Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Hacker-Built PC Scans 300 Wifi Networks At Once

Posted by Zonk on Fri Sep 01, 2006 11:19 PM
from the quite-the-multitasker dept.
Wireless Networking Hardware
An anonymous reader writes to mention an Engadget post on an incredibly powerful wifi scanner. The 'Janus Project', as it is called, can sniff 300 networks simultaneously. It stores and encrypts the data as it receives it, for later use. From the article: "In addition, the Janus Project has an instant off switch, which requires a USB key that has a 2000-bit passkey and a separate password to regain access. What's under the hood? Williams packed an Ubuntu Linux machine running on a 1.5GHz VIA C7 processor with an Acer 17-inch screen into that snazzy little rugged yellow box. Oh, and the closed case is waterproof too, in case you need to transport Janus Project on a whitewater raft to your next hacking hotspot. We don't doubt someone will." The post leads to a tgdaily article, which offers more details.
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Hacker-Built PC Scans 300 Wifi Networks At Once 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Just another way to get thrown into Gitmo. (Score:3, Funny)

    by Anonymous Coward on Friday September 01 2006, @11:20PM (#16028517)
    Bush would be proud.

    • Re: (Score:2, Informative)

      by LiquidCoooled (634315)
      The poster isn't wrong, from the thg article

      After the Instant Off switch is hit, a USB key with a 2000-bit passkey and a manually entered password are needed to access the computer. Williams said that even if someone managed to grab the USB key, they would still have to "torture or bribe me" to get the password.

      In the UK, the RIP act allows you to be thrown in jail for 3 years for not supplying the encryption keys, in America I can quite easily picture this guy wearing his leather hat and some fetching oran

        • Re: (Score:3, Interesting)

          by hazem (472289)
          If you are not under arrest, and if they are simply investigating, you don't have as many protections and you can be charged with interfering with a federal investigation. There's some kind of legal "trilemna" that is considered unethical - but is often used by the government to get around the "self-incrimination" issue:

          Your three choices are:
          1) answer the questions/comply with information requests - which ends up incriminating you
          2) refuse to answer the questions - now you can be charged with interfering
  • Time to enable encryption on your wireless network. It's not foolproof, but it'll make you a smaller target.
    • Encrypted networks ARE the target when it comes to wireless "hacking"
      • I hate to be needlessly cruel, but did you even read the fing summary? It's about SCANNING, not necessarily hacking; if you have 250 users worth of unencrypted data, and 50 users with strong encryption, you'll probably find that the encrypted ones aren't worth your time.

        I don't think that this machine can scan, decrypt, and record 300 WiFi Networks in real-time.

        • Re:Just about time (Score:5, Interesting)

          by Kadin2048 (468275) <slashdot@kadin.xoxy@net> on Friday September 01 2006, @11:35PM (#16028567) Homepage Journal
          Did you even read the article?
          In addition to scanning for wireless traffic, Williams says the computer can break most WEP keys very quickly by focusing all eight wireless cards on the access point. Using a combination of common utilities like airreplay, airdump and aircrack, Willams said, "When I use all 8 radios to focus in on a single access point, [the WEP key] lasts less than five minutes." However, he added that some retail wireless access points will "just die" after being hit with so much traffic.
          ...
          Williams is improving the Janus computer to crack wireless networks even faster. He is optimizing software routines to use the C7 chip to crack WPA and WPA2 protected networks without the use of Rainbow tables. He is also working on breaking SHA1 and RSA encryption in a single processor instruction cycle.

          No, it can't decrypt traffic from 300 networks at once, but it can certainly crack one that's encrypted with some of the most common algorithms rather quickly. It's more than just a recording device. Although, if it really can crack networks that quickly, then concievably you could crack all the WEP-enabled networks in range, and then start logging all the traffic on all the networks that you could hear, encrypted and not, for later analysis.
          • He is also working on breaking SHA1 and RSA encryption in a single processor instruction cycle.

