Researchers show off homemade spy drone at Black Hat

Wi-Fi Aerial Surveillance Platform can crack Wi-Fi passwords and intercept cell phone calls

LAS VEGAS -- Two security researchers Wednesday unveiled a remote controlled, unmanned aerial vehicle (UAV) that is capable of cracking Wi-Fi passwords, exploiting weak wireless access points and mimicking a GSM tower to intercept cell phone conversations.

The Wi-Fi Aerial Surveillance Platform (WASP) was built by Mike Tassey and Richard Perkins, two security researchers seeking to show how ordinary remote-controlled hobby airplanes can be easily converted into something more sinister.

The WASP system, introduced by the pair at the Black Hat conference being held here this week, is an upgraded version of a model unveiled at last year's Defcon hacker conference in Las Vegas.

The bright yellow, six-foot, 13-pound spy drone is capable of flying at altitudes of up to 22,000 feet and staying aloft for up to 45 minutes at a time.

Updates include the ability to function as a spoofed GSM tower to intercept cell phone conversations, and to intercept Bluetooth communications.

The airframe of WASP is a surplus U.S. Army drone that was used for target practice purposes. The rest of the hardware and the software used in the drone are all readily available technologies, according to Tassey and Perkins.

The plane packs a small Linux-based computer running the Backtrack 4 suite of penetration testing tools. Another of its systems is designed to collect telemetry data that is sent to a ground-based base station which then uses it for real-time tracking.

The base station also serves as a network router for connecting other workstations to the payload on the drone, and houses systems used to offload processor intensive applications, such as password cracking.

Perkins and Tassey also installed a new Universal Software Radio Peripheral (USRP) that allows the drone to mimic a GSM cell phone tower. The technology can be used to spoof a cellular provider's mobile service so that outbound calls made by users of that service are routed through the USRP.

The GSM spoofing ability is borrowed from a demonstration last year at Defcon by hacker Chris Paget, which showed how cell phones could be tricked into connecting with specially rigged "towers" placed close enough to the target phones.

The updated unmanned aerial vehicle supports 4G networks and is capable of receiving and executing instructions delivered over the Internet from anywhere in the world.

The pair said the drone parts and its construction cost some $6,000.

According to Perkins, such drones are easy to build and deploy.

The model displayed at Black Hat yesterday can stay aloft for about 45 minutes and can travel up to 25 miles, he said. It can be programmed to fly a particular route, and to circle over and gather data from specific targets, Perkins added.

Though UAVs are required by law to fly under 400 feet, the drone that was displayed at Black Hat can fly at up to 22,000 feet where it would be relatively hard to spot by many radar systems.

"It allows you to bypass physical security barriers. Fences and walls are no longer barriers" with this kind of aerial eavesdropping, Perkins told Computerworld after the Black Hat presentation.

Perkins and Tassey said they built the updated drone to demonstrate how easy it is for someone with basic engineering skills to cobble together a system that could be used for nefarious purposes.

"You don't need a PhD from MIT to do this," Perkins said. "Everything is easily available."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is

Copyright © 2011 IDG Communications, Inc.
