Amazon EC2 Used to Crack Password Encryption on Wireless Networks

A security researcher will reveal at Black Hat DC how he deployed password-testing software on Amazon EC2 to break into a secured wireless network using WPA-PSK.

Specialized software running over Amazon's cloud services can be used to crack passwords on wireless networks, said a German security researcher on Jan. 7.

Thomas Roth, a security and software engineering consultant at Lanworks AG, in Cologne, Germany, will be publicizing his research at the Black Hat conference in Washington, D.C., Jan. 16-17.

According to Reuters, the password-cracking software on Amazon's servers took about 20 minutes of processing time to break into a WPA-PSK protected wireless network in Roth's neighborhood. Since then, he has updated the tool to cut down processing time to 6 minutes.

"People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a ton of money to do so," he told Reuters.

WPA-PSK scrambles data flowing on wireless networks using a single password. Once the intruder figures out the password, the network is wide open. The most commonly used encryption for wireless networks, WPA-PSK, can be cracked if the attacker has enough powerful computers testing password combinations, said Roth.

His password-cracking software employs a "brute force" attack, where passwords are deciphered by successively varying combinations of numbers and digits. Weak passwords that are "too short and simple" are particularly vulnerable to this kind of technique, Roth told eWEEK.

"If you're using easy words or sentences, it's pretty likely that it's in a wordlist," he said in an e-mail to eWEEK.

Roth's password-cracking software can test 400,000 potential passwords per second using Amazon's cloud clusters, according to Reuters.

Anyone can lease computers on Amazon Web Services or Elastic Computing Cloud, which is an inexpensive way to obtain the required processing power. Amazon charged 28 cents a minute for the computers Roth deployed in his research.

"Just imagine a whole cluster of these machines cracking passwords for you, which is now easy for anybody to do, thanks to Amazon," Roth wrote on his site, where he discusses using the cloud to accelerate the time needed to break encryption algorithms.

Using brute force to find passwords has long been assumed to be too expensive to be widespread because of the costs of obtaining and maintaining the powerful equipment necessary to run the calculations.

Roth will discuss his research at Black Hat later this month to convince network administrators that WPA-PSK is not strong enough to keep out intruders and that they should be using stronger encryption algorithms.

"Once you are in, you can do everything you can do if you are connected to the network," he said.

The existence of the tool does not violate Amazon's usage policies, Drew Herdener, an Amazon spokesperson, told Reuters. "Testing is an excellent use of AWS," Herdener said, as Roth's research can be used to "show how the security of some network configurations can be improved," he said. It would be a violation of the site's usage policies if the software was used to actually break into a network without the permission of its owner, he said.

Roth told eWEEK in an e-mail that he had permission from his neighbor to perform the attack.

Herdener also noted that Roth's research isn't "predicated" on using Amazon EC and can be used on any cloud service. There is ample evidence that criminals can lease botnets very cheaply as well.

This isn't the first time Roth has used Amazon's cloud services to prove that inexpensive cloud computing services make it easier and faster for hackers to crack encryptions and passwords. Using a cluster he rented from Amazon for $2.10 per hour, he was able to break the SHA1 encryption algorithm to decipher 14 passwords in 49 minutes in November.

Even though SHA1, developed by the National Security Agency, has been deprecated in favor of the stronger SHA2 algorithm, it is still commonly used, he said.

He also noted on Twitter that even though hash algorithms like SHA1 are not intended to be used as passwords, the recent breaches at Gawker and Mozilla indicate that plenty of administrators are doing so. Both Gawker and Mozilla used MD5 hash to store passwords.

Amazon is "providing a pretty comfortable and large-scale password-cracking facility for everybody," Roth said.