[ISN] A wireless hacking computer that can't be hacked

From: InfoSec News (alerts@private)
Date: Wed Aug 30 2006 - 23:05:25 PDT


By Humphrey Cheung
August 30, 2006

Las Vegas (NV) - If you think seeing a dozen wireless networks makes
your computer the ultimate scanning box, think again. A small security
firm has made a portable computer that is capable of scanning 300
networks simultaneously. Dubbed the "Janus Project", the computer also
has a unique "Instant Off" switch that renders the captured data

The computer is the brain-child of Kyle Williams from the Janus
Wireless Security Research Group in Portland, Oregon. We first spotted
Williams sitting quietly and sipping Mountain Dew at the recently held
Defcon security convention at the Riviera Casino in Las Vegas, Nevada.  
While it appeared as if Williams wasn't very busy, the bright yellow
Janus computer in front of him was scanning and capturing data from
hundreds of wireless networks in range.

At first glance, the Janus computer looks like a laptop, but Williams
said it is much more powerful than that. Inside the rugged yellow case
sits a mini-computer motherboard powered by a 1.5 GHz VIA C7 processor
and an Acer 17" LCD screen. Ubuntu 6.0 Linux runs the eight Atheros
a/b/g Gold mini-PCI cards which continuously scan wireless networks.  
The mini-PCI cards are connected to two four-port PCI to mini-PCI
converter boards. The wireless data is stored onto a 20 GB hard drive.

While the eight Wi-Fi cards are impressive, the Janus box also has two
Teletronics 1 watt amplifiers along with external antenna ports in the
back of the Pelican case. Williams made every port watertight by
sealing them with epoxy and silicone. "When the lid is closed, it is
essentially waterproof," said Williams.

So what does all of this wireless firepower provide? The Wi-Fi cards
allow Williams to continuously scan and capture traffic from any
wireless channel. Williams likes to continuously dump the raw network
traffic to the hard drive, while running the Kismet scanner to get a
"bird's eye" view of the area. From his Riviera hotel room and using a
1W amplified antenna, Williams said his Janus computer was able to
capture data from 300 access points simultaneously. He said over 2000
access points were scanned and 3.5 GB of traffic was captured during
the entire convention.

In addition to scanning for wireless traffic, Williams says the
computer can break most WEP keys very quickly by focusing all eight
wireless cards on the access point. Using a combination of common
utilities like aireplay, airodump and aircrack, Williams said, "When I
use all 8 radios to focus in on a single access point, [the WEP key]
lasts less than five minutes." However, he added that some retail
wireless access points will "just die" after being hit with so much

In addition to the capturing process, the hard drive and memory
contents are continuously encrypted with AES 256-bit keys. There is
also an "Instant Off" switch that, according to Williams, renders the
captured data inaccessible to anyone but him.

Williams and his friend Martin Peck optimized the OS crypto software
to take advantage of the C7's hardware crypto engine. During normal
operation the operating system loops the XFS file system, along with
the swap partition, through the AES 256-bit encryption. For added
security, the encryption keys are rotated throughout the entire memory

After the Instant Off switch is hit, a USB key with a 2000-bit passkey
and a manually entered password are needed to access the computer.  
Williams said that even if someone managed to grab the USB key, they
would still have to "torture or bribe me" to get the password.

Williams is improving the Janus computer to crack wireless networks
even faster. He is optimizing software routines to use the C7 chip to
crack WPA and WPA2 protected networks without the use of Rainbow
tables. He is also working on breaking SHA1 and RSA encryption in a
single processor instruction cycle.

Williams told us that he has spent a few thousand dollars building the
Janus computer and hopes to make his money back by selling commercial
versions to big companies and government organizations. "Maybe one day
I could get the military to be a customer," said Williams.
