A German security researcher says Amazon's cloud computing service can be used to crack weak passwords used to protect Wi-Fi networks.
Security researcher Thomas Roth told Reuters that he will show off his findings at the Black Hat conference in Washington, D.C., next week. Roth claims that he used Amazon's Elastic Compute Cloud (EC2) to deploy password-testing software to break into secured wireless networks that use the WPA-PSK security standard. Roth said his software can test 400,000 potential passwords per second on Amazon's servers and that it took about 20 minutes for him to break into a WPA-PSK-protected Wi-Fi network in his neighborhood. After some tweaking, Roth told Reuters, he was able to whittle that time down to 6 minutes.
"Once you are in, you can do everything you can do if you are connected to the network," Roth told Reuters.
WPA-PSK is an encryption method that scrambles data using a single password. That password grants access to devices on the wireless network. Roth said that a Wi-Fi network can be cracked if hackers apply enough compute power to "brute-force" the password.
"People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a ton of money to do so," Roth told Reuters. "But it is easy to brute-force them."
Roth said Amazon's EC2 cloud computing service, which runs about 28 cents a minute for compute power, is an affordable option and provides enough power to use brute-force techniques.
"Just imagine a whole cluster of [these] machines (Which is now easy to do for anybody thanks to Amazon) cracking passwords for you, pretty comfortable. Large scaling password cracking for everybody!" Roth wrote in a post on his blog about using Amazon's cloud service to crack passwords.
Meanwhile, Amazon said Roth's research, if used to access wireless networks without permission, is in violation of the acceptable use policies of Amazon's cloud computing service. Amazon also said Roth's research does not highlight a flaw in Amazon EC2.
"Nothing in this researcher's work is predicated on the use of Amazon EC2. As researchers often do, he used EC2 as a tool to show how the security of some network configurations can be improved," said Amazon spokesman Drew Herdener in a statement to Reuters.