 Well guys it's been a it's been an interesting week here first of all I want to apologize because We're supposed to have the war ballooning event out back and actually do it on site I had previously gotten approval from the FAA and Other government organizations including the Riviera for for doing the war balloon out back of the facility here that went up okay up until about a week ago, and then we were informed that The city officials among other people said we couldn't bring the balloon on the property So it sort of sort of put a damper on our on our onsite war ballooning So I apologize to any of you guys that missed that however what we did we Me and my colleagues here at tenacity team tenacity sitting right here decided to Take matters into our own hands, and we get rented a Penske truck We set it up behind the treasure island casino, and we did the war ballooning covert operation on Friday, and it was great I think you guys are going to enjoy the video We got that and of course here's the gizmo that was hanging under the balloon Well With that we'll go into the presentation here so About war ballooning I did a presentation two years ago That was called war rocketing and and the problem with it was what was I put in an access point and and Up inside the rocket and the problem was The stumbling time was very limited coming down. It went to about 7,000 feet But you know you can't give me access points in about three minutes and a half So we thought we'd do it better this time render man and The press 98 several others came up to me after my speech last time and said hey You know a balloon would probably be a good idea, and I'm like yeah, you know, that's that's not that's not bad so The whole concept is here is if you're war-driving you're not you're not hitting a lot of targets that are far out because You know you got buildings and trees and stuff you maybe get 30 per block something like that. We want to do Get a little more visibility. So the war balloon here. We did is 150 feet up I mean with the war balloon we did in the city. We're limited to 150 feet But it's still pretty good As I said that that height is perfect for covering five ten mile urban areas because Basically, it's the same height as a cell tower and we all know that the cell companies are in business if they're If their access points were on the ground then your reception would suck so Please feel free to stop me during the talk if you have questions As I said this evolved from out of war rocketing that I gave it Def Con 14 We'll do a few good and bad comparisons technically about how that went versus the balloon The war balloon components how I built it basically this is just a webcam That's movable via web server on the internet or our local network in this case Which is fiber local secured fiber optic network, and we have a wrt-54g running kismet drone inside of it Here is the rocket Quite frankly the rocket would cause a lot more buzz than the net stumbling targets We got last time it was a lot of fun, but didn't get really get a lot of targets Here's our new platform the balloon that we can't bring on site, so we bought some substitutes here This is a professional photography balloon if you'll notice it has the The pads on it and and a lot of companies use it now to do real estate surveys and that kind of stuff Um The war rocket was was a cool idea. However Explosives permits required they want to like actually allow you to shoot that near any populated areas, which is probably a good idea And the stumbling was lifted to limited the parachute drift time Blooming has its challenges as well because as you all know helium is very expensive Basically it comes out to cost of 20 bucks per pound that you want to live so if you guys want to fly something I highly recommend making it really light A little more accepted by authorities like I said we started out with approval three months ago And actually got FAA approval first was not a big deal. I'll talk more about that later And of course it's still restricted near airports the same as anything else flying a little a little bit of the history Benjamin Franklin recognized the military capabilities when the first balloon was launched in France in 1783 I believe that was a hot air balloon and Wrote a lot about hey, it was going to be great for aerial reconnaissance Of course, we have the classic the zeppelins in World War two which the German Jews for both aerial surveillance and Bombing to a limited extent. They weren't real successful with the with the bombing raids with those And then here's a little known project. It's that's named genetics in 1953 the Air Force and the CIA Actually deployed camera balloons over the Soviet Union These these were phased out with the first flights of the you too. So The government's been doing this for quite some time Currently, I think there's some projects in Iraq, which I can't talk about but I Finally arrow stats, I don't know if you guys knew this but arrow stats nothing but Air Force parlance for a big tethered balloon Currently fly over to Mexican border in the Florida Keys They crank theirs up to 15,000 feet and do a footprint of about 185 square miles. These are used to track They of course they hang radar from theirs. They're used to track small flying low-flying aircraft and The beauty of it is they can take they pump them up there and they can withstand winds of like 75 miles per hour So you operate virtually without any break very low-cost 5% of the cost it would take it would