January 8, 2011

Amazon Cloud Can Help WiFi Hackers

A fairly cheap and quick way to break a commonly used form of password protection for wireless networks has been found, according to a security researcher, who says it can be done using powerful computers that anybody can lease from Amazon.com over the Web.

Thomas Roth, a computer security consultant from Cologne, Germany, says he can hack into protected networks using special software that he has written that runs on Amazon's cloud-based computers. The software tests 400,000 potential passwords every second using Amazon's high-speed computers.

If true, it would leave businesses and home networks prone to attack if they use relatively simple passwords to secure their networks.

Amazon leases computers to developers and other companies that do not have the money to buy their own equipment, or do not use it frequently enough to warrant doing so. Amazon's customers include individual programmers as well as corporate users.

An Amazon spokesman said that Roth's research would only violate his company's policies if he were to use Amazon Web Services (AWS) and its Elastic Compute Cloud (EC2) computing service to hack into a network without permission.

"Nothing in this researcher's work is predicated on the use of Amazon EC2. As researchers often do, he used EC2 as a tool to show how the security of some network configurations can be improved," Amazon spokesman Drew Herdener told Reuters.

"Testing is an excellent use of AWS, however, it is a violation of our acceptable use policy to use our services to compromise the security of a network without authorization," said Herdener.

Roth says he will distribute the software to the public and teach people how to use it later this month at the Black Hat hacking conference in Washington DC. He said he is publicizing his work in a bid to convince skeptical network administrators that a commonly used method for scrambling data that travels across password-protected Wi-Fi networks is not strong enough to keep crafty hackers from breaking into networks.

The encryption method, dubbed WPA-PSK, scrambles data using a single password. If a potential intruder is able to decipher the password, he or she can gain access to computers and other devices on the network.

Roth said that the networks can be hacked by anyone who uses enough computing power to brute-force the passwords that protect them.

The average hacker would have had a difficult time figuring out those passwords before Amazon.com started leasing out its high-speed, powerful computers at relatively inexpensive rates. It takes the processing capability of multiple computers to perform the mathematical calculations needed to break the passwords.

Amazon charges users 28 cents per minute to use the machines that Roth used in his research. It would cost at least tens of thousands of dollars to purchase and maintain that equipment.

Roth said he used his software on Amazon's cloud-computers to break into a WPA-PSK protected network in his neighborhood. It took 20 minutes of processing time to achieve the feat. He said he has since updated the software to speed the performance and believes he could hack into the same network in about 6 minutes now.

"Once you are in, you can do everything you can do if you are connected to the network," he said.

Roth said he was not making the software public to encourage crime, but to change a misconception among network administrators. "People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a ton of money to do so. But it is easy to brute force them," he said.

