub under the repository “SilverRAT-FULL-Source-Code” before being swiftly taken down.

A snapshot of the repository, captured by Hackread.com via the Wayback Machine, reveals the entire project, its features, build instructions, and even a flashy marketing-style dashboard screenshot.

Screenshot from the now deleted GitHub post (Image credit: Hackread.com)

****What Is SilverRAT?****

SilverRAT is a remote access trojan developed in C#, first surfacing in late 2023. It was attributed to a group known as **Anonymous Arabic**, believed to operate out of Syria. This tool gives attackers control over infected Windows systems, offering a range of malicious capabilities.

Researchers who have analyzed SilverRAT say it has become popular in underground forums, where it’s offered as malware-as-a-service (MaaS). Its feature set includes:

*   Cryptocurrency wallet monitoring
*   Hidden applications and processes
*   Data exfiltration through Discord webhooks
*   Exploit builders for Word, Excel, VBScript, and JavaScript files
*   Antivirus bypass and binder functions to bundle multiple payloads
*   Hidden RDP and VNC sessions (allowing attackers to take over a system invisibly)
*   Password stealing from browsers, apps, games, bank cards, Wi-Fi, and system credentials

The malware’s design and use of Arabic-language components suggest its roots lie in the Middle East, though it’s been observed in campaigns targeting victims globally. The developer behind SilverRAT has been identified as noradlb1, publicly known as MonsterMC.

****Details of the Source Code Leak****

The leaked GitHub repository, posted by a user named Jantonzz, claimed to share the “latest version” of SilverRAT. The project included Visual Studio solution files, build instructions, and code modules that could be easily compiled by anyone with basic .NET knowledge.

The repository description boasted that the RAT is “provided for learning and experimentation purposes only,” though the long list of weaponized features leaves little doubt about its real-world criminal applications. It even promised a “Private Stub,” a customized, fully undetectable (FUD) version that would supposedly be delivered by email within two days.

Within hours, GitHub took down the repository, likely in response to reports or automatic detection of malware content. However, the brief window of public access was enough for the snapshot to be archived and circulated in security research circles.

As of now, the repository has been removed from GitHub, but the archived snapshot (attached below) shows its full content, including the dashboard image, build files, and README instructions:

Screenshot from the now deleted GitHub post (Image credit: Hackread.com)

****Legitimacy and Consequences****

While leaked malware source code often comes with a disclaimer of being “for educational purposes,” the reality is that these leaks can boost cybercrime. With SilverRAT now available to the public, even low-level cybercriminals without programming skills can compile their own copies, modify the malware, or create new variants.

Given that the original developer is believed to have connections to Arabic-speaking cybercrime groups, this leak could expand the malware’s reach to new regions and actors.

****Apparently Not the First Time****

While researching SilverRAT, we found that its source code has also been sold on the notorious Russian cybercrime forum XSS. In a February 2025 post, a seller was offering the full source code for just $100.

SilverRAT Source Code Leaked Online: Here’s What You Need to Know

An arson attack in Colorado had detectives stumped. The way they solved the case could put everyone at risk.

3 Teens Almost Got Away With Murder. Then Police Found Their Google Searches

View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: ECOVACS
Equipment: DEEBOT Vacuum and Base Station
Vulnerabilities: Use of Hard-coded Cryptographic Key, Download of Code Without Integrity Check
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to send malicious updates to the devices or execute code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
ECOVACS reports the following DEEBOT vacuum and base station devices are affected:
X1S PRO: Versions prior to 2.5.38
X1 PRO OMNI: Versions prior to 2.5.38
X1 OMNI: Versions prior to 2.4.45
X1 TURBO: Versions prior to 2.4.45
T10 Series: Versions prior to 1.11.0
T20 Series: Versions prior to 1.25.0
T30 Series: Versions prior to 1.100.0
3.2 VULNERABILITY OVERVIEW
3.2.1 Use of Hard-coded Cryptographic Key CWE-321
ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK. The key can be easily derived from the device serial number.
CVE-2025-30198 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2025-30198. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).
3.2.2 Download of Code Without Integrity Check CWE-494
ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to base station via insecure connection between robot and base station.
CVE-2025-30199 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-30199. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.3 Use of Hard-coded Cryptographic Key CWE-321
ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived from the device serial number.
CVE-2025-30200 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2025-30200. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: China
3.4 RESEARCHER
Dennis Giese, Braelynn Luedtke, and Chris Anderson reported these vulnerabilities to ECOVACS.
4. MITIGATIONS
ECOVACS has released software updates for the X1S PRO and X1 PRO OMNI. The remaining affected products will have updates available by May 31, 2025. Devices that support automatic updates will receive system update notifications. ECOVACS has proactively pushed the update to users, ensuring all users will be covered by May 31st. Users can complete the fix by performing the system update.
For more information, see ECOVACS security advisory.
Users can contact ECOVACS using information provided on their website.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
May 15, 2025: Initial Publication