take to send up an airplane or a chopper to do these missions As I said before the stumbling comp concept is basically think of us as a big mobile Our us in the Penske truck We were a big mobile cell tower site as soon as we throw the balloon out the back of that sucker It goes up to 150 feet. Well, guess what? We don't need to build no cell tower because now we got all the 802 11b targets within that footprint This was my first idea that I the first thing I grappled with with trying to Put all this stuff up in the air was you know, you can't just hang electronics from strings It doesn't work too well So I got one of these big orange traffic cones and I said, okay It's gonna be nice and it's gonna be nice and stable and I can fit everything in there You know, it'll look cool Wrong don't ever try to build anything in a traffic cone. They suck I'm also told that by my fellow engineers that Rick, you know, if you want to show you drawing, you know, why don't you get a copy of Vizio, dude? You really can't draw you're not Joe Grand. Okay, so, you know stick with the Vizios Anyway, the first the first thoughts and I think this was a bar and resting As far as designing it all the components obviously had to be very late and low power consumption this fiber that goes that went up to the balloon is solely for communications all the webcam I mean the webcam the WRT in there and as well as the fiber optic link had to have had to be supplied with power The other design considerations are safety, of course, you don't want to use hydrogen. It's very very flammable and The Riviera amongst others demanded that this be passive which was it's a kismet drone It is only it's received only if you guys know know how that works Already said this balloon mentioned the balloon is used for professional area of photography WRT 54g version 3 do not reuse version 1 ever if you guys are into hacking WRT's and hook it up to a 12 volts About power supply my first one made a cloud of smoke about to fill the path my kitchen when I turned it on So the specs say it'll take it it won't What I packed this thing with was a bunch of lithium-ion batteries very similar to your laptop batteries to For power I need one 9 volt source and one 12 volt source That's eight double a batteries by the way and two 9 volt lithium batteries the Other hardware components we used of we only used the yaggy antenna because it's 15 DB and it hits a lot of targets And it was practically a windows day Friday when we want when we launched the balloon So I did have other antennas, which I'll show you guys after the talk once pretty cool PC board That's basically about three inches square and it's highly directional. So I'll show you guys that if you're interested the container My better half here Diana was we were sitting around the kitchen as I was struggling trying to put Stuff a bunch of crap in a traffic cone. I looked over her cooler and I said honey You do you really have a need for that cooler? I said I could probably buy you a new one So she donated her cooler and here here it is today. It worked out great. If you don't know the igloo the igloo cooler is This is one of the oldest products still made in America and it's nothing but plastic with styrofoam inside of it So it's perfect for electronic isolation and making sure your stuff doesn't short out and burn out Which is I mean it burn up which is a very bad thing to happen after you put a couple months work into it Here's here's a distribution of all the stuff that went into the war balloon payload Believe it or not just that cable there comprises 30% of the weight. That's about a pound and a half a cable. Basically. It's a pound per hundred feet So you could probably get away with another Two to three hundred foot a cable, but you're you're ceiling on this particular payloads about 500 feet The other things of course the batteries are big big hitter electronics come in pretty small at the the WRT and the fiber optic converter and The hardware and antenna are only 6% of the weight of peace very critical. This whole thing weighs three and a half pounds without the cable For the software components. I burned talisman 1.3.6 on the WRT 54g The d-link which is the cool security camera. I'm going to use back at my house for monitor monitoring my house over the internet is Got a web server on board and is remotely steerable over the internet and addressable using ddns The Susie I used two laptops for this venture one was Susie Linux, which is one of my favorite distribution Needed that for the kismet server and to talk to to gather all the wireless data and another add-on which one of my colleagues recommended to me was speech synthesis of software and Was really neat during the the flight because we could Hear as well as see when the new networks came in as the balloon went higher and higher Kismet you guys probably familiar with that did some of my analysis of that I've got a got a Mac friend and who donated his Mac to me for this project and in various Unix utilities We secure shelled in and and made it super secure since we were Supposedly going to be operating on-site here The network itself of course is passive monitoring only The data is streamed from the WRT on here to the kismet server on the Linux box To the hard drive and save there and of course it saves all the files the one We're going to publish after the after the conference is the is the common delimited file I think we already talked about the camera here. We were thinking about doing a