Covert operation floats network-sniffing balloon
- — 11 August, 2008 08:04
Rick Hill won't say where he launched his "wardriving" balloon on Friday, but he will tell you that it got a pretty good look at about 370 wireless networks, while scanning up and down the Las Vegas Strip.
Hidden in the back of a 22 foot (6.7 meters) moving truck, Hill and his team of about a dozen volunteers launched the balloon Friday morning, sending it 150 feet into the air for about 20 minutes to use special antennas and scanning software to scope out the Las Vegas skyline for unsecured wireless networks, an activity Hill calls "warballooning."
Hackers have practiced wardriving for years, driving around in cars with computers and specialized software that sniffs for networks.
Two years ago Hill set his sights a little higher and fired off a model rocket loaded with similar equipment -- and gave a Defcon presentation on that project -- but warballooning is something new. In his day job Hill is a senior scientist with Tenacity Solutions, a security services consultancy in Reston, Virginia, that works with the government.
Despite methodical preparation for this year's Defcon, and Federal Aviation Authority (FAA) approval, Hill's warballoon almost didn't take off at all.
That's because management at the Riviera Hotel, host of the Defcon hacking conference, changed its mind late last week and told him that he could not launch the balloon from hotel property. In fact, the Riviera said, he couldn't even bring the warballoon into the hotel. The reason for the grounding was vague. Riviera staffers told Hill that local police were concerned after a nearby casino had complained of the operation.
Hill suspects that local authorities might have been spooked by the fact that he called his device a warballoon. Something less bellicose might not have caught anyone's attention.
Still, he and the team who helped him were upset at being grounded. They felt that they had met all the legal requirements, but they couldn't get FAA approval to launch the balloon from another nearby location on such short notice.
But Hill, an amateur rocketeer, knows his FAA regulations, and he realized that if he launched the balloon more than five miles from Las Vegas's McCarran International Airport, he wouldn't need any federal sign-off.
The balloon he was using was rented from a national company that rents out the devices for real-estate photography. And though he knew that the balloon was perfectly legal to fly, he was still a little worried about local police shutting him down."That's when we did plan B: the covert operation," he said.
To cut down on any chance of the operation being shut down, they quietly inflated the balloon inside a rented moving truck while parked in the Treasure Island hotel parking lot. Then they drove to a nearby park and set it off from an abandoned parking lot. "It probably took us less than five minutes to get the balloon airborne." he said.
The tethered warballoon scanned the strip and found that about a third of the networks were unencrypted. From the balloon's 15 story height, they were able to survey about a 7 1/2 mile (12 kilometers) radius, Hill said. The balloon sent so much data, it just started rushing by on his screen. About one-third of all the networks they spotted were unencrypted, he said.
Near the end of the operation, a Las Vegas Metropolitan Police cruiser drove by the parking lot to see what was going on. Hill and his team waved. The police officers waved back and drove off.
No one at the Riviera could be reached who had knowledge of the warballooning incident, but Defcon director Jeff Moss confirmed Hill's account. Hill will talk about his warballooning adventures Sunday at Defcon.t.