Feeds

Warspying San Francisco

'We kind of look at this as useless, recreational fun'

  • alert
  • submit to reddit

The Essential Guide to IT Transformation

Striding through San Francisco's busy financial district after dusk, 20-year-old Jake Appelbaum is an odd sight. His left hand is clutching the handle of a two-foot-long fiberglass pole wrapped in a metal spiral, which he holds high like a lance. The device is a directional antenna: a thin cable hangs between it and what looks like a handheld TV in Appelbaum's other hand.

As he walks, Appelbaum studies the fluttering static on the receiver's LCD screen while rapidly thumb-clicking a button below it, occasionally glancing up to avoid slamming into other pedestrians on the sidewalk -- most of whom stare as he passes. "You get the Playboy Channel on that?," one asks.

He doesn't. But at the corner of Mason and Post a clear black-and-white image flickers onto the 2.5 inch screen. It's the interior of an office: a clock and a piece of art can be seen above a desk cluttered with stacks of books. The view is angled sidewise and up towards a drop ceiling, and is partly obscured, giving the video feed a decidedly covert look. Watching the display, Appelbaum sweeps the antenna slowly, left to right, up and down, dowsing for the source of the signal, which seems to be emanating from an upper floor of a hotel. "That's a hidden camera right there," he says, with perhaps more confidence than is due.

Applebaum is part of an informal three-person "warspying" expedition out to peek in on San Francisco's wireless cameras, and the image of the empty office is one of the more interesting finds of the evening.

A 2002 New York Times article first brought to light how easily outsiders could intercept the video from the inexpensive cameras sold by Seattle-based X10 Wireless Technology (once very familiar to netizens from a steady barrage of pop-up ads around the Web) using nothing more than the receivers sold with the cameras. Later that year, a how-to in 2600 magazine coined the phrase "warspying" to describe the sport of driving or walking around to sniff out wireless video signals from X10s and other cameras that share the unlicensed 2.4GHz band.

The sport generally involves hacking up a standard 2.4GHz video receiver, equipping it with an external antenna connector, a long-lasting power supply and possibly an amplifier to boost its range. Hobbyists with more cash than soldering skills can spring for a $400 Icom IC-R3 scanner, capable of picking up wireless video signals and displaying them on a built-in two-inch LCD screen. "Experimenting with wireless video opens a whole new world for monitoring, whether for fun or security," reads the Icom webpage.

"I have no doubt that there?s people out there doing it right now," says Simon Byers, a researcher at AT&T Labs. "It?s so easy, and it?s highly entertaining. Just look at the amount of people being arrested for being peeping Toms each year, and all the psuedeo-voyeur type porn out there. I have no doubt that it?s going on to a certain degree."

But just what are the video sniffers picking up? If the San Francisco expedition late last week is any indication, the answer is, not all that much.

The outing was organized by a 60-year-old techie and ham radio operator who asked to be identified only by his online moniker, "Massive White Dude." MWD first went warspying (he prefers the neutral term "warviewing") a year ago, and he experimented with a couple of different receivers and antennas to discover what he says is the best combination for the job. His receiver of choice is the Action ACN-53292, a sleek handheld unit sold as part of a system designed to let you retransmit your favorite cable TV shows and watch from anywhere in the house. The Action receiver doesn't scan through the video channels automatically (hence the need for vigorous button-pushing), but it sports a color LCD display, accepts an external antenna, and through an undocumented feature can tap four extra video channels that a standard X10 receiver misses. MWD found it in an airline catalog.

"We kind of look at this as useless, recreational fun," he says, demonstrating the gear near a video hotspot he's already charted in the Potrero Hill district. There, images from two cameras fighting over the same frequency are grainy and dark. He gets better results a few blocks away, where he taps the signal from a pole-mounted freeway cam pointed at the San Francisco skyline. From near the highway he can see what the camera sees, in color, on his little Action receiver.

Geek Appeal

Once the expedition moves into uncharted territory, though, results become more rare. With Applebaum and another young hacker handling the equipment in the backseat, it takes half-an-hour of driving around in MWD's Volvo before the crew gets another hit near a city hospital. The screen shows a car pulling into a parking lot, the driver in a close-up reaching out to pluck a ticket from the dispenser.

Out of the Volvo and on foot with the directional antenna, MWD and his apprentices zero in on the camera: it's at the entrance to the hospital's visitor lot -- a sign beneath the tinted dome warns that the area is under video surveillance. Thumbing though the other channels, the trio finds a view from a second camera, peering down from the ceiling of the parking attendant's booth. On screen, the attendant organizes some papers, steps to the other side of the booth and leans to the window to speak with a driver-unaware, presumably, that the ragtag clutch of strangers huddled across the street have a bird's-eye view of him.

This kind of snooping doesn't violate federal wiretap laws, which generally protect audio communication, but not video, says Joseph Metcalf, an assistant professor at the University of Oregon law school. Moreover, the law keeps it legal to monitor radio transmissions that aren't encrypted or scrambled in any way, unless they're in a band specifically protected by statute, like analog cell phone signals. "If a communication is readily accessible to the general public, that communication is not protected by the federal Wiretap Act," says Metcalf.

But MWD doesn't relish trying to explain that to the San Francisco Police Department. Even when he's not warviewing, he keeps a police scanner running in his car, to "keep an ear on the pulse on the city," and tonight it provides some comfort by not squawking out calls about strange men carrying alien-looking ray gun equipment, or driving slowly and suspiciously though the city's varied neighborhoods in an ominous black '64 Volvo.

After the hospital parking lot, San Francisco's airwaves yield nothing through nearly two hours of driving and button-pushing. A cruise through family-friendly Noe Valley fails to produce a single wireless nanny-cam. The county jail, city hall, the library-- zip. Finally, in a gritty neighborhood of warehouses and adult video stores, MWD's gang starts sniffing out cameras again: finding signals from the car, then parking and closing in on foot. At a small grocery store, a tiny black X10 is mounted atop a hanging florescent light and pointed at the door. Outside an apartment building, a color image from a security camera shows an empty hall.

A few other cameras pop up, but nothing exciting -- until the financial district, where on the same block as the office cam, MWD's receiver picks up the very freeway camera that marked the start of the expedition. The camera is more than two miles away, while most wireless video cameras have trouble reaching the curb. The appearance of the signal so far from its source energizes the team. "That's definitely the catch of the night there," says MWD.

With a little detective work, MWD will eventually discover that the signal is a directional transmission from the camera to a local TV station that features the feed on its website and in its nightly newscast. His satisfaction at the discovery hints at the real nature of warspying: at least for WMD, the appeal isn't voyeuristic at all -- it's pure geek.

The stroll through the financial district ends when Appelbaum notices a police car driving by a little too slowly as he waves the giant antenna around. The gang piles into the Volvo and heads out. "The problem is, if the cops take an interest in you while you're doing something like this, the only way to get out of the situation is to admit that you're a dork," says MWD. "I'd almost rather be taken back to the station."

Copyright © 2004, 0

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.