Skip to Content

Harnessing the Cloud for Hacking

Cloud password cracker is a sign of things to come.
December 10, 2009

Want to check if the password to your wireless network (or your neighbor’s) passes muster? For $34, you can do just that by using a password-cracking service that’s primarily aimed at “penetration testers”–people who are paid by a company to test its network’s security.

The service, known as WPA Cracker, is one of the first hacking services to rely on cloud computing. WPA Cracker went live on Monday–it uses pay-as-you go cloud computing resources to search for an encrypted WiFi Protected Access (WPA) password from 135 million different possibilities, says creator and hacker Moxie Marlinspike. Normally the task would take a single computer about five days, but WPA Cracker uses a cluster of 400 virtual computers and high-performance computing techniques. It takes only 20 minutes, he says.

“Security is moving into the cloud … so the attacks will follow security into the cloud as well,” says Marlinspike. “Password cracking is an obvious thing. Normally, it is cost-prohibitive to run CPU-intensive jobs. [With cloud computing] it costs a lot less money than doing it yourself.”

At its core, cloud computing is about providing services or infrastructure through the Internet that can easily be ramped up to meet demand. Online giants, including Amazon, Google, and Microsoft, all have services that offer the ability to run an application in a large data center or to rent time on a cluster of virtual computers, allowing customers to tap into large amounts of computing power more efficiently.

Security experts say the performance and costs advantages of cloud computing are already luring cybercriminals.

“We have seen attacks emanate from IP ranges associated with cloud-based computing services,” says Tom Cross, manager of advanced research at IBM’s X-Force security team. Cross would not elaborate on which services were involved, however.

Yet other real-world examples exist. In 2008, a spammer used Amazon’s Elastic Computing Cloud (EC2) service to blast out a massive campaign of porn-related junk e-mail. And last month, security firm Arbor Networks reported that a cloud application hosted on Google’s AppEngine platform appeared to be the command-and-control hub for a small botnet. However, Google removed the application for usage-policy violations and said that the malicious behavior was the result of a programming error, not criminal intent.

Even if the intent was not malicious, however, the example shows that poorly behaved applications can run in the cloud, says Danny MacPherson, chief security officer for Arbor.

“As more people start using cloud infrastructure, I absolutely think we will see malicious uses as well,” says MacPherson. “I would encourage anyone using those infrastructures to not make security a chewing-gum, bolt-on-after-the-development sort of infrastructure.”

In some ways, criminals have already started their own cloud services by compromising users’ computers and centrally controlling them. These botnets, as such networks are called, can be used for different tasks, such as sending spam, hosting malicious content, or sending a flood of data to overwhelm a target network. Some underground entrepreneurs even created an online market, dubbed Golden Cash, where criminals could buy or lease any number of compromised computers.

If a cloud service provider does not monitor its network sufficiently, a criminal could use the service to do the same thing.

“When you are building a botnet, what you are trying to do is use a lot of computers for some purpose,” Cross says. “If you can get a hold of a credit card, you can purchase a whole slew of virtual computers from a cloud provider.”

Already, Amazon’s service has become a playground for security researchers. This past summer, security firm SensePost revealed a number of techniques for abusing cloud services. By misusing the account creation process, for example, the researchers easily avoided Amazon’s 20-computer limit per customer. SensePost’s security team also demonstrated ways that malicious developers could create virtual-machine templates that included rootkits or other malicious code. If another Amazon customer used the template, they could find themselves vulnerable to attack.

“The cloud is going to offer the serious criminal huge computing resources on tap, which has lots of interesting applications,” says Haroon Meer, director of security research for SensePost. “If nothing else, it should change a few threat models.”

Keep Reading

Most Popular

This new data poisoning tool lets artists fight back against generative AI

The tool, called Nightshade, messes up training data in ways that could cause serious damage to image-generating AI models. 

Rogue superintelligence and merging with machines: Inside the mind of OpenAI’s chief scientist

An exclusive conversation with Ilya Sutskever on his fears for the future of AI and why they’ve made him change the focus of his life’s work.

The Biggest Questions: What is death?

New neuroscience is challenging our understanding of the dying process—bringing opportunities for the living.

Driving companywide efficiencies with AI

Advanced AI and ML capabilities revolutionize how administrative and operations tasks are done.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.