As the field of open source investigation matures, the number of tools developed for OSINT and by OSINT has grown with it. But relying only on those tools can be limiting. This piece offers a few examples of open source hacking: the practice of repurposing a piece of technology made by governments or private companies, often in a fashion far from its intended purpose.
by Tyler McBrien
Introduction: The Whataburger Workaround
In July 2024, Hurricane Beryl bore down on the Southern state of Texas, slamming into Houston and surrounding areas. The immediate aftermath of the powerful storm left more than 2.2 million customers of CenterPoint Energy, a private utility that provides electricity to several states, without power—including nearby Tomball resident Bryan Norton.
In many ways, Norton wasn’t so bad off. Though he had no power, Norton wasn’t exactly powerless. A lifetime of unpredictable Texas weather had taught him that preparation is a virtue and creativity is not only reserved for the arts. His backup gas generator and propane stoves kept him humming along through the worst of it, but he couldn’t help but worry about his neighbors and the rest of his community. "Who else was without power?" he wondered. "Just how far did the power outage stretch?"
With the wifi down, Norton used cellular data to navigate to CenterPoint’s website. The private utility only listed the number of homes affected, but not the geographic distribution. Discouraged and hungry, he did what any sensible Texan looking to clear his head with a hot meal would do: he fired up the app for Whataburger, a fast food restaurant chain with a cult following across much of the Southern and Southwestern United States.
Luckily, Norton saw that his local branch was open. Since the beloved burger joint is open 24 hours a day, he figured the restaurant had been spared the outage. But as he kept zooming out, a map of Houston appeared, dotted with Whataburger icons, some indicating open and some closed. Surveying the orange and gray pins, he quickly realized the map could serve as a rough approximation of power outages across the city.
“This is pretty darn cool,” Norton thought to himself, and took to Twitter to alert his fellow Houstonians. “The Whataburger app works as a power outage tracker, handy since the electric company doesn't show a map,” he tweeted from his handle @BBQBryan, along with a screenshot.
Screenshot of Whataburger app, posted by Bryan Norton on July 8, 2024 (archived here: https://archive.ph/nrmy8)
Messages of appreciation flooded in. Someone thanked him in the replies, dubbing it the “Whataburger Workaround.”
Local news outlets also took notice of this feel-good story amid the hurricane’s devastating effects. With a little technical know-how, and a lot of creativity, Norton’s story seemed to say: people find a way. But the sunny story of citizen ingenuity and the absurdity of using a burger chain's map to navigate a devastating hurricane almost distracted from the fact that CenterPoint, and to a lesser extent the government, had literally left Norton and his neighbors in the dark, without electricity or information.
Though he may not have known it at the time, Norton was open source “hacking”: the practice of repurposing technologies or tools to suit one's own needs, often in a fashion far from their intended purpose. Open source hacking boils down to a mindset rather than a toolkit. The idea is simple: information is almost always available, that is, if you know where to look. It’s a scrappy, DIY world, one that reclaims the internet’s lost promise of democratizing information and offers lessons for investigators everywhere.
As Brian Nguyen, open source investigations training manager at the University of California, Berkeley’s Human Rights Center, told me in an OSINT 101 course, “There are many ways up the mountain.” Below are just a few examples of investigators, journalists, citizens, and others who, like Norton, found a new way up the mountain when other paths appeared blocked.
As the OSINT field has grown and matured, the number of tools specifically developed for open source investigation has grown with it. But each one has its own strengths and weaknesses, and only focusing on tools for OSINT and by OSINT limits the possibilities of investigation. There are countless apps and technologies developed for a specific purpose and audience, ranging from niche hobbyist communities to government agencies or commercial customers. But nothing is stopping you from using those apps for your own goal.
The Waffle House Index
Norton is far from the first person to engage in creative open source hacking. In fact, he’s not even the first to do so by exploiting technology made by a fast food restaurant chain.
