Hacker-Built PC Scans 300 Wifi Networks At Once

An anonymous reader writes to mention an Engadget post on an incredibly powerful wifi scanner. The 'Janus Project', as it is called, can sniff 300 networks simultaneously. It stores and encrypts the data as it receives it, for later use. From the article: "In addition, the Janus Project has an instant off switch, which requires a USB key that has a 2000-bit passkey and a separate password to regain access. What's under the hood? Williams packed an Ubuntu Linux machine running on a 1.5GHz VIA C7 processor with an Acer 17-inch screen into that snazzy little rugged yellow box. Oh, and the closed case is waterproof too, in case you need to transport Janus Project on a whitewater raft to your next hacking hotspot. We don't doubt someone will." The post leads to a tgdaily article, which offers more details.

Already a common feature

[Kagura]

"In addition, the Janus Project has an instant off switch, which requires a USB key that has a 2000-bit passkey and a separate password to regain access.

I use a hammer, you use an instant-off switch that you'll never be able to turn back on. At the end of the day, at least one of us will have released some pent-up frustration and anger. :)

This device is against FCC Part 15 rules

[w9ofa]

The one watt amplifiers mentioned in the article almost guarantees that this device is operating outside the FCC part 15 rules.

I know everyone on /. hates the FCC, but consider how many nearby wireless networks might be effectively DoS'ed while he is trying
to hack some schmuck's WEP key.

Re:This device is against FCC Part 15 rules

[TooMuchToDo]

If you're using this device, you most likely don't care about Part 15.

-b

Re:This device is against FCC Part 15 rules

[RyuuzakiTetsuya]

On the contrary, the FCC regulating my microwave not to interfere with my WiFi or my wireless phone I like.

The FCC regulating whether or not i can say FUCK on the radio, I don't.

Re:Just about time

[Kadin2048]

Did you even read the article?

In addition to scanning for wireless traffic, Williams says the computer can break most WEP keys very quickly by focusing all eight wireless cards on the access point. Using a combination of common utilities like airreplay, airdump and aircrack, Willams said, "When I use all 8 radios to focus in on a single access point, [the WEP key] lasts less than five minutes." However, he added that some retail wireless access points will "just die" after being hit with so much traffic.

...

Williams is improving the Janus computer to crack wireless networks even faster. He is optimizing software routines to use the C7 chip to crack WPA and WPA2 protected networks without the use of Rainbow tables. He is also working on breaking SHA1 and RSA encryption in a single processor instruction cycle.

No, it can't decrypt traffic from 300 networks at once, but it can certainly crack one that's encrypted with some of the most common algorithms rather quickly. It's more than just a recording device. Although, if it really can crack networks that quickly, then concievably you could crack all the WEP-enabled networks in range, and then start logging all the traffic on all the networks that you could hear, encrypted and not, for later analysis.

:o\

[TubeSteak]

From his Riviera hotel room and using a 1W amplified antenna, Williams said his Janus computer was able to capture data from 300 access points simultaneously. He said over 2000 access points were scanned and 3.5 GB of traffic was captured during the entire convention.
...
Williams told us that he has spent a few thousand dollars building the Janus computer and hopes to make his money back by selling commercial versions to big companies and government organizations. "Maybe one day I could get the military to be a customer," said Williams.

Forget the military, how about corporate espionage?

I imagine that'd be a bit more productive.

I wish them good luck!

[Browzer]

Williams is improving the Janus computer to crack wireless networks even faster. He is optimizing software routines to use the C7 chip to crack WPA and WPA2 protected networks without the use of Rainbow tables. He is also working on breaking SHA1 and RSA encryption in a single processor instruction cycle.

So use VPNs.

[Randseed]

You'd think by now that people would go ahead and use WEP or WPA, but tunnel traffic over a VPN even to internal sites. That's what I do. While someone may be able to crack my WEP or WPA keys, all that gets them is the ability to access the VPN port on the router. Everything else, including traffic to internal machines, is dropped unless it comes from the VPN. And since the VPN address is on a seperate subnet, the WAP won't route the traffic if you force your IP address to be open, but appear as the VPN IP address.

Obvoiusly not foolproof. I need to get all the machines to drop the traffic unless it's routed through the router. In other words, it doesn't matter where it comes from, but the machines will only listen to traffic coming in off the VPN subnet, and then only listen to that if it's being routed by the internal router. That keeps someone from being cute somehow and confusing the network by plugging something in with an IP address that's on the VPN subnet; since it wouldn't come via the internal router (VPN server), the machines would go "Uh, WTF?"

Some corrections

The "2000 bit passkey" is really the disk encryption keys for loop-aes. See http://loop-aes.sourceforge.net/loop-AES.README . They are longer than 2000 bits.

The disk encryption keys are stored on USB and decrypted via passphrase (key encryption key) using a custom init process that mounts the encrypted loop-aes disk(s) and does the pivot_root / exec init into the target. This gives you full disk encryption booting from a trusted read-only kernel+initrd iso image. (or hdd bootloader)

The "instant off" is the key zeroisation mechanism where loop-aes keys (rotated in memory) are flushed and the disks are now inaccesible. A reboot and passphrase auth with USB key device present is then required to get back to a working state.

The use of 8 radios means most of them are in monitor mode attached to different antennas. There are two amplified cards (1W teletronics in line) which can be used for injection / active attacks, but 2 transmitting radios is about the limit practically speaking due to 802.11MAC / CSCA.

The WPA/WPA2 cracking references WPA-PSK dictionary attacks / cowpatty speedup via the Padlock hash engine SHA1 instruction. This gives you about a 10-20x increase in dictionary attack throughput but is still slow compared to most attacks. Many other kernel functions (loop-aes, IPsec, entropy in /dev/random) and user space applications (openssl, openvpn) are also tweaked to utilize the padlock core described here: http://www.via.com.tw/en/initiatives/padlock/hardw are.jsp . Montgomery multiplication offload is still in the works...

[The "breaking SHA1 and RSA encryption in a single processor instruction cycle" line appears to confuse the implementation of these primitives (SHA1/MontMult) in a single instruction. These are not cracked by a single instruction.]

The comment about government sales is likely due to the fact that this system is well over FCC EIRP limits, thus restricting commercial sales to military or emergency services.

Additional images here:
http://s103.photobucket.com/albums/m127/coderman42 /?action=view&current=janusbox.jpg&refPage=&imgAnc h=imgAnch3
http://s103.photobucket.com/albums/m127/coderman42 /?action=view&current=janusbox-dev.jpg&refPage=&im gAnch=imgAnch2

Re:Also in the next version

[rolfwind]

Perhaps you mean the Energizer Bunny.

The Easter Bunny would just melt into a chocately mess.

Re:love the picture in the tgdaily article

[Clover_Kicker]

> However, my penis is touched by a woman regularly. I win.

I've told you before, we don't want to hear about the herpes clinic.