            Oh come on... That just makes him sound like a nutcase.
        • It is pretty good at cracking WEP

          In addition to scanning for wireless traffic, Williams says the computer can break most WEP keys very quickly by focusing all eight wireless cards on the access point. Using a combination of common utilities like airreplay, airdump and aircrack, Willams said, "When I use all 8 radios to focus in on a single access point, [the WEP key] lasts less than five minutes." However, he added that some retail wireless access points will "just die" after being hit with so much traffic

    • Too true. Secure wireless is an oxymoron. If it's wireless, it's insecure depending only upon on how determined the snooper is so if your data is sensitive, don't broadcast it. The only way to fully guarantee the integrity of your wireless network is to disconnect your WAP and bury it in the backyard.
      • What if you use a strong VPN between your wireless computer and your access-point? Granted, there is no proof that encryption cannot be cracked, but up to this day, strong encryption is considered pretty secured.

  • Already a common feature (Score:5, Funny)

    by Kagura (843695) on Friday September 01 2006, @11:24PM (#16028533)
    "In addition, the Janus Project has an instant off switch, which requires a USB key that has a 2000-bit passkey and a separate password to regain access.

    I use a hammer, you use an instant-off switch that you'll never be able to turn back on. At the end of the day, at least one of us will have released some pent-up frustration and anger. :)
    • There are so many hammers [hammernet.com] to choose from!

      (OMG - and you thought Geek sites were bad - "hammernet". Sheesh!)

    • Must feel great when he has the USB key in his shirt pocket, leans over a railing on top of a cliff or tall building and then the USB key leaps for freedom. 'Nobody turn the computer off... PLEASE!!'

  • This device is against FCC Part 15 rules (Score:5, Interesting)

    by w9ofa (68126) on Friday September 01 2006, @11:32PM (#16028555) Homepage
    The one watt amplifiers mentioned in the article almost guarantees that this device is operating outside the FCC part 15 rules.

    I know everyone on /. hates the FCC, but consider how many nearby wireless networks might be effectively DoS'ed while he is trying
    to hack some schmuck's WEP key.

  • Sell? (Score:3, Interesting)

    by SocialEngineer (673690) <<moc.liamg> <ta> <adnapdetrevni>> on Friday September 01 2006, @11:34PM (#16028563) Homepage

    I'm sorry, but I don't see much in the way of commercial application for this thing - we know standard wireless networking encryption isn't secure. We know it can be cracked, and it can be cracked with just 2 cheap laptops to capture the data. There isn't much more of a need for proof-of-concept anymore.

      • The military probably already has similar cheaper devices

        Oh, not so sure about the military, but you know the FBI / NSA / CIA have them - BUT I bet they are not cheaper. EVERYTHING the government does costs more. After all, it's not like they guys buying shit are using their own money now... Network General has been making network sniffers for years, but their $20K boxes really don't do much more than a cheap laptop running ethereal(wireshark) and other misc open source tools.

  • :o\ (Score:5, Insightful)

    by TubeSteak (669689) on Friday September 01 2006, @11:37PM (#16028575) Journal
    From his Riviera hotel room and using a 1W amplified antenna, Williams said his Janus computer was able to capture data from 300 access points simultaneously. He said over 2000 access points were scanned and 3.5 GB of traffic was captured during the entire convention.
    ...
    Williams told us that he has spent a few thousand dollars building the Janus computer and hopes to make his money back by selling commercial versions to big companies and government organizations. "Maybe one day I could get the military to be a customer," said Williams.
    Forget the military, how about corporate espionage?

    I imagine that'd be a bit more productive.

  • I wish them good luck! (Score:5, Funny)

    by Browzer (17971) on Friday September 01 2006, @11:42PM (#16028591)

    Williams is improving the Janus computer to crack wireless networks even faster. He is optimizing software routines to use the C7 chip to crack WPA and WPA2 protected networks without the use of Rainbow tables. He is also working on breaking SHA1 and RSA encryption in a single processor instruction cycle.


    • He is also working on breaking SHA1 and RSA encryption in a single processor instruction cycle.

      move.l <key>,d0

      That was easy.
      I'm not sure it's possible in x86 processors though.
    • In other news, he has also announced that the next version of the Janus project will be powered by the Easter Bunny running on a very small, internally mounted gerbil wheel.

