A new paper has revealed what its authors call “alarming” vulnerabilities in controls over Amazon’s cloud service, but the problems were fixed before anyone could exploit them in real life. If they hadn’t been addressed, the weaknesses could have allowed hackers to sidestep cryptographic protections and reprogram or delete customers’ virtual computers and steal their data, the researchers say.
The paper—titled “All Your Clouds Are Belong to Us,” a play on a decade-old Internet meme—was produced by several researchers based at Ruhr University in Germany. It showed flaws in the client controls of Amazon’s Elastic Compute Cloud (EC2) service, which is used by a growing number of large Web companies including Foursquare and Yelp, government agencies including the National Renewable Energy Lab, media companies such as the Washington Post, and academic institutions such as the University of Barcelona and the University of Melbourne.
The principal hack described involves a messaging system that companies use to do things like create and delete virtual computers as needed. The researchers were able to change those messages in a way that Amazon’s cryptographic authentication systems failed to detect. And Amazon’s service would have executed the malicious instructions along with the proper ones. The approach exploited a specific kind of vulnerability first reported by IBM researchers in 2005.
The effects were potentially devastating. “One eavesdropped message—or a message gained another way—was enough to get control over the whole user’s cloud,” says Juraj Somorovsky, one of the researchers involved in the study. “Cloud interfaces are generally a prominent attack target. If an attacker compromises a cloud interface, he could misuse its vulnerabilities to get control over users’ data.” Users’ computations could also be manipulated, he adds.
Kay Kinton, an Amazon spokeswoman, said in an e-mail statement that “the potential vulnerabilities reported by researchers […] have been corrected and no customers have been impacted.” She also disputed that data would have been at risk, saying that the process Amazon uses to store customer data would not have allowed even the researchers to see and expose passwords or other information.