Tuesday, January 18, 2011

Researcher Breaks Wi-Fi Passwords Using Cloud Computing Power

According to a press report, a German security specialist plans to give attendees at a hackers convention next week code that they can run on high-performance cloud computer systems to help them break passwords on seemingly secure, low-cost wireless networks – Wi-Fi, for instance.


As much as anything else, however, it's a demonstration of how much computing power is becoming available to larger numbers of people as a service for a fraction of what it costs to buy and maintain a supercomputer.


According to a report in Reuters, Thomas Roth, a security consultant in Cologne, used high-performance capabilities in Amazon.com's (NASDAQ: AMZN) Elastic Compute Cloud (EC2) service to "brute force" breaking passwords on wireless networks.


Roth will be speaking at next week's Black Hat Security Conference in Washington, D.C. His talk is titled "Breaking encryption in the cloud: GPU accelerated supercomputing for everyone."


The main focus of Roth's recent demonstration, however, was to show how easy, given the availability of such high-powered computing power in the cloud, it is today to break passwords that use an encryption algorithm he says was never meant to secure systems.


Roth reportedly said he was able to breach the relatively sophisticated encryption technology -- SHA-1 (Secure Hash Algorithm) -- by tapping a cluster of Nvidia graphics processors, available through Amazon's services, to provide the horsepower needed for the task of zipping through 400,000 possible passwords per second.


"SHA-1 was never made to store passwords. [It] is a hash algorithm ... made for verifying data. It was made to be as fast and as collision free as possible, and that's the problem when using it for storing passwords: It's too fast," Roth said on his blog in November.


Prices for the equivalent of a supercomputer provided as a service via the cloud are low as well. Roth told Reuters that it took 20 minutes to break into a network in his neighborhood, at a cost of 28 cents per minute -- and that, with improvements in the code, he could do the same in as few as six minutes now.


The problem is, as computing speeds climb ever higher and the price falls, the barrier to hackers falls as well.


"The speed of computers is increasing incredibly fast, and so brute forcing will get faster and faster, and the new cloud offerings make parallelization of such use tasks easy and affordable," Roth continued.


An Amazon spokesperson was not available at publication. However, in speaking with Reuters, a spokesperson made the point that the same feat could be achieved on competing cloud computing services as well.


By Stuart J. Johnston
January 12, 2011