Across the Southeastern United States, simple rectangular buildings with bright yellow and black signs reading “Waffle House” are ubiquitous. The roadside mainstay is known for low prices and a Southern delicacy called grits. And, much like Whataburger, Waffle House stays open 24 hours a day, 7 days a week—except in extreme circumstances. With tornadoes and hurricanes common in many areas where Waffle House operates, this commitment to staying open all the time requires sophisticated disaster preparedness systems. The company even maintains a storm center, and a map showing which restaurants are open and offering a full menu (in green), which locations are open but serving a limited menu (in yellow), and which locations had to shutter (in red).
A map of Waffle House locations in and around Fort Myers, FL in the aftermath of Hurricane Milton, posted by an official Waffle House social media account on October 9, 2024: https://x.com/WaffleHouse/status/1844033324483764556
The potential usefulness did not escape Craig Fugate, head of the U.S. Federal Emergency Management Agency (FEMA) from 2009 to 2017. “If you get there and the Waffle House is closed?” said Fugate, who coined the term Waffle House Index. “That's really bad. That's where you go to work.” Though not an official metric on which to base government emergency relief, Fugate looked to the Waffle House Index to get a quick snapshot after disaster strikes. The unorthodox, unofficial metric stuck, long after Fugate left FEMA. It has even seen adoption beyond the emergency response industry. Public health officials kept an eye on the Waffle House Index to track the spread of COVID-19, and some have recently suggested its use in monitoring bird flu.
Whether one uses fast food restaurant apps to track power outages, or global prices of a McDonald’s cheeseburger to compare the strength of currencies, the lesson to open source investigators is clear: if the government lacks the capacity or will to collect and share information, look to the private sector.
PeakVisor
Geolocation is often a foundational part of an investigation. Figuring out where and when a photo or video was taken can unlock a trove of information and corroborate other pieces of evidence. But digital media is often uploaded to the internet with its metadata stripped, leaving only visual clues to suggest a file’s provenance.
PeakVisor, an app “originally developed to help mountaineers and hikers orientate, navigate and share geographic information on their smartphones,” has emerged as a favorite tool among human rights researchers and other OSINT investigators trying to geolocate images or videos taken in rocky terrains. As a post on Bellingcat explains, there’s no Google Street View in many mountainous areas, and even Google Earth can have limited utility. But with PeakVisor, investigators can zero in on geographical and topographical features such as ridges and plateaus.
In 2021, five graphic videos showed up on a Telegram channel called “EthiopiaMap.” In them, Amharic-speaking soldiers in uniforms with Ethiopian flags appeared to execute a group of 25 to 30 people in civilian clothing. An investigation team from Bellingcat, Newsy, and BBC Africa Eye hypothesized that the videos were taken somewhere in Ethiopia’s Tigray Region, because a war between Ethiopia’s federal government and rebel forces raged there at the time. But Tigray is a large, semi-arid, and sparsely populated mountainous area with a small digital footprint, making geolocation with go-to tools like Google Earth 3-D challenging. With the aid of PeakVisor, however, the researchers were able to match a few features in the background of the videos, such as a gap in a ridgeline and mountain peaks in the distance, to a single remote cliff.
For more information on how to use PeakVisor, Bellingcat posted a video tutorial here.
Strava
Geolocating a person on the move can prove a much trickier endeavor than finding where an image or video was taken. Figuring out where a certain person was or is at any given time can be especially difficult in investigations targeting individuals or institutions trained at avoiding detection—such as militaries or government intelligence agencies.
Making an investigator’s job easier, however, is the ubiquity of personal devices constantly tracking their owners’ location, often without the owners’ knowledge. In 2017, the fitness tracking app Strava updated its global heat map of user activities, including running, cycling, and hiking. Strava’s popularity meant that these activities numbered over 1 billion, and soon certain patterns of activity began appearing on parts of the map that struck some investigators as peculiar. As WIRED reported, “Some Strava users appear to work for certain militaries or various intelligence agencies, given that knowledgeable security experts quickly connected the dots between user activity and the known bases or locations of US military or intelligence operations.” Security anxieties intensified when analysts suggested that the data could even reveal the names of Strava users.
