Feeds

Warspying San Francisco

'We kind of look at this as useless, recreational fun'

  • alert
  • submit to reddit

Protecting against web application threats using SSL

Striding through San Francisco's busy financial district after dusk, 20-year-old Jake Appelbaum is an odd sight. His left hand is clutching the handle of a two-foot-long fiberglass pole wrapped in a metal spiral, which he holds high like a lance. The device is a directional antenna: a thin cable hangs between it and what looks like a handheld TV in Appelbaum's other hand.

As he walks, Appelbaum studies the fluttering static on the receiver's LCD screen while rapidly thumb-clicking a button below it, occasionally glancing up to avoid slamming into other pedestrians on the sidewalk -- most of whom stare as he passes. "You get the Playboy Channel on that?," one asks.

He doesn't. But at the corner of Mason and Post a clear black-and-white image flickers onto the 2.5 inch screen. It's the interior of an office: a clock and a piece of art can be seen above a desk cluttered with stacks of books. The view is angled sidewise and up towards a drop ceiling, and is partly obscured, giving the video feed a decidedly covert look. Watching the display, Appelbaum sweeps the antenna slowly, left to right, up and down, dowsing for the source of the signal, which seems to be emanating from an upper floor of a hotel. "That's a hidden camera right there," he says, with perhaps more confidence than is due.

Applebaum is part of an informal three-person "warspying" expedition out to peek in on San Francisco's wireless cameras, and the image of the empty office is one of the more interesting finds of the evening.

A 2002 New York Times article first brought to light how easily outsiders could intercept the video from the inexpensive cameras sold by Seattle-based X10 Wireless Technology (once very familiar to netizens from a steady barrage of pop-up ads around the Web) using nothing more than the receivers sold with the cameras. Later that year, a how-to in 2600 magazine coined the phrase "warspying" to describe the sport of driving or walking around to sniff out wireless video signals from X10s and other cameras that share the unlicensed 2.4GHz band.

The sport generally involves hacking up a standard 2.4GHz video receiver, equipping it with an external antenna connector, a long-lasting power supply and possibly an amplifier to boost its range. Hobbyists with more cash than soldering skills can spring for a $400 Icom IC-R3 scanner, capable of picking up wireless video signals and displaying them on a built-in two-inch LCD screen. "Experimenting with wireless video opens a whole new world for monitoring, whether for fun or security," reads the Icom webpage.

"I have no doubt that there?s people out there doing it right now," says Simon Byers, a researcher at AT&T Labs. "It?s so easy, and it?s highly entertaining. Just look at the amount of people being arrested for being peeping Toms each year, and all the psuedeo-voyeur type porn out there. I have no doubt that it?s going on to a certain degree."

But just what are the video sniffers picking up? If the San Francisco expedition late last week is any indication, the answer is, not all that much.

The outing was organized by a 60-year-old techie and ham radio operator who asked to be identified only by his online moniker, "Massive White Dude." MWD first went warspying (he prefers the neutral term "warviewing") a year ago, and he experimented with a couple of different receivers and antennas to discover what he says is the best combination for the job. His receiver of choice is the Action ACN-53292, a sleek handheld unit sold as part of a system designed to let you retransmit your favorite cable TV shows and watch from anywhere in the house. The Action receiver doesn't scan through the video channels automatically (hence the need for vigorous button-pushing), but it sports a color LCD display, accepts an external antenna, and through an undocumented feature can tap four extra video channels that a standard X10 receiver misses. MWD found it in an airline catalog.

"We kind of look at this as useless, recreational fun," he says, demonstrating the gear near a video hotspot he's already charted in the Potrero Hill district. There, images from two cameras fighting over the same frequency are grainy and dark. He gets better results a few blocks away, where he taps the signal from a pole-mounted freeway cam pointed at the San Francisco skyline. From near the highway he can see what the camera sees, in color, on his little Action receiver.

Geek Appeal

Once the expedition moves into uncharted territory, though, results become more rare. With Applebaum and another young hacker handling the equipment in the backseat, it takes half-an-hour of driving around in MWD's Volvo before the crew gets another hit near a city hospital. The screen shows a car pulling into a parking lot, the driver in a close-up reaching out to pluck a ticket from the dispenser.

Out of the Volvo and on foot with the directional antenna, MWD and his apprentices zero in on the camera: it's at the entrance to the hospital's visitor lot -- a sign beneath the tinted dome warns that the area is under video surveillance. Thumbing though the other channels, the trio finds a view from a second camera, peering down from the ceiling of the parking attendant's booth. On screen, the attendant organizes some papers, steps to the other side of the booth and leans to the window to speak with a driver-unaware, presumably, that the ragtag clutch of strangers huddled across the street have a bird's-eye view of him.

This kind of snooping doesn't violate federal wiretap laws, which generally protect audio communication, but not video, says Joseph Metcalf, an assistant professor at the University of Oregon law school. Moreover, the law keeps it legal to monitor radio transmissions that aren't encrypted or scrambled in any way, unless they're in a band specifically protected by statute, like analog cell phone signals. "If a communication is readily accessible to the general public, that communication is not protected by the federal Wiretap Act," says Metcalf.

But MWD doesn't relish trying to explain that to the San Francisco Police Department. Even when he's not warviewing, he keeps a police scanner running in his car, to "keep an ear on the pulse on the city," and tonight it provides some comfort by not squawking out calls about strange men carrying alien-looking ray gun equipment, or driving slowly and suspiciously though the city's varied neighborhoods in an ominous black '64 Volvo.

After the hospital parking lot, San Francisco's airwaves yield nothing through nearly two hours of driving and button-pushing. A cruise through family-friendly Noe Valley fails to produce a single wireless nanny-cam. The county jail, city hall, the library-- zip. Finally, in a gritty neighborhood of warehouses and adult video stores, MWD's gang starts sniffing out cameras again: finding signals from the car, then parking and closing in on foot. At a small grocery store, a tiny black X10 is mounted atop a hanging florescent light and pointed at the door. Outside an apartment building, a color image from a security camera shows an empty hall.

A few other cameras pop up, but nothing exciting -- until the financial district, where on the same block as the office cam, MWD's receiver picks up the very freeway camera that marked the start of the expedition. The camera is more than two miles away, while most wireless video cameras have trouble reaching the curb. The appearance of the signal so far from its source energizes the team. "That's definitely the catch of the night there," says MWD.

With a little detective work, MWD will eventually discover that the signal is a directional transmission from the camera to a local TV station that features the feed on its website and in its nightly newscast. His satisfaction at the discovery hints at the real nature of warspying: at least for WMD, the appeal isn't voyeuristic at all -- it's pure geek.

The stroll through the financial district ends when Appelbaum notices a police car driving by a little too slowly as he waves the giant antenna around. The gang piles into the Volvo and heads out. "The problem is, if the cops take an interest in you while you're doing something like this, the only way to get out of the situation is to admit that you're a dork," says MWD. "I'd almost rather be taken back to the station."

Copyright © 2004, 0

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.