Hacking The Cloud
November 29, 2012

Cloud Computing Yields Cheap Hacking

Michael Harper for redOrbit.com — Your Universe Online

Our mobile devices (smartphones, tablets and the like) give us access to the Internet anywhere there is a connection. Not all devices are created equal, however, and some are simply better suited than others to handle the task of browsing the web. To level the playing field, some browsers, such as the browser on Amazon's Kindle Fire tablets, work in the cloud. Rather than depend on the device to render the content (text, JavaScript, pictures, etc.), the “heavy lifting,” as it were, is done in the cloud. Then the device simply pulls down the completed picture, providing the user with a faster web browsing experience.

Now, some researchers from North Carolina State University and the University of Oregon have found a way to hack this technique, tricking the cloud-based servers into doing some of their intensive calculations without having to buy their own workhorse machines.

These computer scientists have described this new hack in a paper entitled "Abusing Cloud-Based Browsers for Fun and Profit," and plan to present their results on December 6th at the 2012 Annual Computer Security Applications Conference in Orlando, Florida.

While there are plenty of choices for cloud-based browsers, these computer scientists used Puffin, a mobile browser currently available in both the iTunes App Store and Google's Play store. By creating a browser that mimics Puffin, this East-Meets-West team was able to trick the servers in the cloud into performing some of their computations, all for free and relatively anonymously. Out of ethical considerations, the team limited what they asked these servers to calculate, taking care not to overload or crash the computers. However, while these scientists may have nothing but noble intentions, they also warned that others could use this same security hole to perform attacks, such as DDoS. Hackers could also trick these cloud-based servers into running the intensive calculations necessary to crack passwords with relative anonymity.

"By rendering Web pages in the cloud, the providers of cloud browsers can become open computation centers, much in the same way that poorly configured mail servers become open relays," writes the team in their paper.

"The example applications shown in this paper were an academic exercise targeted at demonstrating the capabilities of cloud browsers. There is great potential to abuse these services for other purposes."

They estimate that this hack could be used to trick these cloud-based computers into generating more than 24,000 cryptographic hashes in one second. The current method works with Puffin on both Android and iOS devices, though the team warned this method could be used on other cloud-based browsers, such as Amazon's Silk browser and Opera Mini.

In order to fly under the radar, the team's method also breaks down the heavy jobs into smaller fragments, then sends them as separate instances into the cloud. Once the tasks are completed, they are sent back through the browser and reassembled into one larger task.

According to Ars Technica, these cloud browser providers are already taking steps to cinch up their offerings and keep these kinds of attacks at bay. The researchers are likely pleased with their efforts, saying: "Based on our findings, we observe that the computational ability made freely available by cloud browsers allows for an open compute center that is valuable and warrants substantially more careful protection."