Cell phone link and broadcasting it broadcasting out to the conference However, that became problematic since we weren't on site this camera. Like I said is addressable be a dds over the internet And you can hit it with a g3 cell phone The Riviera made me Well aware and of this as well as the DEF CON staff of the security considerations here This is a secure standalone network. This is what the whole thing looks like it's It is The big balloon you see there the cam the cam and the configuration we flew hung underneath of course This one we just mounted up here so we could carry it in the room easily The WRT 54 G's inside of it and of course the antenna pointed down straight towards the horizon basically Going to a little bit of the hardware and software hacks I had to had to do to Get this project going This is your WTRT 54 G taken out of the case and What we had to do here is if you see that connector on the right that actually had to go up top to get to feed The wire out of the cooler. I had to definitely chop that sucker off with a With a little Dremel tool and mount it up top and these these things are very delicate I don't know if you guys ever work with any microwave or any any very small electronics, but it's it's very delicate work So that was the first hack remove the case case weighs about three times what the actual circuit board and you need does The D-Link camera I wanted to you know, it's like a $250 camera I didn't like want to toss it in the trash or lose it since I want it for miles I took it apart gently and you can see in the picture here on the left It's just a little tiny circuit board and a motor that runs in there goes into it both pans and tilts so my problem there was to Mount the antenna securely to it. I drilled a couple holes in each side on the arms and As you can see here it worked out. Okay, that's about the latest antenna you can buy That that'll give you 15 DB. I think the antenna like weighs like three and a half ounces So thank you Lowe's store for that all the hardware came from Lowe's The finish unit you see on the right is is just like it flew on the balloon the We already went through this stuff you basically the fibers just regular computer room fiber multi-mode 65 millimeter or something like that. I don't remember it's regular computer room cable Here's the fiber optic transceiver. I had to have two of these one up one up in the air and one on the ground We had to remove the case because it was very heavy You can see that in the backside of the cooler there and here's the finished product if you open up the top of it Like I say the cooler worked out great. There's there's the battery packs. Those will Run the the war balloon for about two hours I was going to do a little short device demo, but since we didn't have time to hook up here We're going to skip that for right now One thing I didn't want to touch on is a very popular topic these days is IP based robotics I've done some of this as far as I worked in an automotive assembly plant for about 10 years and did a lot of Siemens work a lot of a lot of monocons and In the early days like 10 years ago this started out as monitoring machines on the production floor and mainly for You know statistical and how many parts did you make per day kind of deal? However lately? Industrial control has gotten heavily into actually remote control which you know can be a good thing But can also be very dangerous if you're making car parts and got people walking around the machines and stuff But you want to be around a 50 ton ram when it comes down because Some idiot or you know got in got into your machine As a consequence all the PLC's at least that I've worked with now come with interlock switches and stuff That will turn the memory on you can't actually write to any memory without without physically being there talking to somebody Anyway, there's a web a website that's got some cool IP remote control stuff on it control by web.com Security of course is becoming the Achilles heel for skaters for all the skater stuff. It's always been the Achilles heel It's just been it's been sort of in the background because not a lot of Thank goodness not a lot of attacks have occurred so far One company I do want to mention that that I know the guys and have done some work with his digital bond They have out Of course the latest thing is all the Nessus plug-ins for skater systems if you're doing any kind of industrial control This this stuff comes highly recommended Some of my colleagues work down at the Department of Homeland Security and you know you guys know any skater security work Please let us know Department of Energy uses this IP based I mean uses skater security surveys extensively and there's digital bonds website www.digitalbond.com Wanted to talk a little bit about why I've had such a long week like I said we started this whole approval process three months ago I will confess to having friends at the FAA because I've worked there and also I'm a high-power rocketeer. So I have to call these guys routinely I know who to call right to shoot my rocket up 7,000 feet. So it really wasn't that tough getting FAA approval After that we had gotten the Riviera approval, which was about a month ago And now I'll talk in a second here about the developments just before DEF CON which was like last Friday The following is my letter to the Las Vegas the Las Vegas terminal radar approach control affectionately known in the FAA is the Trey con who's the guy out here. He controls The