Richard Steven Hack August 4, 2011 2:57 PM

Why not? The FBI and the military have spy planes. The cops have spy planes. Why can’t hackers have spy planes?

I want my own drone with spy gear on it – and maybe a couple Hellfire missiles as well. Shoot a few Hellfires around town, see how the civies like it when THEIR town looks like Pakistan or Yemen or Somalia or Iraq or Libya, i.e., blown up buildings and dead civilians who were guilty of nothing but being near a target of the CIA.

Speaking of aerial “war driving”, I recall reading some years back where someone flew over LA in a light plane and picked up quite a few signals. Seems the signals go UP pretty well since there’s nothing blocking them. They were able to pick up good signals despite staying above the minimum required flight altitude.

Has anyone done any WiFi ballooning?

jacob August 4, 2011 3:11 PM

Sorry, just meh. It is clever in execution but really to my way of thinking just mobilizing a hack that someone could do rather easily. @richard…ballooning, now that’s an idea. Amplified reception (pringles can?) and you could cover some cities, move direction of amp.

How about ham radio internet for the middle east? Low bandwidth. As long as you don’t encrypt the GOV should leave you alone. So no transactions. Encrypt it and I think you run afoul of laws dating back to WW1 if I remember correctly. Could that be free internet for everyone or a new tactic for AQ?..just joking I think. \m/

askme August 4, 2011 3:27 PM

I guess it is a hacker RC toy, but why a plane? I would have used one of the many cheaper RC blimps out there. much cheaper, quieter, no radar image, and can hang around unobtrusively in a target area for quite some time. I would imagine that spoofing a Cell tower or hacking a wifi signal is hard when you have to keep buzzing the target and circling.

With a blimp the cameras could come right to a highrise window for a peeping as well. Now I am remembering some 80’s movie.

Roy August 4, 2011 5:11 PM

Simpler still would be using a tethered helium balloon as a platform. Launch upwind of Wall Street and run it out with a fishing rod until the memory is probably full, then haul in the take.

jacob August 4, 2011 6:26 PM

@askme. Yep, just name it linksys and haul in the information…You could do a MIM attack even on secured wireless if done in a certain way..Thought provoking. Maybe put it up in a shopping center near starbucks or hotel. With the right logos, it probably wouldn’t even raise suspicions.

Referencing PLCs, Stuxnet worm, etc, drop a flashdrive in the parking lot of a correctional institution. hmm. People need to be more security aware and professionals need to explain better.

If someone can gain access, game over. Google and source code, Lockheed Martin, SecurID, etc. The government has been stepping up in the last 5 years, but are they hiring the right people and enough of them? Good question. I don’t know. I noted that anon and others were somewhat amateurs. The professionals don’t warn you or draw out the game. It may be a timely setup but the crime is a real snatch and grab, usually. Just my thoughts. FWIW.

Gabriel August 4, 2011 6:36 PM

@Richard: with all due respect, I would hope that should our land actually be invaded, our armed forces would have the dignity to fight with uniforms and not embed themselves among civilians. At least let the civilians leave the city. Last time something like that occurred, I don’t recall the navy and marines hiding amongst civilians at Pearl Harbor. Yes I understand the sentiments of not getting involved in other people’s shit, but I must say, I cannot ever shed a tear over the loathsome militants or insurgents we have encountered. Sometimes, one man’s freedom fighter is really just everyone’s terrorist. You didn’t see Washington using car bombs to blow up a few redcoats along with dozens of Americans. I doubt any militant in these areas would let the civilians get out. Hell, Gaddafi is deliberately slaughtering his people. So are the Syrians. They’re having a Hama II out there now. How many will Bashar kill? Will he outdo daddy’s 20000 dead? I am not justifying an intervention at this point, nor do I want us to further extend ourselves, but please at least recognize how loathsome many of these targets are.

tommy August 4, 2011 7:43 PM

Another reason why I don’t use cell phones for anything sensitive, and don’t use passwords that would be in a 340-million-word dictionary.

I expect they’ll get a richer haul from women sunbathing in the altogether in their fenced, presumably private, back yard, though I always pictured the NRO taking quick breaks to focus on such an acquired “target”.

Daniel August 4, 2011 8:48 PM

Honestly, it’s not impressive. I would like to see that airplane crack anything. There are two fundamental problems with mobile wi-fi cracking as any war driver knows. The first is battery power and the second is distance. Other than say a simple WEP hack the plane would crash and run out of juice before the hack was over. The second problem is that it would be next to impossible to get a clear wi-fi signal flying about unless that thing was buzzing 10 feet from someone’s window. Finally, and most importantly, even if you could run a crack unless you had information from other sources as to when the data you wanted to intercept was going to be transmitted you are back to a fuel/battery life problem.

Until you have actually tried to construct a battery pack to run a remote wifi intercept and dealt with all the logistics to place it, you don’t have a clue. There’s a reason that wifi pharming has never taken off. It’s a lot harder than it looks.

IMO this plane is nothing but a stupid gimmick.

JonS August 4, 2011 9:56 PM

“IMO this plane is nothing but a stupid gimmick.”

So were Trevithick’s steam locomotive, the Wright Flyer, and Arpanet. Until suddenly they weren’t stupid gimmicks anymore.

Technology always gets better, often after a kickstart provided by gimmicks.

Clive Robinson August 5, 2011 3:21 AM

First off a little bit of history.

Those living in the UK are aware of “Pirate Radio” in the early days it was MW transmitters by the likes of “Radio Caroline” on ships and hand built valve transmitters powered by 12V car batteries (and “rotary converters” to produce the high voltages) in fields by the likes of Radio Jackie.

What is not well known was the plans to put out “Pirate Television” from a second world war DC3. The plan was to put generators fuel and transmitter into the DC3 and two high gain antennas on the underneath of the DC3. The technical details were worked out in quite some detail and some equipment acquired, the only problem was actually the “video source” as the video tape units available at the time were too fragile.

More up to date is the NASA solar powered remotely operated plane designed to fly above the clouds where there is a reliable source of energy to keep it up for 24hours. It is also no secret that other “professional” UAV designers are looking at designing “solar powered gliders” to fly above the clouds to do elint activities, or to act as a “mid point” for controlling very long range drones.

Now some have mentioned “blimps” many of those we see used for advertising actually don’t generate much lift (helium has half the lift of hydrogen and is over five times the price) and as can be seen on even a mildly breezy day don’t offer a very stable platform because they have a large “sail area” to contend with.

However the amount of lift a blimp can offer goes up with the volume, but the weight and cost of the bladders and support structure goes up more in line with the surface area. This means that a blimp needs to be a certain minimum size to generate sufficient lift for a stabilising platform and this appears to be around 10m length for the standard (cigar shaped) profile.

One of the problems blimps have is due to insolation where sunlight across the EM spectrum on the envelope creates heat. And this causes a number of problems in that although it generates extra lift it also causes unwanted expansion of the gas bladders. In the past large lighter than air craft had a double skin the outer one had a surface consisting of powdered aluminium and cellulose dope. It has been suggested that high efficiency very light weight “foil solar cells” as developed by the space industry can be used as the external envelope and providing the power not just for cooling and maneuvering also provide sufficient power to run quite complex electronics.

Now the maths works out for a 10m blimp you get around 20Sqm of solar cell area which has an average annualized power in Europe of 1.2KW and 1.3KW in the US multiplied by the solar cell efficiency and angle of incidence to the sun (though insolation is usually calculated as an orthogonal plane to the local zenith).

This gives more than sufficient power to run the electronics and provide steerage and headway. And as automotive engineers are proving modern rare earth magnets and lithium ion rechargeable batteries compare favourably to the weight of traditional petrol engines and fuel systems.

However the same calculations apply to gliders and the like and these generally have a much smaller head on sail area.

So I have no reason to believe that long uptime UAV’s can be developed by pioneering amateurs.

As an engineer if you asked me to produce a design as my current first cut idea I would certainly look at the solar assisted glider solution for the high altitude aerial platform. However I would look at using an additional detachable heavy lift platform to deploy it to cruising altitude.

As for the avionics and other systems as I mentioned a week or so ago NASA is looking to use smart phones to control their SOCAR spherical robots that are deployed on the ISS.

Oh and mentioning NASA they have a mission to Jupiter just starting, upon which they have included three “lego minifigures”…

Gabriel August 5, 2011 6:30 AM

@Clive: that reminds me of Stratovision, the attempt to use surplus B-29s as mobile tv transmitters in the 50’s. I could see where solar powered UAVs could be an asset in the field for sigint, when you need a fast deployment and it will take too long to get time on a satellite.

Regarding the Lego men, what are they trying to tell the aliens on Jupiter? That we’re going to send thunderbolts and toast their planet with a giant magnifying glass? Just kidding, but one has to wonder, should other intelligent life exist and find this one day, what would they make of it?

askme233 August 5, 2011 10:31 AM

Clive, while the glider idea is nice if you are doing real Recon, Daniel’s points around the limitations of a flying vs floating platform for Wifi/Cell interception are just as valid.

Since most of the tech on the UAV they built is pretty basic, the one thing they could build/add that would be fantastic would be a basic 6df servo mount for the Pringles Cantenna (assumed) that could maintain a specific target direction as the plane flies. I think the theory is pretty easy, but I will bet the engineering is hard to work out with inexpensive/light parts.

Build that dynamic directional cantenna mount (with open source SW), and I will use it for all kinds of purposes.

ENKI-2 August 5, 2011 10:32 AM

Ideally, one would want hardware cheap enough to set off a large number of balloons or blimps with this tech but without navigation (or with minimal navigation) to drift. This was done by the US during the cold war with cameras, before surveillance sats were feasible, but governments have entirely different values of ‘cheap hardware’ than individuals do.

Nick P August 5, 2011 11:28 AM

@ Clive Robinson

Black Hat has some other interesting things popping up. Here’s a few from the briefing page linked below.

Femtocells: A poisonous needle in the operator’s hay stack

Exploiting Siemens Simatic S7 PLC’s

Arlen on security in microtrading financial environments

Owning the routing table (protocol attacks on OSPF)

Karsten Nohl on extracting code from smart cards with simple equipment

Some things on espionage

Black Hat looks interesting so far. Too bad I couldn’t make it to Vegas this year. I’ll just have to download all the free presentations afterwards. 😉

Nick P August 5, 2011 11:51 AM

Oh darn I posted the above comment in the wrong thread. It was meant to be in the Squid post. My bad.

On Topic

UAV’s are getting cheaper and this will cause more groups to use them. A few years ago, a person could buy a $800 UAV surveillance drone that would fly for a few hours or so. For $5000-6000, it would include automated navigation via GPS waypoints. Examples below.

Flies up to 2,000 feet altitude, avg speed is 60kmh, duration 55 minutes, camera/video, autopilot or manual. $7,000.

MicroPilot UAV’s
Various features. $9500-$13400

Chinese Spy Camera for UAVs

Of course, if you can manage to get a real UAV from a major company, some of the smaller ones are selling for the price of a new car or truck.

Richard Steven Hack August 5, 2011 11:58 AM

Gabriel: “please at least recognize how loathsome many of these targets are.”

Since I wasn’t talking about the targets, clearly those remarks are irrelevant.

And to my mind, there is no distinction between a group that will target civilians using a bomb on a bus or a group that will target the first group knowing that X civilians will also be killed – which is precisely what the US military does.

“Embedding in civilians” is a cop out. If the US military wants to kill someone, let them walk in and engage the enemy face to face instead of calling in an airstrike that kills everyone within 500 meters. If they can’t hack that, then they aren’t soldiers, they’re cowards. Centuries ago, you had to wade in and hack someone with a sword. The military has become more cowardly for the last several hundred years or more since the invention of gunpowder or at least cannon.

Mind you, I don’t object to sneaking up on someone and shooting them in the back. That’s smart. But killing everyone in the vicinity because you aren’t willing to threaten your Pentagon budget for the war by having the civilians back home have to see their relatives coming back in body bags is just crooked.

Back on topic: That’s why I asked about ballooning – more time on target, better control (to some degree), less cost.

The big problem for a balloon is: “Hey, what the hell is that balloon doing hovering over our parking lot?” Whereas a UAV can make passes and maybe escape detection. Of course, if your WiFi antenna is really good, that balloon can be hovering half a mile away. But that implies a large and probably heavier antenna. How light and small can a long-range WiFi antenna get?

Anyone tried to use a kite for this? One of those large aerodynamic ones that can stay aloft for a while?

How long does it take to gather enough data from an access point to crack WPA vs WEP? I know WEP is a ten-minute crack these days, but how about WPA or WPA2? Presumably you’re not actually doing the computing for the crack on the vehicle, just gathering enough data to do so offline.

Richard Steven Hack August 5, 2011 12:40 PM

Heh, turns out Google was interested in supplying WiFi from balloons:

Google Looking At Balloon Wi-Fi

Back in 2003, apparently the world WiFi distance record was set from a balloon:

World WiFi distance record -310 km – acknowledged by Guinness

Here’s a “Warflying” story at Ars from back in 2002:

War Flying

And this one references the above piece and also cites a case in Perth, Australia:

War flying: Wireless LAN sniffing goes airborne

“…at an altitude of 1,500 feet, Kismet picked up “IRC conversations, e-mails and clear NetBIOS traffic for local Perth users.” Although they do note that you have to be stationary to actually do cracking.

The drone in Bruce’s post was first reported on at DefCon 18 last year, according to this article:

War-flying with a Wi-Fi-sniffing drone

It includes some more info:

“Since the UAV has 3G Internet connectivity, the operator can “control the payload from anywhere in the world — including mobile devices. It also allows for processor-intensive applications, such as WPA attacks and password cracking, to be offloaded securely in real-time to a remote computing powerhouse utilizing CUDA technology, for mind-blowing performance.””

“Rich said it has a flight time of approximately 30-45 minutes with a maximum estimated altitude of around 22,000 feet. ‘It flies a preprogrammed set of GPS coordinates, while collecting data, and returns to base. We can also interrupt the course, and cause the UAV to ‘loiter’ around an interesting target, allowing us more time to investigate.'”

Note also on the Rabbit Hole Web site and in the articles that this UAV can also spoof cell phones:

“Now, evil operation of such a device would entail changing the Mobile Country Code (MCC) and Mobile Network Code (MNC) of OpenBTS to match a known cellular provider to essentially spoof the intended mobile service and entice handsets to hand over to our “tower”. Then outbound calls could be routed over our broadband data link and out to the PSTN via our Asterisk PBX and backhaul.”

And Dark Reading has this article from the BlackHat presentation:

Wardriving Evolves Into Warflying

This quote is relevant to what I was asking above:


The base station streams data gathered by the plane and sends it over a VPN connection to a more robust back-end PC, which can take care of the heavy-lifting, such as crunching through large dictionaries to perform brute-force attacks. The Internet connectivity would make it possible to also crowdsource data to multiple hackers with different skill sets if a project needed the manpower.

The plane itself is powered off of an electric engine that is hard to detect by ear once it is as close as 50 feet away. Though FAA regulations prohibit flight of such devices from going above 400 feet, the drone itself would be capable of going well above 20,000 feet in altitude.

Not even missiles would work against these drones because they don’t put out the kind of heat or radar signatures necessary for missiles to track and destroy them.

“So how do you defend against this? I don’t know. That’s what you guys are for. We need the right people to start thinking about this. How would you defend against something like this?” Perkins said. “Because if we thought of it, someone else has, too. They’re just not telling you about it.”

End Quote

hinten August 5, 2011 5:01 PM

I’m more impressed by the website that goads you into clicking a link to read the rest of the article and subsequently opens a pop-under.

tommy August 5, 2011 8:13 PM

@ hinten:

“I’m more impressed by the website that goads you into clicking a link to read the rest of the article and subsequently opens a pop-under.”

Strange, I didn’t get any such popunder after clicking links. Perhaps the combination of Firefox + NoScript? A number of ad agencies and data-miners were blocked by default. Try it yourself and see.

@ Richard Steven Hack:

“So how do you defend against this? I don’t know.”

Well, for starters, you use a crypto-strength WPA2 key, not one that can be broken in a century or less.
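What a "crypto-strength" WPA2 key means in numbers, as an added example that is not part of any comment in this thread: WPA2-Personal derives its 256-bit key from the passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 iterations), so the cost of an offline search depends only on how many candidates have to be tried. The guess rate and the helper names are assumptions chosen for illustration; the 340-million-word figure is the dictionary size mentioned earlier in the thread.

```python
import hashlib
import secrets
import string

PBKDF2_ITERATIONS = 4096            # fixed by WPA/WPA2-Personal
PSK_LEN = 32                        # 256-bit pre-shared key
ALPHABET = string.ascii_letters + string.digits   # 62 symbols
SECONDS_PER_YEAR = 365 * 24 * 3600
ASSUMED_GUESSES_PER_SEC = 100_000   # assumption, not a measured figure


def derive_psk(passphrase, ssid):
    """Derive the WPA2-Personal key exactly as an access point does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt,
                               PBKDF2_ITERATIONS, PSK_LEN)


def generate_passphrase(length=24):
    """Random passphrase drawn from the OS CSPRNG, not from any word list."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8..63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def seconds_to_exhaust(candidates, rate=ASSUMED_GUESSES_PER_SEC):
    """Time to try every candidate once at the assumed guess rate."""
    return candidates / rate


def min_random_length(years, rate=ASSUMED_GUESSES_PER_SEC,
                      alphabet_size=len(ALPHABET)):
    """Shortest random passphrase whose full search exceeds `years`."""
    target = years * SECONDS_PER_YEAR * rate
    length = 8                      # WPA2 minimum passphrase length
    while alphabet_size ** length <= target:
        length += 1
    return length


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print("test-vector PSK:", derive_psk("password", "IEEE").hex())

    # A passphrase that appears in a 340-million-entry dictionary.
    print("dictionary search: %.0f s" % seconds_to_exhaust(340_000_000))

    # A 24-character random passphrase from a 62-symbol alphabet.
    years = seconds_to_exhaust(62 ** 24) / SECONDS_PER_YEAR
    print("random 24-char search: %.2e years" % years)

    print("min random length for a century:", min_random_length(100))
    print("new passphrase (constructed sample SSID 'example-net'):")
    new = generate_passphrase()
    print(" ", new, "->", derive_psk(new, "example-net").hex())
```

Because the SSID is the salt, a default or common network name lets precomputed tables be reused against it, so a distinctive SSID helps alongside the random passphrase.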

Gabriel August 5, 2011 9:27 PM

@Richard: first of all we will respectfully but strongly disagree as gentlemen. I will tell you though I am not swayed towards any absolutes. And if you do go in somewhere you can’t dick around and just escalate later. That ends up in more bodies than a major and well coordinated effort.

Now onto the interesting stuff. One way to defeat the UAV is to deny it comms capabilities. Unlike US assets, which are backed by overwhelming air force who will blast anyone daring to operate a broadband hammer, these blackface have no offensive capability. If you are aware of their presence, you could jam their comms. Also, their 3G channel will light up like a roman candle at that altitude. I’m sure it would be easy to directional find if we put assets in the air. I wonder if we have missiles that can lock onto a radio signal. It wouldn’t have to be close, a bit of chaff and it goes down.

Richard Steven Hack August 7, 2011 1:09 PM

Gabriel: It’s the illegitimate reasons for going in in the first place that also makes the US military’s actions war crimes.

And if you don’t realize the US did in fact “go in and dick around before escalating later” in Afghanistan – in favor of going in and destroying Iraq – then you really don’t know what’s going on.

On topic, I think the point of a hacker UAV is that it’s unlikely anyone is going to expect it, let alone have jamming capability on call, unlike a military situation. It’s something that can’t really be defended against by your average corporation or local police department.

This is basically a six-foot long tube poking along at probably less than one hundred miles an hour or so. Sending a fighter plane after it would be almost useless. The fighter would have to use a proximity missile that puts out a really blanketing amount of shrapnel or concussion and tuned somehow to the radio frequency because the jet itself would constantly overfly the thing and probably not even be able to see it visually or on radar (except maybe a Harrier which could slow down enough to make visual ID possible).

Not to mention that this thing flies under 400 feet which, over an urban area, would make it dicey to attack it from the air by any means. You could possibly shoot it down with ground anti-aircraft weapons – the Iraqi gunners got pretty good at shooting down cruise missiles after a short time of experience with them.

Even a helicopter would probably be useless. I don’t think the UAV has as much maneuverability (it flies on a GPS course) as a chopper, but if a more advanced model could be maneuvered it would probably be hard for a chopper to both catch it and have the means to knock it down short of somehow dropping an explosive near it (again, dicey in an urban environment).

At the moment, the thing can only stay up 30-45 minutes (assuming that’s long enough to reach its target and capture enough data to be useful for offline cracking), so you’d have to spot it, respond to it, and catch in that time frame which would be very hard. A longer time frame would enable a response, but you’d still have to detect its use first.

Or if you catch it, follow it back to its home base – assuming something expensive like that isn’t going to be sent off on a one-time mission. Unless of course, they end up being printed on 3D printers… 🙂

Reminds me of the Bruce Sterling novel “Islands in the Net”, where super cheap little planes made of balsa wood and loaded with cheap light incendiaries were thrown en masse at the enemy. Too small to detect and if you managed to fire a missile at it, the missile costs a hundred times what the plane cost, so you lose anyway.

I wonder if a nation state could make some of these things that would home in on a radar signal from, say, a naval vessel, and carry either a jammer or enough explosive to damage (if not destroy) a radar antenna. You throw a few hundred (or a few thousand) at the US fleet in the Gulf, then when their radar guiding their Phalanx and Aegis weapon systems are out, you send in your Sunburn missile. Game over.

Richard Steven Hack August 7, 2011 1:13 PM

Come to think of it, the best way to catch these things would probably be to own one that’s been designed to fly around your location and use short-range radar to detect it, then home in on the radio frequency and blow itself up next to it.

Again, you couldn’t do it in an urban environment, though.

Andy August 7, 2011 4:58 PM

You might not have to shoot down the UAV, a story on this blog a while ago said that supposedly Israel sent in a team to destroy a reactor and they used a drone to take out the radar setup.
Most UAV would have GPS chips, which would be enough entry to disable it (enter rf shield range..falls out of the sky).
About the ships, they are kind of pointless, the only defense they have got works out to about 15km (chain gun, missiles), 4g booster on a UAV is what 5*9.8= 49meters/sec times 5 min burn 14700/sec after 5min, I don’t think their defense would be able to react anyway.

Gabriel August 7, 2011 8:50 PM

@richard: regarding Afghanistan, why else would I have brought up dicking around? So please don’t presume I am so naive. The last time we didn’t do that was in Korea. Of course we still failed to anticipate Chinese involvement and the level of Russian support for the north. Iraq may have been the wrong motives, but once in, you want a new stable govt to succeed. Again the worst strategic mistake was getting enough for the invasion, but not to hold the land. It would have been a splendid effort had there been a legitimate government in exile. Perhaps that was a fantasy held by the then administration.

My thoughts are these: dead soldiers and dead US civilians won’t convince the nation to abandon wasted war efforts. If you even want a prayer at convincing, we need a more viable and independent 4th estate that can present the facts with reason. Talking heads need not apply. Face it, if you are Fox or CNN, war means more viewers. I also must say that once we broke Iraq, it would be better to successfully buy it (using Colin Powell’s words) than to leave it broken. Unfortunately, the politics we played here and there, with a new and corrupt government only leaves you with a tactical victory that would most likely soon erode. In the same manner, Vietnam could have succeeded if the south actually had a viable govt, which it certainly didn’t. It would have also required that substantial commitment we didn’t give it. Neither materialized, especially the crucial government.
