Amazon's Infrastructure-as-a-Service (IaaS) offering, EC2, though synonymous with cost savings for businesses, is also gaining a reputation as a potential tool in the hands of malicious password crackers.
Reuters reported that a researcher in Cologne, Germany, Thomas Roth, used Amazon's Elastic Compute Cloud (EC2) service to run software he developed to crack the passwords protecting wireless networks. The custom software tests 400,000 passwords per second using EC2 compute power.
Amazon leases compute power to developers and companies that cannot invest in such infrastructure themselves. It is primarily used for testing purposes.
The German researcher took 20 minutes to crack the password of a WPA-PSK protected network. The WPA-PSK encryption method scrambles data over a Wi-Fi network using a single shared password. Roth said that such networks can be broken into if attackers use enough computing power to brute force the passwords that protect the wireless network.
A brute-force attack is the most unsophisticated way of cracking a password, as it involves trying every possible combination of characters until the exact key is found. Hackosis gives this example: if your password is 2 characters long, consists of letters and numbers, and is case sensitive, then a brute-force attack would face 3,844 possible guesses. This is because the first character can be any of 26 lower-case letters + 26 upper-case letters + 10 digits = 62 symbols, and the second character has the same 62 choices. Thus, the total number of permutations is 62 * 62 = 3,844.
Hence, for passwords with more characters the process becomes far more time consuming, requiring many computers to do the calculations.
However, with Amazon EC2's massive compute power the process becomes much faster. Amazon charges only 28 cents per minute to use its service. Thus, Roth paid only $1.68 to crack the password.
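An added example (not from the article or Roth's tool) that carries the article's 62-symbol calculation through to longer passwords, using the 400,000 guesses per second and $0.28 per minute figures quoted above as parameters to estimate worst-case exhaust time and rental cost, and the password length at which exhausting the keyspace would exceed a given budget. Per-started-minute billing and the character sets are assumptions.

```python
import math
import string

# Figures quoted in the article, used here as parameters (assumptions, not measurements)
GUESSES_PER_SECOND = 400_000     # rate Roth's software reached on EC2
PRICE_PER_MINUTE_USD = 0.28      # EC2 price quoted in the article

# Candidate alphabets; "alnum" is the 62-symbol set from the article's example
CHARSETS = {
    "digits": string.digits,                                   # 10 symbols
    "lower": string.ascii_lowercase,                           # 26 symbols
    "alnum": string.ascii_letters + string.digits,             # 62 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols: size ** length."""
    return alphabet_size ** length


def exhaust_seconds(alphabet_size: int, length: int,
                    rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to try every candidate; the average case is about half."""
    return keyspace(alphabet_size, length) / rate


def exhaust_cost_usd(alphabet_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND,
                     price_per_minute: float = PRICE_PER_MINUTE_USD) -> float:
    """Worst-case rental cost, assuming billing per started minute."""
    minutes = math.ceil(exhaust_seconds(alphabet_size, length, rate) / 60)
    return minutes * price_per_minute


def min_length_for_cost(alphabet_size: int, budget_usd: float,
                        max_length: int = 64) -> int:
    """Shortest length whose worst-case cost exceeds `budget_usd` (defender's view)."""
    for length in range(1, max_length + 1):
        if exhaust_cost_usd(alphabet_size, length) > budget_usd:
            return length
    raise ValueError("no length up to max_length exceeds the budget")


def cost_table(charset_name: str, lengths) -> list:
    """Rows of (length, keyspace, hours, cost_usd) for one alphabet."""
    size = len(CHARSETS[charset_name])
    return [(n, keyspace(size, n), exhaust_seconds(size, n) / 3600,
             exhaust_cost_usd(size, n)) for n in lengths]


if __name__ == "__main__":
    for n, space, hours, cost in cost_table("alnum", [2, 6, 8, 10]):
        print(f"len={n:2d} keyspace={space:.3e} hours={hours:.2e} cost=${cost:,.2f}")
```

With the article's parameters, an 8-character alphanumeric password already pushes the worst-case rental cost into the billions of dollars, which is why passphrase length, not cloud pricing, is the defender's lever.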
Geek.com reported in November that Thomas Roth had used Amazon EC2 to crack 14 SHA-1 hashes in 49 minutes by brute force. He had used the off-the-shelf CUDA Multiforcer software to aid the attack.
Also, Cloudcomputing.info reported in August 2010 how two security researchers used EC2 infrastructure to mount a denial-of-service (DoS) attack against an SMB at DEF CON 2010, a software security conference held in Las Vegas.
Amazon also came under considerable scrutiny last month when the whistle-blower site WikiLeaks used its EC2 infrastructure to host the controversial diplomatic cables; Amazon later purged its servers of the WikiLeaks content. The current demonstration by Roth further reveals how easy it is for malicious hackers to use Amazon's EC2 power to crack simple passwords at such a minor cost.