ECOVACS DEEBOT Vacuum and Base Station

Cybersecurity researchers have disclosed a series of now-patched security vulnerabilities in Apple's AirPlay protocol that, if successfully exploited, could enable an attacker to take over susceptible devices supporting the proprietary wireless technology.
The shortcomings have been collectively codenamed AirBorne by Israeli cybersecurity company Oligo.
"These vulnerabilities can be chained by

Wormable AirPlay Flaws Enable Zero-Click RCE on Apple Devices via Public Wi-Fi

Oligo Security uncovers “AirBorne,” a set of 23 vulnerabilities in Apple AirPlay affecting billions of devices. Learn how…

Oligo Security uncovers “AirBorne,” a set of 23 vulnerabilities in Apple AirPlay affecting billions of devices. Learn how these flaws enable remote control (RCE) and data theft on iPhones, Macs, CarPlay, and more.

Cybersecurity firm Oligo has revealed major vulnerabilities, dubbed AirBorne, in Apple’s AirPlay, a wireless system used by iPhones, iPads, Macs, and third-party devices for audio and video streaming. These flaws in Apple’s AirPlay software tools for other companies could let hackers take control of devices on the same Wi-Fi network.

Apple has released updates for its devices and provided fixes to third-party makers, urging users to update. However, not all companies update quickly. Oligo identified 23 vulnerabilities, leading to 17 security identifiers (CVEs), that could enable various attacks, including taking complete control of a device without user interaction (Zero-Click RCE), reading any file (Local Arbitrary File Read), stealing private information, and intercepting communications. Attackers could combine these to fully control devices.

Two key vulnerabilities (CVE-2025-24252 and CVE-2025-24132) could allow wormable attacks, spreading harmful software automatically across networks. This could lead to serious issues like spying and ransomware. Millions of Apple devices and third-party AirPlay devices, including those in cars (CarPlay), are potentially affected.

Oligo demonstrated Zero-Click RCE on macOS (CVE-2025-24252) under certain network settings, potentially allowing malware to spread. They also found One-Click RCE on macOS (CVE-2025-24271) under different settings. Speakers and receivers using AirPlay SDK are vulnerable to Zero-Click RCE (CVE-2025-24132), allowing eavesdropping. CarPlay devices are also at risk of RCE, which could distract drivers or enable tracking.

Oligo’s research found that many basic AirPlay commands were accessible without strong security. The vulnerabilities often relate to how the AirPlay software handles data in a format called “plist.”

For your information, plist is AirPlay’s system that combines HTTP and RTSP protocols to communicate over port 7000. Commands, particularly those with extra information, are sent as HTTP data in plist format.

Oligo gave one example of a type of confusion vulnerability (CVE-2025-24129) that happens because the AirPlay software doesn’t properly check the type of data it receives in a plist. If it expects a list of items but gets something else, it can cause the program to crash.

Crashing a device’s AirPlay could allow attackers to intercept communications. For example, crashing the AirPlay server on a device could allow an attacker to pretend to be that device on the network and intercept communications. They gave a scenario where an attacker could crash a TV’s AirPlay, fake its identity, and then record a meeting being streamed to it, researchers noted.

Oligo’s in-depth technical report published on April 29, 2025, urges users and organizations to immediately update all Apple and third-party AirPlay devices to the latest software. They also suggest disabling AirPlay when not in use and limiting AirPlay access on networks.

In a comment to Hackread.com, cybersecurity expert and Head of Business Product at NordPass, Karolis Arbaciauskas stated that “Many third-party AirPlay devices don’t get timely updates like Apple’s, so vulnerabilities may remain. To exploit them, an attacker needs access to your Wi-Fi, so secure your router with updates and a strong password.”

“Factory-set passwords are often weak, so always change them. Use at least eight random characters with numbers and symbols, and consider a password manager to make this easier,” Karolis advised. “Avoid using AirPlay on public Wi-Fi, which is often insecure. If possible, use your phone’s hotspot instead, or at least avoid open networks and use a VPN.”

Tag

#wifi