Security researcher uses Amazon cloud to hack WPA-PSK passwords

A security researcher in Germany is warning that Amazon's cloud service can be used to brute force weak passwords used to protect Wi-Fi security.

Thomas Roth says it is quite easy to break weak passwords using brute force methods with access to Amazon's cloud-based computing service, which is capable of testing 400,000 potential passwords every second. Amazon rents its service to customers for 28 cents per minute.

Networks that use the WPA-PSK setup to secure their networks are always going to be vulnerable to weak passwords (or more accurately, the pre-shared key). Short and weak passwords would be vulnerable to a brute force attack, especially at the speeds offered by Amazon's services.

"Nothing in this researcher's work is predicated on the use of Amazon EC2. As researchers often do, he used EC2 as a tool to show how the security of some network configurations can be improved," said Amazon spokesman Drew Herdener.

"Testing is an excellent use of AWS, however, it is a violation of our acceptable use policy to use our services to compromise the security of a network without authorization."

Roth claims to have found the key for a network in his neighborhood using his method and Amazon's service. The brute force attack took about 20 minutes to get the correct key, but Roth is making changes to his code which he reckons could bring the time down in such a case to about 6 minutes.

Roth will distribute his software publicly and give demonstrations on using it at the Black Hat conference in Washington D.C. He is releasing it to convince skeptical network administrators that nowadays, these such a attacks will often be successful against protected networks.

Of course, using a long and complex key to protect a network will make this method next to useless, even at 400,000 attempts per second.

Written by: James Delahunty @ 11 Jan 2011 2:09

Zealousi

wow renting out rainbow tables to the internet, would this not be illegal due to security risk. I don't think they are promoting a positive image towards the internet. but then again they are making money.

11.1.2011 09:34 #1

champman

The only way to combat brute force is the have limited attempts then it should shut down for a set time to put off hackers. How should a password need to be to so that a brute force attack would fail?

If you are renting that many machines, surely you would pick juicer targets than home networks.

||Intel QX6700 @3.3GHz|Gigabyte X48-DS5|XFX 5970 2GB B.E.|OCZ Reaper DDR2 800MHZ|X-Fi Fatality|Vista Home Prem. x64|2x WD Raptor 150GB|1TB WD RE3|LG GGW-H20L Super Multi Blu-Ray/HD-DVD||

15.1.2011 15:39 #2

Zealousi

Originally posted by champman: The only way to combat brute force is the have limited attempts then it should shut down for a set time to put off hackers. How should a password need to be to so that a brute force attack would fail? Try a Cd key example (using random keys)

3hf7-4ydn-6oix-n5uf-htyx-jru5i

I find these pwd's impossible to crack in a million years also Cy keys are unique too aslong as you don't give them out. I find them great passwords if you can remember the whole thing :P
Quote:
If you are renting that many machines, surely you would pick juicer targets than home networks.

I would also agree but who could pass up free internet but there could be a business wireless or the one next door to work for your iPhone to have internet during the day. Even a WOW addict would use this service if it means wow on the move at work.

You could find many reasons but the ethical matter of this service seams fishy.

16.1.2011 05:52 #3

Zealousi

haha i use my XP cd key from years ago 25 long and i have never had a pwd hijack yet and even then if someone did get it, they may think it is just a random generated pwd.

Best pwd ever used and you can make soo many combination of it for different services if you can remember it i highly suggest a original cd key not a leaked one.

3.2.2011 08:09 #4

AfterDawn: News