The “patterns of life” and digital footprints revealed by personal tracking apps like Strava have given investigators insight into the whereabouts of notoriously opaque military and intelligence units. Adversarial nations have also taken notice. In 2023, the assassins who shot and killed a Russian general while he went on his daily jog may have used Strava to predict his whereabouts.
The chance of inadvertently revealing someone’s whereabouts diminishes greatly when apps only track geolocation data internally. But even these apps carry risk if data is hacked and leaked, which happened in 2022 with the Russian food delivery service Yandex. The massive leak revealed user emails, phone numbers, addresses, and orders made on the platform, which uncovered leads for investigations into everything from the whereabouts of Russian security agents to a corrupt apartment deal for Vladimir Putin’s “secret daughter.”
The Strava app’s privacy and security flaws make it particularly “useful” to journalists and OSINT investigators, who have used it numerous times to track the whereabouts of politicians and militaries. You can read more cases as well as tips for conducting investigations with similar apps in this article by journalist Santiago Villa.
Tinder
Few places seem harder to penetrate than the Guantánamo Bay detention camp, a symbol of illegal detention made possible by isolation and a total access blackout. The United States only let a UN investigator visit the camp in 2023, 21 years after it opened. But even black boxes have their vulnerabilities, if you know how to exploit them.
In 2015, Muira McCammon, then a graduate in comparative literature, wanted to explore how the recent arrival of cell service affected life at the naval base as part of a larger project to show Americans that Guantánamo Bay (also called “Gitmo”) was not “the legal equivalent of outer space,” as the Bush administration insisted, but rather a not-so-far-away place “connected by multiple fiber optic cables to the state of Florida.”
Over the course of five years, McCammon deployed different OSINT investigation methods “to explore the porousness of Gitmo and to follow the people who move through it.” Some methods will sound like standard fare for any investigator, including monitoring the official Twitter feeds of the base and the personal feeds of the twenty-something guards stationed there. McCammon also knew about the potential value of fitness trackers like Strava, but found “that Strava was just the tip of the iceberg.” As McCammon recalled, “I didn’t need to go to Gitmo to speak with personnel there; I could just turn on my phone” (source: "Zoomers Versus the National Security State", by Muira McCammon: https://logicmag.io/kids/zoomers-versus-the-national-security-state/).
But with something as secretive as Gitmo, McCammon found that even guards’ social media profiles on Facebook, YouTube, and Reddit had limited use. They were, in a word, guarded on these public platforms with the exception of one: a popular dating app called Tinder. In 2017, a newer premium feature allowed users to virtually geolocate themselves anywhere in the world, so McCammon made a profile and started swiping in Guantánamo Bay, Cuba—from the safety of her apartment in Massachusetts over 2,500 kilometers away. “Through swiping,” McCammon wrote, “I could ask these people what they saw on the ground, and I could do what I had largely been unable to do at Guantánamo—learn their names, gain records of their faces, outline their moral codes, inquire what the detention facilities represented to them.”
In an ironic illustration of the fact that almost anyone can use these apps for virtually any purpose, years later the U.S. military started swiping too. In August 2024, a journalist named Séamus Malekafzali opened Tinder in Lebanon. Instead of a dating profile, Malekafzali was greeted by an ad from the U.S. Central Command, which read in Arabic: “Do not take arms against the US and its partners,” that F-16s and A-10s are already prepared, and that the U.S. will “protect its partners in the face of threats from the Iranian regime and its agents.”
For another investigation using Tinder, read Follow the Money’s 2024 article “Looking for love and sex on Tinder, soldiers endanger national security.”
Venmo
In 2017, multimedia artist and technologist Hang Do Thi Duc launched “Public by Default”, a visual project and campaign based on an investigation into the personal data collection practices of the Venmo mobile payment app in the USA. The idea of the investigation emerged in 2015 when Hang — after becoming a Venmo user herself — realised that the app, which allows users to pay for their daily expenses while socially interacting with each other around their transactions, was displaying all these transactions in a real-time public feed on its website. This “public by default” feature of the users’ payments meant that anyone in the world could see who was paying for their meals, borrowing money, paying rents and much more.
