Building a War Spying Box

To demonstrate the dangers of unencrypted wireless cameras, Kevin Rose and Dan Huard reveal how to build and use the first ever handheld auto-switching warspying device. Designing it from the ground up, they go step by step from the basic circuit construction to the complete warspying box design.

Small wireless cameras have become increasingly popular in the past few years. They are used to monitor activity around homes and businesses in an effort to gain a little extra security. Most of these cameras, however, are unencrypted, so their signals can be picked up by anyone with a compatible, off-the-shelf receiver. This isn't necessarily a deal breaker for everyone, but if you use such cameras you should be aware of the potential danger of allowing someone to peek inside your home or place of business.

Searching for open video camera feeds is known as 'warspying.' Usually this is done with a handheld video camera, a wireless video receiver, and an inverter to power the whole rig from one's car. We weren't satisfied with that setup so we built a portable, autoswitching, warspying device to demonstrate that it can be very easy to find and possibly exploit these cameras.

In order to accomplish our goal we needed 5 things:

  1. a wireless video receiver
  2. a screen
  3. a portable power source
  4. a means of automatically switching between the various receiver channels
  5. an enclosure for the components

Wireless Receiver

We started with a standard X10 wireless receiver. The X10s are pretty popular due in part to their aggressive internet ad campaign. But these can't be used as-is and will require some modification that we'll get to later.

LCD Screen

As far as screens go, the easiest choice is one made for car entertainment systems. We used a non-name-brand widescreen headrest model. These are relatively inexpensive and can be stripped down to the bare LCD. They also have the added benefit of using a standard composite video connector for their input, which can connect straight to the wireless receiver. Finally, they run off 12 volts, which is relatively easy to supply portably.

Power Supply

Both the LCD and X10 wireless receiver run off 12 volts, but the switching circuit that we'll construct later runs off 5 volts. After some internet searching and trips to our local surplus electronics store we decided to go with a UPS (uninterruptible power supply). The UPS we found is not the kind typically used as backup power for your computer. Do not try to use that kind of UPS; they can be dangerous and aren't a good solution for this project anyway. Our UPS can connect to a standard 12V lead acid battery and provides 12, 5, and 3 volt outputs. This takes care of charging the battery for us and gives us nice clean power for all our components.

Some notes about power supplies:

  • BE CAREFUL!!
  • Usually you won't get clean voltage outputs until they are under load. That means that if you just plug it in and measure the voltage outputs then you're likely to see strange results. You need to connect one of the power outputs to something first. An LED and resistor in series is a good candidate for this.
  • Many UPSs will not produce output when connected to the battery alone. They need to be jump-started with AC power first. Once they get going they can be disconnected from external power and will run until the battery dies or you turn off the devices that it is powering.

Automatic Switching

Now here is where we get into the nitty gritty electronics. We modified the X10 wireless receiver and added an automatic switching circuit to replace the 4 position manual switch that you'd normally find on the bottom of the unit.

First you'll need to take the receiver apart. This isn't as easy as it sounds. Once you take apart the plastic enclosure you'll notice that the channel switch is mostly inside a metal enclosure. A lot of solder is used to keep this enclosure closed and in place. Think of this as a great opportunity to better familiarize yourself with desoldering wicks and solder suckers.

Once you remove all the solder and completely disassemble the enclosure you'll see that the channels are switched with a 12-pin 4-position slider switch. This switch has small solder points that we found difficult to remove. Keep trying though, it'll come out eventually.

The switch works as follows:

Pins:
-----
A B C D E F 
(the halves don't connect to each other)
a b c d e f

Positions:
----------
In position one, pin A connects to pin C 
and pin a connects to pin c and so on.

1. A-->C and a-->c
2. B-->D and b-->d
3. C-->E and c-->e
4. D-->F and d-->f

Once we knew how the switch worked we created a circuit that mimics the functionality of the switch. In order to keep things cheap and simple we went with common off-the-shelf integrated circuits. You can find the details of how to wire the circuit in this schematic. We used the wire-wrap method of wiring because we had the tools and mistakes are easier to correct.

An explanation of the circuit can be found in this episode's video. It basically works like this:

  • the 555 timer chip produces a clock signal
  • the 4017 Decade counter/divider counts the clock ticks from the 555 chip
  • two 4066 quad bilateral switches are wired to replicate each half of the switch we're replacing. They take a signal from the 4017 in order to know which pins to connect.

To accompany this circuit we added a button to switch between automatic and manual switching. The manual switch is constructed from a momentary switch connected to a 7400 quad NAND gate (wired as a switch debouncer). Finally, we added a variable slider resistor to control the auto-switching rate and an LED that is turned on and off by the switching circuit, to give a better idea of when the switching is actually taking place.

The circuit is fairly straightforward, but if you're very new to electronics do yourself a favor and buy extras of each chip (they each go for under $1).

Enclosure

A standard lockbox for money turned out to be the best enclosure we could find. It will be modified quite a bit, so get a sturdier double-walled version. This is where you'll have to get creative. The modifications you'll need to make to the box will depend on the exact components you choose. A rotary tool and drill with many bits will be your best friends here. This will also require digging around various hardware and surplus stores to find the exact screws, brackets, standoffs, and connectors to make everything fit securely.

Finishing Touches

We added a few extra features to make life a little easier for us. The signal from the wireless receiver was split and wired to a component jack we mounted to the outside of the box. Also, the X10 antenna was replaced with a coax connector on the outside of the box so we could have more flexibility and range with the antennas we choose. Finally we added a cutoff switch that allows us to cut power to the switching circuit and the receiver to save battery life.

Final Notes

There is more than one way to construct such a device. Our design was largely a result of what was available to us in our local surplus electronics shop. Live there while building the device; you'll learn a lot and may come up with a better design than we did.

Take note of the wattage of the power supply you use. Our power supply turned out to be too weak to drive all our components so we had to wire our LCD directly to the battery.