Researchers found a number of security holes in virtual machine images published for use on Amazon Web Services. But, surprise! The problem wasn't with Amazon's platform, but with the customers who built and published the images.
Researchers uncovered multiple security problems within Amazon's cloud-computing services, caused not by the provider but by customers ignoring or forgetting basic security guidance.
The researchers looked at some 1,100 Amazon Machine Images (AMIs) and found that a majority of them contained security keys used to authenticate with other services and servers, Thomas Schneider, a post-doctoral researcher in the System Security Lab of Technische Universität Darmstadt, wrote in a paper.
"[Customers] just forgot to remove their API keys from machines before publishing," Schneider said.
AMIs are preconfigured bundles of operating system and application software used to create virtual machines. Anyone can create such an image and make it public so that others can use it when rolling out their own virtual infrastructure, and anyone with an Amazon Web Services account can browse through the public AMIs.
The researchers found that private keys used to authenticate with Amazon services such as EC2 (Elastic Compute Cloud) or S3 (Simple Storage Service) had been published inside those AMIs. About a third of the studied AMIs also contained SSH (Secure Shell) host keys or user keys. SSH is the standard tool for logging into and managing a virtual machine; host keys identify the server to connecting clients, and user keys authenticate the user to the server.
Unless the SSH host key is removed from the AMI so that each instance generates its own, every virtual machine created from that image will use the same key. Anyone who has the image therefore also holds the private host key and can impersonate the server to users connecting to it, a man-in-the-middle position the researchers warn could be used for phishing attacks. SSH user keys are also used for root-privileged log-ins: an authorized_keys file left in the image grants whoever holds the matching private key (the image publisher, for instance) super-user access to every instance launched from it, unless the instance owner discovers and closes this "backdoor," the researchers said.
With the authentication keys for EC2 and S3, any third-party miscreant can connect to the account and create "virtual infrastructure worth several thousands of dollars per day at the expense" of the original customer, the researchers found.
The AMIs also contained valid SSL (Secure Sockets Layer) certificates together with their private keys, which would allow attackers to impersonate the customers' servers. The researchers also uncovered source code for unpublished software products, passwords and personally identifiable information such as pictures and notes.
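What checking an image for this kind of leftover material looks like in practice, as an added example that is not from the article or from the researchers' study: a Python script that walks an unpacked image root (a mounted AMI volume, say) and reports the classes of secrets described above, namely baked-in SSH host keys, forgotten authorized_keys entries, PEM private keys for the EC2 API or SSL, AWS access key IDs in dotfiles and scripts, and leftover shell history. The file locations and regular expressions are this example's own heuristics, not an AWS or OpenSSH specification, and the sample tree it builds is constructed placeholder data (the access key ID is AWS's published documentation example value, not a real credential).

```python
"""Audit an unpacked machine-image root for leaked credentials (added example)."""
import os
import re
import tempfile
from pathlib import Path

# Heuristic patterns chosen for this example; not an AWS or OpenSSH specification.
AWS_ACCESS_KEY_RE = re.compile(rb"\bAKIA[0-9A-Z]{16}\b")
PEM_PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
SSH_HOST_KEY_RE = re.compile(r"^etc/ssh/ssh_host_[a-z0-9]+_key$")  # private half only
HISTORY_FILES = (".bash_history", ".zsh_history", ".sh_history")
MAX_FILE_BYTES = 1 << 20  # key material is small; skip the tail of large binaries


def _read_head(path: Path) -> bytes:
    """Read up to MAX_FILE_BYTES of a file, treating unreadable files as empty."""
    try:
        with path.open("rb") as fh:
            return fh.read(MAX_FILE_BYTES)
    except OSError:
        return b""


def audit_image_root(root: str) -> list[tuple[str, str]]:
    """Walk the image tree at `root` and return sorted (category, relative_path) findings.

    Categories mirror what the study reported in public AMIs:
      ssh_host_key     a private host key baked in, so every instance shares it
      authorized_keys  a user's .ssh/authorized_keys still granting someone access
      private_key      any other PEM private key (EC2 API X.509 key, SSL key, ...)
      aws_access_key   an AWS access key ID inside a config, script or dotfile
      shell_history    leftover history, which often embeds passwords or key paths
    """
    root_path = Path(root)
    findings: list[tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue
            rel = path.relative_to(root_path).as_posix()
            if SSH_HOST_KEY_RE.match(rel):
                findings.append(("ssh_host_key", rel))
                continue
            if path.parent.name == ".ssh" and name == "authorized_keys":
                keys = [ln for ln in _read_head(path).splitlines()
                        if ln.strip() and not ln.startswith(b"#")]
                if keys:
                    findings.append(("authorized_keys", rel))
                continue
            if name in HISTORY_FILES and path.stat().st_size > 0:
                findings.append(("shell_history", rel))
                continue
            data = _read_head(path)
            if PEM_PRIVATE_KEY_RE.search(data):
                findings.append(("private_key", rel))
            if AWS_ACCESS_KEY_RE.search(data):
                findings.append(("aws_access_key", rel))
    return sorted(findings)


def build_sample_root() -> str:
    """Construct a throwaway tree mimicking a carelessly published AMI.

    Every value below is a constructed placeholder; the access key ID is the
    example value from AWS's own documentation, not a real credential.
    """
    root = Path(tempfile.mkdtemp(prefix="ami-audit-"))
    sample = {
        "etc/ssh/ssh_host_rsa_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEfakehostkey\n-----END RSA PRIVATE KEY-----\n",
        "etc/ssh/ssh_host_rsa_key.pub": "ssh-rsa AAAAB3Nza...fake root@build-host\n",
        "root/.ssh/authorized_keys": "# publisher's key, forgotten before publishing\nssh-rsa AAAAB3Nza...fake publisher@laptop\n",
        "root/.ec2/pk-FAKE1234.pem": "-----BEGIN PRIVATE KEY-----\nMIIEvQIfakeapikey\n-----END PRIVATE KEY-----\n",
        "root/.bashrc": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
        "root/.bash_history": "s3cmd ls s3://customer-backups\n",
        "var/log/notes.txt": "nothing sensitive here\n",
    }
    for rel, text in sample.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return str(root)


if __name__ == "__main__":
    for category, rel in audit_image_root(build_sample_root()):
        print(f"{category:16} {rel}")
```

Run against a real mounted image root instead of the constructed sample, the same walk flags exactly the files the article's findings say should never leave a publisher's machine; deleting the host keys, authorized_keys entries, credential files and history before bundling the image removes them at the source.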
Amazon Web Services is very easy to use: customers can quickly purchase and roll out servers and storage. It is so easy, in fact, that users are building and publishing virtual machine images without following Amazon's recommendations on security and implementation, according to Schneider.
"[...] guidelines are very detailed," Schneider said.
Security experts have paid close attention to the underlying cloud infrastructures and providers, but have underestimated or ignored the "threats caused by the cloud customers when constructing services," the researchers said. Flawed image configurations meant anyone could harvest critical data such as passwords, cryptographic keys and certificates from the published virtual machines. Attackers would be able to "operate criminal virtual infrastructures, manipulate Web services and circumvent security mechanisms," the researchers wrote.
Customers endanger themselves and other users with the "careless and error-prone manner" in which AMIs are handled and deployed, the researchers said.
After the researchers uncovered the problem, they contacted Amazon Web Services with their findings at the end of April. Amazon notified the affected account holders of the security issues, Schneider said.
The study was done by the Center for Advanced Security Research Darmstadt and the Fraunhofer Institute for Security in Information Technology in Darmstadt, Germany.