Slashdot Mirror


Hacker-Built PC Scans 300 Wifi Networks At Once

An anonymous reader writes to mention an Engadget post on an incredibly powerful wifi scanner. The 'Janus Project', as it is called, can sniff 300 networks simultaneously. It stores and encrypts the data as it receives it, for later use. From the article: "In addition, the Janus Project has an instant off switch, which requires a USB key that has a 2000-bit passkey and a separate password to regain access. What's under the hood? Williams packed an Ubuntu Linux machine running on a 1.5GHz VIA C7 processor with an Acer 17-inch screen into that snazzy little rugged yellow box. Oh, and the closed case is waterproof too, in case you need to transport Janus Project on a whitewater raft to your next hacking hotspot. We don't doubt someone will." The post leads to a tgdaily article, which offers more details.

28 of 121 comments

  1. Just another way to get thrown into Gitmo. by Anonymous Coward · · Score: 3, Funny

    Bush would be proud.

    1. Re:Just another way to get thrown into Gitmo. by LiquidCoooled · · Score: 2, Informative

      The poster isn't wrong, from the thg article

      After the Instant Off switch is hit, a USB key with a 2000-bit passkey and a manually entered password are needed to access the computer. Williams said that even if someone managed to grab the USB key, they would still have to "torture or bribe me" to get the password.

      In the UK, the RIP act allows you to be thrown in jail for 3 years for not supplying the encryption keys, in America I can quite easily picture this guy wearing his leather hat and some fetching orange clothing.

      After all, his box does look like the computers the criminal ring leaders use in most movies.

      --
      liqbase :: faster than paper
    2. Re:Just another way to get thrown into Gitmo. by hazem · · Score: 2, Interesting

      If you are not under arrest, and if they are simply investigating, you don't have as many protections and you can be charged with interfering with a federal investigation. There's some kind of legal "trilemma" that is considered unethical - but is often used by the government to get around the "self-incrimination" issue:

      Your three choices are:
      1) answer the questions/comply with information requests - which ends up incriminating you
      2) refuse to answer the questions - now you can be charged with interfering with the investigation
      3) lie - and now you're lying to a federal investigator, which is also a crime

      Sure, the 5th amendment says you're not supposed to be compelled to testify against yourself - but you have to be arrested before that protection really comes into play.

      Oh, I know, if you haven't done anything wrong, you have nothing to worry about... because the government never makes mistakes, never does things out of malice, and never has an agenda other than liberty and justice for all.

  2. Already a common feature by Kagura · · Score: 5, Funny

    "In addition, the Janus Project has an instant off switch, which requires a USB key that has a 2000-bit passkey and a separate password to regain access.

    I use a hammer, you use an instant-off switch that you'll never be able to turn back on. At the end of the day, at least one of us will have released some pent-up frustration and anger. :)

    1. Re:Already a common feature by legoburner · · Score: 2, Funny

      Must feel great when he has the USB key in his shirt pocket, leans over a railing on top of a cliff or tall building and then the USB key leaps for freedom. 'Nobody turn the computer off... PLEASE!!'

  3. This device is against FCC Part 15 rules by w9ofa · · Score: 5, Interesting

    The one watt amplifiers mentioned in the article almost guarantee that this device is operating outside the FCC part 15 rules.

    I know everyone on /. hates the FCC, but consider how many nearby wireless networks might be effectively DoS'ed while he is trying to hack some schmuck's WEP key.

    1. Re:This device is against FCC Part 15 rules by TooMuchToDo · · Score: 5, Insightful

      If you're using this device, you most likely don't care about Part 15.

      -b

    2. Re:This device is against FCC Part 15 rules by RyuuzakiTetsuya · · Score: 4, Insightful

      On the contrary, the FCC regulating my microwave not to interfere with my WiFi or my wireless phone I like.

      The FCC regulating whether or not I can say FUCK on the radio, I don't.

      --
      Non impediti ratione cogitationus.
    3. Re:This device is against FCC Part 15 rules by argStyopa · · Score: 3, Insightful

      Of course on /., this is "insightful". To me, it's just juvenile egoism shining brightly.

      "I like the way the rules help me in one way, I don't like the way the rules constrain me in another way."

      At some point, the organism understands that society - the collective "we" that live together - cannot exist without compromise, and the essence of compromise is empathy.

      Perhaps you might consider that some of us would prefer that you pollute your own yard, not the collective commons that is the public airwaves.

      --
      -Styopa
  4. Sell? by SocialEngineer · · Score: 2, Interesting

    I'm sorry, but I don't see much in the way of commercial application for this thing - we know standard wireless networking encryption isn't secure. We know it can be cracked, and it can be cracked with just 2 cheap laptops to capture the data. There isn't much more of a need for proof-of-concept anymore.

    --
    "Better to be vulgar than non-existent" -Bev Henson
  5. Re:Just about time by Kadin2048 · · Score: 4, Interesting
    Did you even read the article?
    In addition to scanning for wireless traffic, Williams says the computer can break most WEP keys very quickly by focusing all eight wireless cards on the access point. Using a combination of common utilities like airreplay, airdump and aircrack, Williams said, "When I use all 8 radios to focus in on a single access point, [the WEP key] lasts less than five minutes." However, he added that some retail wireless access points will "just die" after being hit with so much traffic.
    ...
    Williams is improving the Janus computer to crack wireless networks even faster. He is optimizing software routines to use the C7 chip to crack WPA and WPA2 protected networks without the use of Rainbow tables. He is also working on breaking SHA1 and RSA encryption in a single processor instruction cycle.

    No, it can't decrypt traffic from 300 networks at once, but it can certainly crack one that's encrypted with some of the most common algorithms rather quickly. It's more than just a recording device. Although, if it really can crack networks that quickly, then conceivably you could crack all the WEP-enabled networks in range, and then start logging all the traffic on all the networks that you could hear, encrypted and not, for later analysis.
    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  6. What kind of hammer? by NotQuiteReal · · Score: 2, Funny
    There are so many hammers to choose from!

    (OMG - and you thought Geek sites were bad - "hammernet". Sheesh!)

    --
    This issue is a bit more complicated than you think.
  7. Re:Just about time by TheOtherChimeraTwin · · Score: 2, Informative
    It is pretty good at cracking WEP

    In addition to scanning for wireless traffic, Williams says the computer can break most WEP keys very quickly by focusing all eight wireless cards on the access point. Using a combination of common utilities like airreplay, airdump and aircrack, Williams said, "When I use all 8 radios to focus in on a single access point, [the WEP key] lasts less than five minutes." However, he added that some retail wireless access points will "just die" after being hit with so much traffic.
  8. :o\ by TubeSteak · · Score: 4, Insightful
    From his Riviera hotel room and using a 1W amplified antenna, Williams said his Janus computer was able to capture data from 300 access points simultaneously. He said over 2000 access points were scanned and 3.5 GB of traffic was captured during the entire convention.
    ...
    Williams told us that he has spent a few thousand dollars building the Janus computer and hopes to make his money back by selling commercial versions to big companies and government organizations. "Maybe one day I could get the military to be a customer," said Williams.
    Forget the military, how about corporate espionage?

    I imagine that'd be a bit more productive.
    --
    [Fuck Beta]
    o0t!
  9. I wish them good luck! by Browzer · · Score: 5, Funny

    Williams is improving the Janus computer to crack wireless networks even faster. He is optimizing software routines to use the C7 chip to crack WPA and WPA2 protected networks without the use of Rainbow tables. He is also working on breaking SHA1 and RSA encryption in a single processor instruction cycle.


    1. Re:I wish them good luck! by keeboo · · Score: 2, Funny

      He is also working on breaking SHA1 and RSA encryption in a single processor instruction cycle.

      move.l <key>,d0

      That was easy.
      I'm not sure it's possible in x86 processors though.

    2. Re:I wish them good luck! by LiquidCoooled · · Score: 3, Informative

      Actually, if you read the documentation for the VIA Padlock hardware encryption/decryption engine, you would realise that they talk about realtime encryption/decryption, it's not a software operation, it's a set of on-die commands.

      --
      liqbase :: faster than paper
  10. So use VPNs. by Randseed · · Score: 4, Interesting
    You'd think by now that people would go ahead and use WEP or WPA, but tunnel traffic over a VPN even to internal sites. That's what I do. While someone may be able to crack my WEP or WPA keys, all that gets them is the ability to access the VPN port on the router. Everything else, including traffic to internal machines, is dropped unless it comes from the VPN. And since the VPN address is on a separate subnet, the WAP won't route the traffic if you force your IP address to be open, but appear as the VPN IP address.

    Obviously not foolproof. I need to get all the machines to drop the traffic unless it's routed through the router. In other words, it doesn't matter where it comes from, but the machines will only listen to traffic coming in off the VPN subnet, and then only listen to that if it's being routed by the internal router. That keeps someone from being cute somehow and confusing the network by plugging something in with an IP address that's on the VPN subnet; since it wouldn't come via the internal router (VPN server), the machines would go "Uh, WTF?"

    1. Re:So use VPNs. by walt-sjc · · Score: 2, Informative

      I don't bother with WEP at all. My AP is wide open, and connects to a dedicated interface on my gateway server. Similar to your setup, the only ports open on that interface are for VPN - other than that it's stealth. No point in the additional encryption that just slows things down without providing any real security.

  11. Some corrections by Anonymous Coward · · Score: 5, Informative

    The "2000 bit passkey" is really the disk encryption keys for loop-aes. See http://loop-aes.sourceforge.net/loop-AES.README . They are longer than 2000 bits.

    The disk encryption keys are stored on USB and decrypted via passphrase (key encryption key) using a custom init process that mounts the encrypted loop-aes disk(s) and does the pivot_root / exec init into the target. This gives you full disk encryption booting from a trusted read-only kernel+initrd iso image. (or hdd bootloader)

    The "instant off" is the key zeroisation mechanism where loop-aes keys (rotated in memory) are flushed and the disks are now inaccessible. A reboot and passphrase auth with USB key device present is then required to get back to a working state.

    The use of 8 radios means most of them are in monitor mode attached to different antennas. There are two amplified cards (1W teletronics in line) which can be used for injection / active attacks, but 2 transmitting radios is about the limit practically speaking due to 802.11MAC / CSCA.

    The WPA/WPA2 cracking references WPA-PSK dictionary attacks / cowpatty speedup via the Padlock hash engine SHA1 instruction. This gives you about a 10-20x increase in dictionary attack throughput but is still slow compared to most attacks. Many other kernel functions (loop-aes, IPsec, entropy in /dev/random) and user space applications (openssl, openvpn) are also tweaked to utilize the padlock core described here: http://www.via.com.tw/en/initiatives/padlock/hardware.jsp . Montgomery multiplication offload is still in the works...

    [The "breaking SHA1 and RSA encryption in a single processor instruction cycle" line appears to confuse the implementation of these primitives (SHA1/MontMult) in a single instruction. These are not cracked by a single instruction.]

    The comment about government sales is likely due to the fact that this system is well over FCC EIRP limits, thus restricting commercial sales to military or emergency services.

    Additional images here:
    http://s103.photobucket.com/albums/m127/coderman42/?action=view&current=janusbox.jpg&refPage=&imgAnch=imgAnch3
    http://s103.photobucket.com/albums/m127/coderman42/?action=view&current=janusbox-dev.jpg&refPage=&imgAnch=imgAnch2
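
The key handling described in the comment above (disk keys kept on USB, unwrapped by a passphrase-derived key encryption key, wiped from memory on "instant off"), as an added example that is not code from the thread, the Janus Project or loop-AES. The names `wrap` and `KeySlot`, the PBKDF2 iteration count and the HMAC-SHA256 counter-mode keystream are assumptions made here; the keystream is a standard-library stand-in for a vetted cipher.

```python
import hashlib, hmac, secrets

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value)

def _kek(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the passphrase."""
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, 64)
    return okm[:32], okm[32:]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: stdlib-only stand-in for a real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(passphrase: str, disk_keys: bytes) -> bytes:
    """Produce the encrypted key blob that would live on the USB stick."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc, mac = _kek(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(disk_keys, _keystream(enc, nonce, len(disk_keys))))
    tag = hmac.new(mac, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

class KeySlot:
    """Holds the unwrapped disk keys in a mutable buffer so they can be wiped."""
    def __init__(self):
        self._keys = None

    def unlock(self, usb_blob: bytes, passphrase: str) -> bool:
        salt, nonce, ct, tag = usb_blob[:16], usb_blob[16:32], usb_blob[32:-32], usb_blob[-32:]
        enc, mac = _kek(passphrase, salt)
        expect = hmac.new(mac, salt + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return False  # wrong passphrase or tampered blob: nothing is unwrapped
        self._keys = bytearray(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))
        return True

    def zeroise(self) -> None:
        """'Instant off': overwrite the key buffer in place, then drop it."""
        if self._keys is not None:
            self._keys[:] = bytes(len(self._keys))
            self._keys = None

    def keys(self) -> bytes:
        if self._keys is None:
            raise PermissionError("locked: USB blob and passphrase required")
        return bytes(self._keys)
```

In CPython the in-place overwrite covers only the `bytearray`; copies returned by `keys()` or created during unwrapping are not wiped.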

  12. Snazzy little yellow box? by Ec|ipse · · Score: 2, Informative

    FYI, it's a Pelican box, I have several that I use for SCUBA diving.

  13. Also in the next version by Kadin2048 · · Score: 2, Funny

    In other news, he has also announced that the next version of the Janus project will be powered by the Easter Bunny running on a very small, internally mounted gerbil wheel.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Also in the next version by rolfwind · · Score: 4, Funny

      Perhaps you mean the Energizer Bunny.

      The Easter Bunny would just melt into a chocolatey mess.

  14. Simpler version scans almost as many by noidentity · · Score: 2, Insightful

    SSID="linksys" (or SSID="default")

  15. 283 * 0 = 0 by Doc+Ruby · · Score: 3, Interesting

    The WiFi bandwidth has 17 data channels, each of which can be controlled by only one network at one time. How can a single node sniff more than 17 networks simultaneously?

    --
    make install -not war

    1. Re:283 * 0 = 0 by anethema · · Score: 2, Informative

      Actually, while 11 channels are claimed, there really are only 3.

      1, 6, 11.

      Any other channels are just varying degrees of overlap with these 3.

      --
      It's easier to fight for one's principles than to live up to them.
  16. Why modded overrated? by dch24 · · Score: 2, Insightful

    Okay, this is one of the most informative posts ever. People are thinking this is Williams, the original guy who built the box (even though the thread credits someone else).

    I don't see how that post could be modded overrated. If I get modded troll and otherwise ignored...

  17. Re:love the picture in the tgdaily article by Clover_Kicker · · Score: 4, Funny

    > However, my penis is touched by a woman regularly. I win.

    I've told you before, we don't want to hear about the herpes clinic.