After turning her transactions private by default, Hang started to dig into the app’s practices and the personal data it was exposing. Combining open source data (from the app users in this case), design, storytelling and advocacy, Hang’s investigation shows how anyone can research important issues related to social apps, what can be discovered using open-source tools and how to make such findings public in a responsible way. It’s also a great illustration of the investigative mindset involved in such projects. The methodology and challenges she faced during the process are outlined in this piece: "Extracting Information From Social Apps: A case of exposed financial data".
NASA’s Landsat and FIRMS
Citizens, investigators, and governments alike exploit commercial technologies from industries as diverse as fast food chains and dating apps. But open government systems are fair game too.
For investigators using remote sensing technologies for conflict monitoring or geolocation, the U.S. National Aeronautics and Space Administration (NASA) is an essential resource. As I’ve written about in Mother Jones, a team of researchers recently set out to build a case against the Israeli government for perpetrating the crime of apartheid in the West Bank. They set out to document how three hallmarks of apartheid—land dispossession, restriction of access, and forced displacement—have played out over decades. But then, as the war in Gaza intensified following the October 7 attacks and Israel’s response, the Israel Defense Forces (IDF) restricted access to the West Bank as well, making documentation difficult for the team. To make matters worse, additional restrictions, such as the Kyl-Bingaman Amendment, limited access to U.S. satellite imagery over Israel and the Occupied Palestinian Territories from 1997 until the law was repealed in 2020.
But the U.S. government didn’t restrict all historical remote sensing technology over the West Bank. Another NASA system, Landsat’s Normalized Difference Vegetation Index (NDVI), allowed the team to track differences in vegetation health and lushness in areas of the West Bank dating back to Landsat’s launch in 1975. Using the NDVI, the investigators documented how patches of olive groves transitioned to vineyards—a proxy for dispossession of Palestinian land.
In recent years, open source investigators have used another piece of NASA technology called the Fire Information for Resource Management System, or FIRMS. According to its website, FIRMS “enables access to global near real-time satellite imagery, active fire/hotspots, and related products to identify the location, extent, and intensity of wildfire activity” and provides “geospatial data, products, and services to support the broader fire management community and to inform the general public”—but that’s not exactly how the OSINT community uses it.
Following Russia’s full-scale invasion of Ukraine in 2022, analysts used FIRMS sensors to detect heat generated from missile launches, heavy artillery fighting, and other explosions typical of a battlefield in order to monitor the progress of front lines. FIRMS’ role in monitoring conflict and verifying claims made by warring parties dates back to at least 2020, when analysts used it in the Nagorno-Karabakh region on the border between Armenia and Azerbaijan, and 2021, in Bellingcat’s Tigray investigation. More information on the strengths and weaknesses of FIRMS and its applicability to open source investigations can be found here. OSINT investigators have similarly used other remote sensing technologies, such as seismometers originally designed to study earthquakes and other seismic activity, to monitor conflicts.
Credits and Licensing
- Author: Tyler McBrien
- Editorial support & copy-editing: Laura Ranca, Jasmine Erkan
- Illustration & design: Exposing the Invisible
CC BY-SA 4.0 - This article is published by Tactical Tech's Exposing the Invisible (ETI) project, and licensed under a Creative Commons Attribution-ShareAlike 4.0 International license
Contact us with questions or suggestions: eti-at-tacticaltech.org (GPG Key / fingerprint: BD30 C622 D030 FCF1 38EC C26D DD04 627E 1411 0C02).
About the author: Tyler McBrien is the managing editor of Lawfare. He has written for the New York Times, Washington Post, The Atlantic, Slate, Mother Jones, the New Republic, and more. Visit www.tylermcbrien.com to read his work or get in touch, and follow him on Bluesky (@tylermcbrien.com) or Twitter (@TylerMcBrien).
This content is part of the resources produced under the Collaborative and Investigative Journalism Initiative.
Disclaimer:
Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Education and Culture Executive Agency (EACEA). Neither the European Union nor EACEA can be held responsible for them.