Hacker Deploys Cloud to Smash Passwords
We know when another Black Hat Conference is just around the corner. It seems to follow the now almost obligatory “revelatory” press reports about some new hack or other as a warm-up to the event.
The most recent news item involves Thomas Roth and his use of Amazon’s EC2 cloud computing resources to break into password-protected WiFi networks.
A brute-force attack, which is an automated search to determine a password, uses heavy computer processing power. This may be black hat, but such attacks are old hat, too. Roth, though, has used an old trick and combined it with the power of new technology to demonstrate “what can be done using the latest high performance computing possibilities.” He has managed to force through an attack that few thought was possible, considering the sheer number of computations required. The “cloud,” or, more precisely, its now easily accessible resources, changes that, as Roth is about to show at Black Hat.
Roth’s latest exposé involves a tool that starts up instances on the Amazon EC2 cloud and uses them to “crack encryptions in a distributed way.” Roth reveals on his blog that he intends to “demonstrate how to break a WPA-PSK (WiFi security protocol) handshake at a speed of ~400.000 PMKs/s, and possibly at a speed of over 1.000.000 PMKs/s.” WPA-PSK handshakes are the steps taken to verify secure connection, speed, and authorization on a WiFi network.
In other words, Roth’s hack threatens to use the power of a cloud service to speedily hack thousands of passwords on a WiFi network. In doing this, the hack has exposed the weakness of combining graphics processor (GPU) cluster nodes and SHA-1 hashing algorithms, as Amazon’s latest service does.
GPUs are excellent accelerators for cracking passwords. SHA-1 is a National Institute of Standards and Technology (NIST) standard that is essentially made for verifying data, not for storing passwords. Security flaws in SHA-1 have been known since about 2005, although it is still widely used, and SHA-2 is available (SHA-3 is currently being devised).
Amazon launched its Cluster GPU Instances for Amazon EC2 in November. Roth was quick on the uptake and later that month showed how he could successfully force through attacks on passwords of up to six characters in length in just 49 minutes, at a cost of just $2.
Roth’s hack shows that instead of relying on GPU and SHA-1, a better solution would be to use a Password-Based Key Derivation Function (PBKDF2), which uses key-strengthening technology and is much harder to crack.
So what is Roth’s motive behind the revelations? Roth himself says on his blog: “I hope that this article helps some people understanding the real impact of using the cloud for cracking passwords.” An attacker, he says, would be able to spawn a gigantic cluster of cloud nodes, and it would be no problem for him to crack eight-character-long passwords in a nice timeframe, especially useful for determining banking access via stolen debit and credit card information.
As is the case with publicizing any vulnerability, exploit, and cyber-attack POC (proof of concept), the question may be asked whether it is an altruistic move, or a self-promoting exercise.
Whichever is the case, this is as always a tricky question with lots of gray areas. It is the same question we might ask about the furor and conflicting opinions surrounding Wikileaks: Is it for the good of everyone or fraught with vested interest?
One simple piece of advice: Ensure any passwords you use are at least nine characters long, contain upper- and lower-case letters, and mix alphanumeric characters with the likes of &}>^!~... To crack these will take a great deal of Amazon’s EC2 cloud power.
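To put the password advice and the PBKDF2 point above in numbers, here is an added example (not from the article or from Roth's tool) that derives a WPA-PSK PMK with Python's `hashlib` and computes the worst-case time to exhaust a passphrase policy at the ~400.000 PMKs/s rate quoted earlier. The policy list, the sample SSID and passphrase, and the cached-pad assumption in the work count are choices made for this illustration.

```python
import hashlib
import math

PMK_RATE = 400_000  # guesses/second: the ~400.000 PMKs/s figure quoted in the article
ITERATIONS, PMK_LEN, SHA1_LEN = 4096, 32, 20  # WPA/WPA2-PSK derivation parameters

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise master key: PBKDF2-HMAC-SHA1 salted with the network's SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               ITERATIONS, PMK_LEN)

def sha1_compressions_per_guess() -> int:
    """SHA-1 compression calls per PMK, assuming the HMAC pad states are cached."""
    blocks = math.ceil(PMK_LEN / SHA1_LEN)   # 2 output blocks of 20 bytes each
    return blocks * ITERATIONS * 2           # inner + outer hash per HMAC call

def keyspace(length: int, alphabet: int) -> int:
    """Number of distinct passphrases of exactly this length."""
    return alphabet ** length

def exhaust_days(length: int, alphabet: int, rate: float = PMK_RATE) -> float:
    """Worst-case days to try every passphrase of exactly this length."""
    return keyspace(length, alphabet) / rate / 86_400

# Assumed policies for illustration (WPA passphrases are 8 to 63 characters).
POLICIES = [
    ("8 lowercase letters", 8, 26),
    ("8 letters and digits", 8, 62),
    ("9 letters and digits", 9, 62),
    ("9 printable ASCII (the advice above)", 9, 95),
]

def report(rate: float = PMK_RATE):
    """(policy name, worst-case days) for each assumed policy at the given rate."""
    return [(name, exhaust_days(n, a, rate)) for name, n, a in POLICIES]

if __name__ == "__main__":
    # Constructed sample network; the SSID is the salt, so the same passphrase
    # yields a different PMK on every network name.
    print(wpa_pmk("correct horse battery", "ExampleNet").hex())
    print("SHA-1 compressions per guess:", sha1_compressions_per_guess())
    for name, days in report():
        print(f"{name:38s} {days:16,.1f} days ({days / 365:,.1f} years)")
```

The figures scale linearly with the guess rate, so the same table at 1.000.000 PMKs/s is obtained with `report(1_000_000)`.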