Amazon EC2 enables brute-force attacks on the cheap

German researcher attributes success to GPU clusters, weaknesses in SHA-1

The cloud is proving itself a double-edged sword: It grants individuals and organizations with limited resources quick, inexpensive access to a wealth of computing power. That's all well and good for a research organization crunching data to cure a debilitating disease or a developer who has authored the next big mobile app. But bad guys can harness that same inexpensive power to commit cyber crimes in a new, convenient way.

A German white-hat hacker named Thomas Roth claims he has found a way to use EC2 and some custom software to crack the password of WPA-PSK-protected networks in around 20 minutes. With some tweaks to his software -- which tests 400,000 passwords per second using the EC2 compute power -- Roth said he has could reduce that cracking time to six minutes, about $1.68 worth of time on Amazon EC2. (Amazon charges 28 cents per minute to use its services.)

The exploitation of public cloud services to perform misdeeds isn't entirely new, a point that Roth himself acknowledges in his blog: "Moxie Marlinspike, a hacker/sailor/pyrotechnician, is running a service called WPACracker that can be used for cracking handshake captures of WPA-PSK using several very large dictionaries on a 400 CPU cluster that runs on the Amazon cloud."

What's new here, according to Roth, is the speed with which password storage on SHA-1 hashes can be extracted, thanks to Amazon's new cluster GPU instances. "GPUs are (depending on the algorithm and the implementation) some hundred times faster compared to standard quad-core CPUs when it comes to brute forcing SHA-1 and MD," Roth explained.

GPU-assisted servers were previously available only in supercomputers and not to the public at large, according to Roth; that's changed with EC2. 

Roth attributes the success of his brute-force technique to a weakness in SHA-1. In an earlier blog posting, he wrote, "SHA-1 was never made to store passwords. SHA-1 is a hash algorithm, it was made for verifying data. It was made to be as fast and as collision free as possible, and that's the problem when using it for storing passwords: It's too fast! ... Instead of hash algorithms, one should use key-derivation functions like PBKDF2 or scrypt. Some of these functions hash passwords some thousand times and make brute forcing a lot harder."

Among the questions Roth's research raises is, what role should Amazon and other public-cloud service providers play in preventing customers from using their services to commit crimes? Clearly, these services are being exploited to commit crimes. Yet is it reasonable to expect a provider to scrutinize and monitor all of its customers' activities in a Big Brother-like manner, in the name of preventing potential crimes from being committed. Few customers would likely accept that sort of invasiveness.

Notably, even Amazon's decision to to boot WikiLeaks from its servers has received mixed reactions, earning both praise and criticism.

Follow Ted Samson on Twitter at tsamson_iw.

This article, "Amazon EC2 enables brute-force attacks on the cheap," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog, and for the latest in business techonology news, follow on Twitter.

Copyright © 2011 IDG Communications, Inc.

How to choose a low-code development platform