Warspying San Francisco

'We kind of look at this as useless, recreational fun'

  • alert
  • submit to reddit

5 things you didn’t know about cloud backup

Striding through San Francisco's busy financial district after dusk, 20-year-old Jake Appelbaum is an odd sight. His left hand is clutching the handle of a two-foot-long fiberglass pole wrapped in a metal spiral, which he holds high like a lance. The device is a directional antenna: a thin cable hangs between it and what looks like a handheld TV in Appelbaum's other hand.

As he walks, Appelbaum studies the fluttering static on the receiver's LCD screen while rapidly thumb-clicking a button below it, occasionally glancing up to avoid slamming into other pedestrians on the sidewalk -- most of whom stare as he passes. "You get the Playboy Channel on that?," one asks.

He doesn't. But at the corner of Mason and Post a clear black-and-white image flickers onto the 2.5 inch screen. It's the interior of an office: a clock and a piece of art can be seen above a desk cluttered with stacks of books. The view is angled sidewise and up towards a drop ceiling, and is partly obscured, giving the video feed a decidedly covert look. Watching the display, Appelbaum sweeps the antenna slowly, left to right, up and down, dowsing for the source of the signal, which seems to be emanating from an upper floor of a hotel. "That's a hidden camera right there," he says, with perhaps more confidence than is due.

Applebaum is part of an informal three-person "warspying" expedition out to peek in on San Francisco's wireless cameras, and the image of the empty office is one of the more interesting finds of the evening.

A 2002 New York Times article first brought to light how easily outsiders could intercept the video from the inexpensive cameras sold by Seattle-based X10 Wireless Technology (once very familiar to netizens from a steady barrage of pop-up ads around the Web) using nothing more than the receivers sold with the cameras. Later that year, a how-to in 2600 magazine coined the phrase "warspying" to describe the sport of driving or walking around to sniff out wireless video signals from X10s and other cameras that share the unlicensed 2.4GHz band.

The sport generally involves hacking up a standard 2.4GHz video receiver, equipping it with an external antenna connector, a long-lasting power supply and possibly an amplifier to boost its range. Hobbyists with more cash than soldering skills can spring for a $400 Icom IC-R3 scanner, capable of picking up wireless video signals and displaying them on a built-in two-inch LCD screen. "Experimenting with wireless video opens a whole new world for monitoring, whether for fun or security," reads the Icom webpage.

"I have no doubt that there?s people out there doing it right now," says Simon Byers, a researcher at AT&T Labs. "It?s so easy, and it?s highly entertaining. Just look at the amount of people being arrested for being peeping Toms each year, and all the psuedeo-voyeur type porn out there. I have no doubt that it?s going on to a certain degree."

But just what are the video sniffers picking up? If the San Francisco expedition late last week is any indication, the answer is, not all that much.

The outing was organized by a 60-year-old techie and ham radio operator who asked to be identified only by his online moniker, "Massive White Dude." MWD first went warspying (he prefers the neutral term "warviewing") a year ago, and he experimented with a couple of different receivers and antennas to discover what he says is the best combination for the job. His receiver of choice is the Action ACN-53292, a sleek handheld unit sold as part of a system designed to let you retransmit your favorite cable TV shows and watch from anywhere in the house. The Action receiver doesn't scan through the video channels automatically (hence the need for vigorous button-pushing), but it sports a color LCD display, accepts an external antenna, and through an undocumented feature can tap four extra video channels that a standard X10 receiver misses. MWD found it in an airline catalog.

"We kind of look at this as useless, recreational fun," he says, demonstrating the gear near a video hotspot he's already charted in the Potrero Hill district. There, images from two cameras fighting over the same frequency are grainy and dark. He gets better results a few blocks away, where he taps the signal from a pole-mounted freeway cam pointed at the San Francisco skyline. From near the highway he can see what the camera sees, in color, on his little Action receiver.

Geek Appeal

Once the expedition moves into uncharted territory, though, results become more rare. With Applebaum and another young hacker handling the equipment in the backseat, it takes half-an-hour of driving around in MWD's Volvo before the crew gets another hit near a city hospital. The screen shows a car pulling into a parking lot, the driver in a close-up reaching out to pluck a ticket from the dispenser.

Out of the Volvo and on foot with the directional antenna, MWD and his apprentices zero in on the camera: it's at the entrance to the hospital's visitor lot -- a sign beneath the tinted dome warns that the area is under video surveillance. Thumbing though the other channels, the trio finds a view from a second camera, peering down from the ceiling of the parking attendant's booth. On screen, the attendant organizes some papers, steps to the other side of the booth and leans to the window to speak with a driver-unaware, presumably, that the ragtag clutch of strangers huddled across the street have a bird's-eye view of him.

This kind of snooping doesn't violate federal wiretap laws, which generally protect audio communication, but not video, says Joseph Metcalf, an assistant professor at the University of Oregon law school. Moreover, the law keeps it legal to monitor radio transmissions that aren't encrypted or scrambled in any way, unless they're in a band specifically protected by statute, like analog cell phone signals. "If a communication is readily accessible to the general public, that communication is not protected by the federal Wiretap Act," says Metcalf.

But MWD doesn't relish trying to explain that to the San Francisco Police Department. Even when he's not warviewing, he keeps a police scanner running in his car, to "keep an ear on the pulse on the city," and tonight it provides some comfort by not squawking out calls about strange men carrying alien-looking ray gun equipment, or driving slowly and suspiciously though the city's varied neighborhoods in an ominous black '64 Volvo.

After the hospital parking lot, San Francisco's airwaves yield nothing through nearly two hours of driving and button-pushing. A cruise through family-friendly Noe Valley fails to produce a single wireless nanny-cam. The county jail, city hall, the library-- zip. Finally, in a gritty neighborhood of warehouses and adult video stores, MWD's gang starts sniffing out cameras again: finding signals from the car, then parking and closing in on foot. At a small grocery store, a tiny black X10 is mounted atop a hanging florescent light and pointed at the door. Outside an apartment building, a color image from a security camera shows an empty hall.

A few other cameras pop up, but nothing exciting -- until the financial district, where on the same block as the office cam, MWD's receiver picks up the very freeway camera that marked the start of the expedition. The camera is more than two miles away, while most wireless video cameras have trouble reaching the curb. The appearance of the signal so far from its source energizes the team. "That's definitely the catch of the night there," says MWD.

With a little detective work, MWD will eventually discover that the signal is a directional transmission from the camera to a local TV station that features the feed on its website and in its nightly newscast. His satisfaction at the discovery hints at the real nature of warspying: at least for WMD, the appeal isn't voyeuristic at all -- it's pure geek.

The stroll through the financial district ends when Appelbaum notices a police car driving by a little too slowly as he waves the giant antenna around. The gang piles into the Volvo and heads out. "The problem is, if the cops take an interest in you while you're doing something like this, the only way to get out of the situation is to admit that you're a dork," says MWD. "I'd almost rather be taken back to the station."

Copyright © 2004, 0

Secure remote control for conventional and virtual desktops

More from The Register

next story
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story


Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.