    • Re: (Score:3, Informative)

      by LiquidCoooled (634315)
      Actually, if you read the documentation for the VIA Padlock [via.com.tw] hardware encryption/decryption engine, you would realise that they talk about realtime encryption/decryption, its not a software operation, its a set of on-die commands.
    • He is also working on breaking SHA1 and RSA encryption in a single processor instruction cycle.

      RISC is so passe nowadays.
      • If we account for reporter incompetence, it seems he is claiming that he is looking for a way to determine that the hash doesn't match, in constant time. Probably working under some assumptions about the length, etc.

        But considering how mangled that sentence is, theoretically, I'd wait for a claim directly from the source before claiming crackpot.

  • So use VPNs. (Score:5, Interesting)

    by Randseed (132501) on Friday September 01 2006, @11:45PM (#16028597)
    You'd think by now that people would go ahead and use WEP or WPA, but tunnel traffic over a VPN even to internal sites. That's what I do. While someone may be able to crack my WEP or WPA keys, all that gets them is the ability to access the VPN port on the router. Everything else, including traffic to internal machines, is dropped unless it comes from the VPN. And since the VPN address is on a seperate subnet, the WAP won't route the traffic if you force your IP address to be open, but appear as the VPN IP address.

    Obvoiusly not foolproof. I need to get all the machines to drop the traffic unless it's routed through the router. In other words, it doesn't matter where it comes from, but the machines will only listen to traffic coming in off the VPN subnet, and then only listen to that if it's being routed by the internal router. That keeps someone from being cute somehow and confusing the network by plugging something in with an IP address that's on the VPN subnet; since it wouldn't come via the internal router (VPN server), the machines would go "Uh, WTF?"

    • You'd think by now that people would go ahead and use WEP or WPA, but tunnel traffic over a VPN even to internal sites. That's what I do. While someone may be able to crack my WEP or WPA keys, all that gets them is the ability to access the VPN port on the router.

      That is because you truly take wireless security seriously where as 97% of the people do not. This is the ONLY proven way to secure wireless short of unpluging it. In such cases like this, all a hacker could do is DoS you, which is minor.

    • Re: (Score:3, Informative)

      by walt-sjc (145127)
      I don't bother with wep at all. My AP is wide open, and connects to a dedicated interface on my gateway server. Similar to your setup, the only ports open on that interface are for VPN - other than that it's stealth. No point in the additional encryption that just slows things down without proividing any real security.

  • Some corrections (Score:5, Informative)

    by Anonymous Coward on Friday September 01 2006, @11:48PM (#16028602)
    The "2000 bit passkey" is really the disk encryption keys for loop-aes. See http://loop-aes.sourceforge.net/loop-AES.README [sourceforge.net] . They are longer than 2000 bits.

    The disk encryption keys are stored on USB and decrypted via passphrase (key encryption key) using a custom init process that mounts the encrypted loop-aes disk(s) and does the pivot_root / exec init into the target. This gives you full disk encryption booting from a trusted read-only kernel+initrd iso image. (or hdd bootloader)

    The "instant off" is the key zeroisation mechanism where loop-aes keys (rotated in memory) are flushed and the disks are now inaccesible. A reboot and passphrase auth with USB key device present is then required to get back to a working state.

    The use of 8 radios means most of them are in monitor mode attached to different antennas. There are two amplified cards (1W teletronics in line) which can be used for injection / active attacks, but 2 transmitting radios is about the limit practically speaking due to 802.11MAC / CSCA.

    The WPA/WPA2 cracking references WPA-PSK dictionary attacks / cowpatty speedup via the Padlock hash engine SHA1 instruction. This gives you about a 10-20x increase in dictionary attack throughput but is still slow compared to most attacks. Many other kernel functions (loop-aes, IPsec, entropy in /dev/random) and user space applications (openssl, openvpn) are also tweaked to utilize the padlock core described here: http://www.via.com.tw/en/initiatives/padlock/hardw are.jsp [via.com.tw] . Montgomery multiplication offload is still in the works...

    [The "breaking SHA1 and RSA encryption in a single processor instruction cycle" line appears to confuse the implementation of these primitives (SHA1/MontMult) in a single instruction. These are not cracked by a single instruction.]