airspace I think 185 mile circle around Las Vegas. So he's he's the man that can say yeah You can fly your balloon within five miles of the airport or you know go away. You're out of your mind You can't do this. So here's a little letter. I sent him This comes from the FAA regulations, I think it's part 101 or part 103 for Mord balloons and kites and the biggest thing they're concerned about with is you being near The airport, you know, you don't want to ruin somebody's day that's coming in for vacation on a on a Boeing 747 or something Very bad form So I'd recommend if any of you guys want to do war ballooning the first thing you need to look out for is Make make sure you're not near an airport You know Google Earth is very useful for this and anybody that's a pilot can help you out with that But they're too in the Vegas area. We avoided those during our covert mission that as far as the five mile radius They're pretty hard up on that and they will arrest you for flying stuff near the airport So anyway, here's the letter what it boils down to is you can fly your balloon if it's no bigger than six foot in diameter And a hundred thirteen foot helium capacity basically that's Probably three-quarters of a full-size helium tax something like that. I think they're like 180 or 200 If it's below that and it's outside the airport five mile perimeter then it's considered no different from one of these Flying advertising balloons you see at the car dealership So you really don't need to notify anybody as long as you meet those criteria And you can look that up online at if at faa.gov. I mean there there's the whole regulation thing there This was our plan we were gonna operate an unmanned tethered balloon more via the supply tethered tethered line From the edge actually it was the back of the Riviera Convention Center I Think some of you guys probably saw it on the map again. I apologize. We weren't there but be on our control Balloon three point five pound payload. That's as big as you can get to that's in the regulations If you can't build it later net, I don't recommend you fly it near the airport They also made us equip it with a Self-deploying parachute capable of lowering the payload. I guess you don't want to ruin somebody's day And I'm gonna head with an igloo cooler So You know easy for me again because I fly like 25 and 30 pound rockets. I had plenty of parachutes actually my honey. They're designed the rainbow colored shoot I'm sure you guys didn't get see it. I forgot to bring it today The other thing is if you're flying near skyscrapers like we would have been down here You can pretty much go up to 500 feet go if you're shielded by a skyscraper You're fairly safe and whatever you want to fly as far as a tethered balloon or kite because obviously the planes are going over The skyscraper is going to shield going to shield your operation So they're they're pretty comfortable with that in our case the turnberry towers is there's those huge towers right across the street from our Was going to be from our proposed launch site Considered some alternatives. I don't know if you guys are familiar with this one, but this is some insane man in LA that got like I Think this took like 50 balloons and these these are almost as big as the six foot diameter balloon that we That we use for our war ballooning project Just think of the money this guy spent. Okay. I mean that's 20 bucks per pound I don't know what he weighed But I would have personally just flown first-class, you know like on Virgin Airlines or something. I mean come on all right, so like I said we We were we were pretty much in angst about this the first of the week we Diane and I've been and my team to nasty been in Vegas here for about a week and We said failure is not an option You know what we're going to do this and I thought about it I said, you know rolling out helium tanks the cops are Looking for us probably not a good idea to like put a lot of laptops on the ground So hey, we went out and got in one of these big Penske trucks 22 foot long nice moving trucks conveniently 22 feet by 7 feet by 7 feet our balloon is 6 feet So basically took all the all the network gear and stuff that we had ready your to rock and roll for Defconn here and we packed it and pre-stage the balloon and equipment out back of the treasure Island casino where we're staying and Had a couple we actually inflated the balloon behind there in the truck So we can minimize our time on site and drove out to site X which is basically in the western part of Las Vegas City And so now with that I've got our 10-minute video of our operation. I think you guys are going to enjoy here. Let me get it fired up here Any questions before I launch into the video guys? All right, let me make sure I have some volume here guys All right, here we go the covert war ballooning operation. We're here for the war ballooning Plan B since we couldn't appear on the Riviera site in true Defconn fashion We've got a simple team to nasty here and this is the war ballooning truck. So Everybody's going to get together. We're going to load it up pre-stage it and get all the network gear and stuff ready to go The idea is here is the balloons going to be inside the truck Ready to roll and we're going to pull up the site the site or sites and just push it out and get and collect our data and stuff so We're going to be working to set it up and we'll see you guys So here we are we just arrived in So here we are we just arrived at the site It's just 150 miles