Cloud cracks home wireless router; giant hammer squishes ant

WLAN exploit is overkill, but proves the concept for other attacks

In what is certainly the clearest sledgehammer-vs.-ant matchup of the week, German security specialist Thomas Roth found a way to use the massive power and elasticity of the Amazon EC2 multi-datacenter cloud-computing platform to crack the password on a wireless router.

Roth's attack is straight brute force. He wrote a script that creates millions of possible passwords, encrypts them and tries them on the network he's attacking at 400,000 passwords per second.

The app, which he plans to release at this year's Black Hat conference later this month in D.C., uses a feature of EC2 that allows GPU chips to be used for processing as well as graphics, vastly expanding the encryption-cracking potential of the grid.

His accomplishment will fill in the gap for hackers who have not been able to figure out how to sniff, crack and spoof wireless identities using any of the 321,000 how-to guides and videos available on a first-pass search of Google.

An Amazon spokesperson was quoted by Reuters as saying Roth didn't violate its policies by building the app or doing the crack, as long as he wasn't using it for nefarious purposes.

Many of those how-to guides are kind of old, of course. Some only show how to crack the much simpler WEP encryption, rather than WPA, which is the level of security Roth said he can crack in about six minutes.

That's far better than an apparently competing service called WPA Cracker that also runs as a cloud-based application and promises to crack WPA encryption in about 20 minutes, for $17.

Both approaches are a lot quicker and cheaper than trying to brute-force a WPA password with an ordinary PC, which could take days.

Most of the wireless-cracking schemes on those thousands of how-to guides don't use brute force, though. There are more efficient ways to approach it, including using pre-defined lists of common passwords rather than randomly generated ones.

Given the evidence from the recent hack of Gawker Media, which exposed the email addresses and passwords of more than a million Gawker.com users, you don't really need a lot of exotic, random phrases to crack most accounts.

Among the most common were 12345, password, qwerty, letmein, and trustno1.

Not the kind of security you need a massive grid to crack, even assuming most people use throwaway passwords for sites like Gawker that force them to register but on which they don't do anything important.

But if you can point a weapon like Roth's at a small, insecure home wireless router with WPA encryption, you could also point it at a larger, more secure site running 802.1X authentication.

It wouldn't be subtle, and Amazon presumably wouldn't be shy about helping law enforcement or corporate security ferret out a cracker.

Roth's exploit probably isn't a big threat.

Sophisticated, Eastern-European organized cybercrime gangs probably aren't lining up to use EC2 to help crack the wireless passwords that are otherwise kept securely written on Post-It notes taped to end-users' terminals.

Disgruntled ex-employees, experimenters like Roth, or mildly intrusive and slightly uneducated corporate spies might give it a shot.

It's worth realizing, though, that cloud platforms give ordinary people with ordinary checkbooks access to massively scaled computing resources only big companies or government agencies could afford five or 10 years ago, and not all of them are going to use the cloud just for email.

That may not mean they're about to hit your edge defenses all at once using all the computing resources of the Western Hemisphere.

It does mean having to keep in mind that the cloud may present security problems entirely separate from the risk that data you put in it will disappear or get cracked by someone from outside.

It may mean potential attackers you figured would never have the means to accomplish much suddenly can.

It will take a while for that realization to filter out to non-crackers, in the same way it took a while for normal end users to realize they could walk out with gigabytes of data on USB drives in their pockets.

I don't know what they'll be using cloud-based high-performance clusters to crack when they do figure it out. I'm relatively sure it won't be home-based wireless routers, though.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.