    The comment about government sales is likely due to the fact that this system is well over FCC EIRP limits, thus restricting commercial sales to military or emergency services.

    Additional images here:
    http://s103.photobucket.com/albums/m127/coderman42 /?action=view&current=janusbox.jpg&refPage=&imgAnc h=imgAnch3 [photobucket.com]
    http://s103.photobucket.com/albums/m127/coderman42 /?action=view&current=janusbox-dev.jpg&refPage=&im gAnch=imgAnch2 [photobucket.com]
    • Okay, this is one of the most informative posts ever. People are thinking this is Williams, the original guy who built the box (even though the thread [slashdot.org] credits someone else).

      I don't see how that post could be modded overrated. If I get modded troll and otherwise ignored...
      • i don't know who suggested/queued the original article intro posted by Zonk. i am involved on the software side and posted the anonymous corrections (prior to recovering this long idle acct) since neither Kyle nor myself were contacted prior to publication to verify technical details in content as evidenced by the couple of mis-quoted or mis-interpreted points above.

        or perhaps this is all an elaborate rouse designed to make you think in that direction... ;)
      • Do we have to worry about the device falling into the wrong hands?

        Accidental sterilization due to prolonged RF absorbtion is a serious problem. Also, a bottle of excedrin helps keep the microwave headaches at bay...

        [but seriously, use a properly keyed VPN over wireless and you're in good shape against any attacker.]

  • Snazzy little yellow box? (Score:3, Informative)

    by Ec|ipse (52) on Saturday September 02 2006, @12:09AM (#16028636)
    FYI, it's a Pelican box, I have several that I use for SCUBA diving.
  • SSID="linksys" (or SSID="default")

  • 283 * 0 = 0 (Score:4, Interesting)

    by Doc Ruby (173196) on Saturday September 02 2006, @12:33AM (#16028691) Homepage Journal
    The WiFi bandwidth has 17 data channels, each of which can be controlled by only one network at one time. How can a single node sniff more than 17 networks simultaneously.
    • 17 theoretical channels, but only 11 are used in the US. As for sniffing multiple networks on the same channel, it is possible if they are far enough apart and you are between them. You could pick up both as long as they didn't happen to send a packet at the same time. But 300 distinct networks at a single location? Seems far fetched to me.

      • Re: (Score:3, Informative)

        by anethema (99553)
        Actually, while 11 channels are claimed, there really are only 3.

        1, 6, 11.

        Any other channels are just varying degrees of overlap with these 3.
  • I'm skeptical. If all you had to do to recieve faint signals was to amplify the antenna, then everyone would do it and you'd have awesome range without needing to increase the signal strength. But it doesn't work like that. The higher the gain, the more noise you get. And with all those people broadcasting on overlapping channels along with normal interferrence, noise is exactly what you're going to get.
  • So what exactly does he do with all those purloined keys?

    I employ two of three possible methods to secure my network, MAC filters and WPA keys. So I was thinking, how does this deal with MAC filters. Then it came to me that the first two octets of the MAC are easy - Intel has a pretty big lock on wireless, as does Broadcom. So that's 65,535 fewer combinations to look for. But where it gets interesting is in the last four octets. That leaves 4,294,967,296 possible combinations. Not that you couldn't brute
    • Presumably they just wait until someone else joins the network, listen to their MAC address, and use that. Since it's a bus network, it isn't even always obvious when you have two conflicting MACs.
  • Drop the leading letter off the name of your project then it would be funny.
    • Just refer them to this post.

      When they trace the VoIP calls back to your network, just tell the cops; "Um, yeah, I saw those guys leave, just as I as pulling up. They were using my secured network without my permission, then they entered my secure house and took my snacks from my child-proof cabinet. Then drove off in my locked car, carrying my secured weapons safe..."

      Just add network access to the list of "secured" items that can be taken.

    • See the clarification post. The passphrase is used to decrypt disk keys for loop-aes which contain more than 2000 bits of entropy. (23400 bits / 2925 bytes across 65 key lines to be precise. see the loop-aes readme for more detail)

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.