Yeah, we're gonna take the fiber to it Make sure you clear that fiber Here Guys what you're seeing we were struggling a little bit because we didn't have a helium the balloon we started out So it's actually it's gonna go it's gonna go pie in just a second. We got to your rising now. That's good Let's try to get stuck on his lines Are the cops here Let's look see how many we got I'd like to get some more arrow shots actually Let's try that I mean if we get a little higher we get some more arrow shots. We see it won't go up What's going To Yeah, it looks like we lost our up capability, but it'd be nice if we get a little Yeah, we're getting video feed in the neighborhood all around The other for some up down in the lens for some reason Oh That was awesome the things we do for that's gone. Thank you We're here for the war-blooding Plan B since we couldn't appear on the Riviera site Thanks Thanks to my mates to help me pull this off up here team to nasty My adrenaline obviously got up a little bit at the end there because one of the one of the things a riff told us when we were Cancel was you know the Vegas Metro police had called down here and some people who complained about us flying a war balloon I can't imagine nine IT people being worried about a war balloon, but At any event we couldn't have paid money for that it was it was great the guy showed up and obviously thought we were just flying a balloon for kids or whatever and that was that was It was near a city park by the way. So that that that was great Let me just show you some of the results here It it was just like a War drivers dream here because as the balloon kept getting higher I couldn't even control the screen that the networks were rolling in so fast. I had no idea how many were there So Let me go over the results a little bit. I give you a couple of aerial shots from the balloon Which was pretty neat. Yeah, I just need to open up my notes. I mean my Excel spreadsheet here. All right, so We actually got well, I thought I was 370, but I think there's a header line something like 369 or 370 networks in a little around 15 minutes, which is pretty phenomenal I don't know if you guys are experienced war drivers, but those of you are know it would take quite a bit of driving around to do that Some of the things we hit it actually worked out better than what I have on site because we were five miles out if you saw in the video clip there you could actually see we had scanned the whole Vegas strip and It's it's Wednesday. You know, we were five miles out So we got a seven and a half mile range on this antenna We basically scanned the entire strip as you can see we got planted Hollywood here We also got Mandalay Bay Somewhere up here. Let me see if I can find that one but Just just tremendous reception. I mean, I was I was thrilled with it I tried to talk my teammates into driving around a little more and just Going out to sites and throwing the balloon out and doing it a couple more times They weren't really keen on that after the cops showed up. So But you know, I think it worked out. Okay, let me go up here and show you guys a couple more things one of the interesting things about war ballooning versus just war driving is is You know war drivers typically go around with GPS, which means hey, okay I found this wireless access point here, but where's here? Well, it's it's really your car, right? I mean, it's not where you really found it get real this one the cool thing is since the Computer logs the first captured time the kids met and the last scene time actually first captured times what we're interested in if you notice the Well, let me just show you a shot and I'll show you what I'm talking about here All right so here's here's one of the best shots that we got of the Vegas Strip and Planet Hollywood just happens to be just to the left in the antenna there and guess what the Mandalay base Like we picked up and you can see how far out this is. I mean, it's uh, this is this is no small shot for war driving This this shows you the advantage We're basically we're way up there and and picked up a ton of targets off the strip Here's another shot This is pointing right at Def Con if anybody can tell me Some networks to hunt for here. We'll go we'll go down the spreadsheet and see if they're there Well, what I'm gonna do is publish the CSV files I'm not gonna do any packet dumps or anything, but you guys are certainly welcome to see our stumbling targets that we acquired during during the war ballooning effort Another shot. This is a really pretty lake where we were and looking western westerly out towards the mountains One of the concepts here was to be able to directionally aim the antenna obviously because then you can see where your targets are Somewhat problematic with a regular car dealer kind of balloon. Have we not done it on site? I highly recommend one of these dirigibles the Air Force and all the professional photographers They're steerable and they tend to cock into the wind So they're easily they're more easily maneuverable in our case I really didn't have to use the webcam to rotate the antenna a lot because The balloon just naturally sort of sort of circle, which was great All I had to do was maintain a horizon and and we got everything out there So to wrap it up, I think we pretty much prove aerial platforms do provide superior line of sight to Wi-Fi targets It's easy to correlate the kismet logs and camera targets This this works really good if you if you compare the time