A security researcher will reveal at Black Hat DC how he deployed password-testing software on Amazon EC2 to break into a secured wireless network using WPA-PSK.
Specialized software running over Amazon's cloud services can be used to
crack passwords on wireless networks, said a German security researcher on Jan.
7.
Thomas Roth, a security and software engineering consultant at Lanworks AG,
in Cologne, Germany, will be publicizing his research at the Black Hat
conference in Washington, D.C., Jan. 16-17.
According to Reuters,
the password-cracking software on Amazon's servers took about 20 minutes of
processing time to break into a WPA-PSK protected wireless network in Roth's
neighborhood. Since then, he has updated the tool to cut down processing time
to 6 minutes.
"People tell me there is no possible way to break WPA, or, if it were
possible, it would cost you a ton of money to do so," he told Reuters.
WPA-PSK scrambles data flowing on wireless networks using a single password.
Once the intruder figures out the password, the network is wide open. The most
commonly used encryption for wireless networks, WPA-PSK, can be cracked if the
attacker has enough powerful computers testing password combinations, said
Roth.
His password-cracking software employs a "brute force" attack,
where passwords are deciphered by successively varying combinations of numbers
and digits. Weak passwords that are "too short and simple" are
particularly vulnerable to this kind of technique, Roth told eWEEK.
"If you're using easy words or sentences, it's pretty likely that it's
in a wordlist," he said in an e-mail to eWEEK.
Roth's password-cracking software can test 400,000 potential passwords per
second using Amazon's cloud clusters, according to Reuters.
Anyone can lease computers on Amazon Web Services or Elastic Compute
Cloud, which is an inexpensive way to obtain the required processing power.
Amazon charged 28 cents a minute for the computers Roth deployed in his
research.
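
Added example (not from the article and not Roth's tool): a defender's estimate of how long a randomly chosen WPA-PSK passphrase survives exhaustive search at the 400,000 guesses per second and 28 cents per minute quoted above. The PBKDF2 key derivation shown is the standard WPA-PSK one and is not described in the article; the function names, SSID and sample policies are illustrative assumptions.

```python
import hashlib

# Figures quoted in the article; everything else here is illustrative.
GUESSES_PER_SECOND = 400_000   # rate reported for the EC2 cluster
DOLLARS_PER_MINUTE = 0.28      # price reported for the machines used
SECONDS_PER_YEAR = 365 * 24 * 3600


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Standard WPA/WPA2-PSK derivation: PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the SSID, 4096 iterations, 32-byte key.
    Every guess an attacker tests costs one of these derivations."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def exhaust_estimate(alphabet_size: int, length: int) -> dict:
    """Worst-case time and rental cost to try every random passphrase
    of the given length at the quoted rate and price."""
    keyspace = alphabet_size ** length
    seconds = keyspace / GUESSES_PER_SECOND
    return {
        "keyspace": keyspace,
        "seconds": seconds,
        "years": seconds / SECONDS_PER_YEAR,
        "dollars": seconds / 60 * DOLLARS_PER_MINUTE,
    }


def min_length_for(alphabet_size: int, years: int) -> int:
    """Shortest random passphrase (8..63) whose full keyspace takes at
    least `years` to search at the quoted rate."""
    needed = GUESSES_PER_SECOND * SECONDS_PER_YEAR * years
    for length in range(8, 64):
        if alphabet_size ** length >= needed:
            return length
    raise ValueError("no WPA passphrase length meets this target")


if __name__ == "__main__":
    # Constructed passphrase and SSID, then three constructed policies.
    print(wpa_psk_pmk("correct horse battery", "ExampleNet").hex())
    for name, size in [("digits", 10), ("lowercase", 26), ("printable", 95)]:
        est = exhaust_estimate(size, 8)
        print(f"{name:9} len 8: {est['years']:.3g} years, ${est['dollars']:,.0f};"
              f" 100-year minimum length: {min_length_for(size, 100)}")
```

These figures apply to uniformly random passphrases; a passphrase that appears in a wordlist falls far sooner than the keyspace estimate suggests.
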
"Just imagine a whole cluster of these machines cracking passwords for
you, which is now easy for anybody to do, thanks to Amazon," Roth wrote on
his site, where he discusses using the cloud to accelerate the time needed to
break encryption algorithms.
Using brute force to find passwords has long been assumed to be too
expensive to be widespread because of the costs of obtaining and maintaining
the powerful equipment necessary to run the calculations.
Roth will discuss his research at Black Hat later this month to convince
network administrators that WPA-PSK is not strong enough to keep out intruders
and that they should be using stronger encryption algorithms.
"Once you are in, you can do everything you can do if you are connected
to the network," he said.
The existence of the tool does not violate Amazon's usage policies, Drew
Herdener, an Amazon spokesperson, told Reuters. "Testing is an excellent
use of AWS," Herdener said, as Roth's research can be used to "show
how the security of some network configurations can be improved."
It would be a violation of the site's usage policies if the software were used
to actually break into a network without the permission of its owner, he said.
Roth told eWEEK in an e-mail that he had permission from his neighbor to
perform the attack.
Herdener also noted that Roth's research isn't "predicated" on
using Amazon EC2 and can be used on any cloud service. There is ample evidence
that criminals can lease botnets very cheaply as well.
This isn't the first time Roth has used Amazon's cloud services to prove
that inexpensive cloud computing services make it easier and faster for hackers
to crack encryption and passwords. Using a cluster he rented from Amazon for
$2.10 per hour, he was able to break the SHA1 hash algorithm to decipher
14 passwords in 49 minutes in November.
Even though SHA1, developed by the National Security Agency, has been
deprecated in favor of the stronger SHA2 algorithm, it is still commonly used,
he said.
He also noted on Twitter that even though hash algorithms like SHA1 are not
intended to be used for storing passwords, the recent breaches at Gawker and
Mozilla indicate that plenty of administrators are doing so. Both Gawker and
Mozilla used MD5 hashes to store passwords.
Amazon is "providing a pretty comfortable and large-scale password-cracking
facility for everybody," Roth said.