Hacker Shows How Cloud Could Wash Out Wireless Security
A hacker claims he's used Amazon's cloud services to bust open SHA-1, a wireless network security standard, and he says he'll be demonstrating his process at an upcoming Black Hat get-together. Malicious hackers could quickly set up brute-force attack systems using the cloud, but critics say real-world password cracks might not come so easily.
Jan 11, 2011 3:08 PM PT
German hacker Thomas Roth's announcement that he used Amazon.com's cloud service to crack a wireless network security standard has left some security researchers scratching their heads. Others are merely shaking them in disbelief.
That attack was launched against the SHA-1 hash algorithm.
Roth's conclusions are that the SHA-1 algorithm is not fit for password hashing, and the compute power offered by cloud services makes it cheap and easy to launch brute-force attacks on passwords.
However, it's been known since 2005 that the SHA-1 algorithm has flaws, and the National Institute of Standards and Technology is seeking to replace it.
Also, undertaking a brute-force attack using the cloud can be costly.
"The cloud is certainly the fastest way to stand up many computers hammering on the same brute-force problem," Shawn Edmondson, director of product management for rPath, told TechNewsWorld. "But that power doesn't come cheap."
Roth used a Cluster GPU instance from Amazon EC2. This has 22 GB of memory, two Intel Xeon X5570s using quad-core Nehalem architecture, two Nvidia Tesla Fermi M2050 GPUs and 1,690 GB of instance storage, Roth wrote in his blog.
It also offers a 64-bit platform and uses 10 gigabit Ethernet for "very high" I/O (input/output) performance, Roth said.
Using this platform, Roth claims he cracked all hashes from a file for passwords one to six characters long in 49 minutes.
However, Sophos security expert Paul Ducklin pointed out that Roth recovered 10 of 14 passwords on a challenge list while Ducklin recovered eight out of those 14 by merely using his MacBook Pro, running in the background, in the same time.
Further, Ducklin said that real-world password hashing schemes are more complex than the one used in the challenge list.
Ducklin added that the attack worked against very weak passwords used with a very weak password hashing system.
The System Roth Attacked
Roth reportedly claims that his attack can break wireless networks secured by applications using the WPA-PSK standard.
WPA stands for WiFi Protected Access. The WPA protocol implements the bulk of the IEEE 802.11i standard. However, it's not a strong protocol, as it was unveiled as an intermediate measure to replace the WEP protocol while 802.11i was being readied for release.
WEP, or Wired Equivalent Privacy, is a security algorithm for IEEE 802.11 wireless networks that was introduced as part of the original 802.11 protocol in 1997. It's relatively easy to crack and was superseded by WPA in 2003.
WPA has been replaced by WPA2, which requires testing and certification by the WiFi Alliance.
PSK stands for Pre-Shared Key Mode, which is also known as "Personal Mode." It's designed for home and small-office networks that don't require an 802.1x authentication server.
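To put numbers on Ducklin's point about weak passwords and a weak hashing scheme, the following Python sketch compares a single unsalted SHA-1 pass with the salted, iterated key derivation that IEEE 802.11i specifies for WPA-PSK, and scales the 49-minute figure to longer passwords. It is an added example, not code from Roth or from the article; the 95-character alphabet, the assumption that the 49 minutes covered the whole keyspace, and the sample passphrase and SSIDs are all constructed for illustration.

```python
import hashlib
import math

ALPHABET = 95  # assumption: printable ASCII; the article does not state the alphabet

def unsalted_sha1(password: str) -> str:
    """Weak scheme: one SHA-1 pass, no salt, so equal passwords hash equally."""
    return hashlib.sha1(password.encode()).hexdigest()

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def hmac_calls_per_guess(iterations: int = 4096, dklen: int = 32) -> int:
    """PBKDF2 runs `iterations` HMACs for each 20-byte SHA-1 output block."""
    return math.ceil(dklen / hashlib.sha1().digest_size) * iterations

def keyspace(min_len: int, max_len: int, alphabet: int = ALPHABET) -> int:
    """Number of candidate passwords with length min_len..max_len."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))

def minutes_to_exhaust(max_len: int, work_factor: int = 1,
                       baseline_minutes: float = 49.0, baseline_len: int = 6) -> float:
    """Scale the article's figure (lengths 1-6 in 49 minutes) to other lengths
    and per-guess costs. Assumes the 49 minutes covered the whole keyspace."""
    guesses_per_minute = keyspace(1, baseline_len) / baseline_minutes
    return keyspace(1, max_len) * work_factor / guesses_per_minute

if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    print("unsalted SHA-1, same for every user:", unsalted_sha1("password"))
    print("PSK on HomeNet  :", wpa_psk("correct horse", "HomeNet").hex())
    print("PSK on OfficeNet:", wpa_psk("correct horse", "OfficeNet").hex())
    factor = hmac_calls_per_guess()
    print("HMAC-SHA1 calls per PSK guess:", factor)
    for length in (6, 8, 10):
        days_plain = minutes_to_exhaust(length) / 1440
        days_kdf = minutes_to_exhaust(length, factor) / 1440
        print(f"lengths 1-{length}: {days_plain:.3g} days plain, {days_kdf:.3g} days iterated")
```

Each HMAC costs at least two SHA-1 computations, so the iterated figures are a lower bound on the extra work per guess.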
The Weakness of the Cloud?
Widespread criticism led Roth to subsequently point out that his real aim was to show how easy the new Amazon cloud cluster makes it to launch massively parallel attacks.
However, said rPath's Edmondson, "If you want to run 1,000 powerful servers 24/7 for a year on a hard computational problem, a roomful of blades is cheaper than public cloud time. So large-scale brute-force attacks still come down to resources and are well beyond the reach of most black-hat hackers. The cheapest and most illegal way is to use a black-market cloud -- namely, a botnet."
Roth told TechNewsWorld that he'll give a talk on his findings at the Black Hat conference, to be held in Washington, D.C., next week.
Clouds Can Strike Back Too
If such a hack using Amazon's cloud services did occur, the company would probably not be to blame because it would essentially be in the same position as a hotel owner whose guest committed unlawful acts in his or her room.
But what can cloud service providers like Amazon do when people who rent their services do things they shouldn't?
"This poses a very interesting challenge for a public cloud provider, both in their acceptable use policy and in their self-policing," Edmondson said. "But, as in the WikiLeaks example, Amazon is clearly willing to drop customers who break the policy."
Amazon kicked WikiLeaks off its servers after the site released sensitive diplomatic cables.
"Our terms of usage are clear, and we continually work to make sure the services aren't used for illegal activity," Amazon spokesperson Kay Kinton told TechNewsWorld. "We take all claims of misuse of our services very seriously and investigate each one. When we find misuse, we take action quickly."
Searching for Security Salvation
Despite its flaws, SHA-1 is the most widely used SHA hash function. Since then, some variants, like SHA-2, have been developed. However, they're too similar to SHA-1 algorithmically.
In 2007, NIST launched a competition to develop a new hash standard, SHA-3. The winner will be selected in 2012.
"SHA-3 is still in development," Richard Wang, manager of SophosLabs U.S., told TechNewsWorld. "NIST have not yet determined which of the candidate algorithms will become SHA-3."