stamps You can look at a time stamp in the log and go look at the video of the imprint of the time imprint on the video and see Exactly what you were looking at If you try war ballooning, I can tell you get up early in the morning It's like a fishing expedition. I'll I drug all these guys out of bed at like 6 a.m Wind is not your friend. Wind is calm in the morning. It will take your balloon down towards the ground It will screw up your camera. It'll it'll try to eat everything you've got up there. So And also affects, you know, what kind of directional pointing capability you have So sum it up our expedition covers 7.5 mile radius in the city of Las Vegas snare 370 networks and Effectively surveyed the Las Vegas trip all in less than 15 minutes That's about it And I would just like to take this time to thank team tenacity and everybody helped me put it together Leo in particular for for providing me some of the financial support and Eddie Mikulski for putting together this this fine video Questions anybody Say again the question was what was the problem that the Riviera? Finally didn't let us do it. I think it was upper management Actually, I worked with the convention organizer here named Theresa Madsen She was very helpful in their IT security department had even approved this like a month ago We thought we were good to go the Riviera was gonna get us a tent out back We were gonna hand out t-shirts as we will here in the room across the way in just a minute, but we I Think upper management just freaked about it somebody in upper management did and or the Vegas police called also understand it You know when word got out it was a war balloon and retrospect I should have probably called it the kismet and this guy right because not IP I mean imagine that not IT people are a little intimidated by These what this war stuff so? say again and The police I never talked to the police directly the only police we've seen is what we saw in the parking lot drive through and I I would I would venture a guest if they were looking for us that they would have probably stopped so But you know that that's about all I can say about that one any other questions Totally because that was the cheapest fiber transceiver I could get required to fibers of like 70 bucks Hey, I'm a redundancy kind of guy man. If you fly anything you want redundancy Any more questions can we transmit from this? That's a negative it ran in passive mode. I actually did WL disassociate WL passive And I push the kismet drone to the box every time so no there was no transmit capability on this thing at all And there never was any plan to do that Yes, I'm probably done with flying for a while Yeah, but that's not a bad idea people have mentioned kites You know I mean your only thing is if you want directional control or you want you want to do aerial photography You know your kites gonna sort of kind of doing this if I showed you actually I can I'm just showing another short clip here. I'll show you some I'll actually show you some of the the boat ride on the It looks like riding a boat on on the balloon the footage actual footage from the balloon hold on I'll show you that You can see what it looks like we didn't show it because it it looks like Blair which quite frankly Approximately 70% of the networks were secure Approximately 30% no encryption at all including some of the bigger ones at the hotels On the strip it was it was sort of shocking, but yeah You'll see that we will publish the data. We can't publish. Obviously any any packet dumps or any candy Reveal any Personal info on there, but we will show you that we'll publish out Any more questions you can see this is the thing taken off right now and it's pretty much the Wild hair right here. Yes putting a compass on it Not a bad idea. I mean if I had a like a Dirigible stable platform where it was not panning quite so badly as you see here Yeah, that's a great idea that way you at least know where you're pointing I knew from the layout where we were because I'd Google Earth this a bunch of times and seeing You know, like I said, you have to be very careful if you want to do this not to get near any airport Know exactly where you're where you are geographically Haha No, unfortunately, you know the power line deal becomes that kind of dangerous You might want to One of the first things you need to do before you fly a balloon rocket or anything Make sure you know power lines up there because you know, even though it's not conductive Yeah, I wouldn't really want to try it and it would probably ruin your blowing balloons day anybody else Say get I'm not aware of any aerial networks I think we've got like 370 on the ground and that was panning the entire skyline. So that's in that seven and a half mile circle Oh, they were coming in very slowly. You know, I don't know. We were all focused on Get her done, you know, we were on site and figured. Hey, you know, the cops might be showing up well They did but so we were I can tell you Probably half a screen worth or something like that. I don't know how many that is on the kismet screen But it wasn't it wasn't tremendous. They just started rolling in as the thing went up. Obviously I think probably 150 is about the optimal height for this thing Um, well guys, we'll we're uh handing out some tenacity swag next door at the q&a room, right Jeff at the q&a room. So you guys come on down. I'll be happy to entertain more questions or Meeting any you guys and uh really enjoyed you coming out today. Thank you