A security reseacher has revealed how he used Amazon’s cloud service to hack into his neighbour’s Wi-Fi network
Network administrators and even home users are being warned about a potentially serious security risk, from a cloud-based attack that could crack their Wi-Fi network’s password.
Thomas Roth, a computer security consultant based in Cologne, Germany, said that he had developed specialised software run on Amazon’s cloud-based computers. It tests 400,000 potential passwords per second using Amazon’s high-speed computers, in what is called a brute force attack.
Roth will reportedly distribute his software to the public and teach people how to use it later this month at the Black Hat hacking conference on 19 January in Washington, DC.
He defended this, saying he is trying to convince sceptical network administrators that he can crack the encryption method, PA-PSK, which scrambles data using a single password.
Six Minutes To Breach
Traditionally, passwords have been difficult for hackers to crack because of the sheer computing power required to perform the mathematical calculations needed to break the passwords. But with Amazon’s EC2 cloud service, users or companies can lease power computers for as little at $0.28 or £0.17 a minute.
Roth told Reuters that he had used his software and Amazon’s cloud-based computers to break into a WPA-PSK (Wi-Fi Protected Access, Pre-Shared Key) protected network in his neighbourhood. It took about 20 minutes of processing time. He has since updated his software to speed its performance and believes he could hack into the same network in about 6 minutes.
“Once you are in, you can do everything you can do if you are connected to the network,” he was quoted as saying by Reuters. “People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a ton of money to do so. But it is easy to brute force them.”
Predictably, Amazon took a dim view of Roth’s actions.
A spokesman for Amazon said that Roth’s research would violate their policies if he were to use Amazon Web Services (AWS) and its Elastic Compute Cloud (EC2) computing service to break into a network without permission of its owner.
“Nothing in this researcher’s work is predicated on the use of Amazon EC2. As researchers often do, he used EC2 as a tool to show how the security of some network configurations can be improved,” Amazon spokesman Drew Herdener was quoted as saying on Reuters.
“Testing is an excellent use of AWS, however, it is a violation of our acceptable use policy to use our services to compromise the security of a network without authorisation.”
Wi-Fi Security Concerns
The demonstrations shows the necessity of fully securing a Wi-Fi network and the importance of using a sizeable network password that combines both characters and numbers. Last month, a Lenovo study found that some small businesses are using nearby unsecured Wi-Fi networks for their Internet access.
And back in May last year, the introduction of the Digital Economy Act with its new powers, meant that UK users could well face the prospect of a fine if they do not password-protect their Wi-Fi networks, and someone uses their network to download copy protected data.
In 2009 for example, a publican was hit with a £8,000 fine after someone used his Wi-Fi network to illegally download content. And in Germany a court fined a person €100 (£85) after his Wi-Fi network was used to illegally download music.
The German case came to light after an unidentified musician sued the person whose wireless connection was used to illegally download a song, which was then subsequently offered on an online file-sharing network.
Google, of course, has found itself in no end of hot water after its Street View cars accidentally stole people’s Wi-Fi data.