New Hack Abuses Cloud-Based Browsers
Researchers show how attackers could anonymously pilfer free cloud computing power -- for cracking passwords, denial-of-service attacks, or other nefarious activities
Kelly Jackson Higgins
November 28, 2012
Turns out those cloud-based browsers that offload processing in the cloud for mobile devices can also be a cybercriminal's best friend: Researchers have found that those browser services can be abused to crack passwords, wage denial-of-service attacks, or perform other unauthorized computations with the free computing power.
A team of NC State University and University of Oregon researchers built their proof-of-concept on MapReduce, the parallel-computation model Google introduced for large jobs in the cloud, and ran the jobs through the Puffin cloud-based browser service. To pass large blocks of data between the participating browser nodes while keeping the traffic looking like ordinary browsing, they stored the data on URL-shortening sites, then measured how far the browsing service could be pushed beyond rendering Web pages.
"To do that computation normally, you would rent space. If you want to do a job anonymously, like cracking passwords ... you could use these available services" rather than paying for Amazon EC2 services, for instance, says William Enck, assistant professor of computer science at NC State and a co-author of the research paper published today by the team. "This is a way of getting that computation [power] without going through the hurdle [of payment fraud]."
The researchers were able to generate more than 24,000 hashes per second in password-cracking tests with Puffin and their proof-of-concept.
Password cracking on rented cloud computing has been demonstrated before, with tools such as the WPA Cracker service, created by researcher Moxie Marlinspike to test the strength of the passwords protecting encrypted wireless access points, and the Cloud Cracking Suite, built by European researcher Thomas Roth, which uses Amazon EC2 instances to brute-force wireless network passwords and break into the networks they protect.
[An apparent mistranslation by a German newspaper of English-language reports on the researcher's Amazon EC2-based password-cracking tool led to a raid and a frozen bank account. See Researcher Overcomes Legal Setback Over 'Cloud Cracking Suite'.]
With this latest research in what is sometimes called "parasitic computing," the exposed party is the cloud browser provider itself: it is the provider's own computing resources that bad actors can consume.
"Like any other online service, cloud browser providers must ensure adequate security controls are in place to prevent their end users from abusing the system," says Jeremiah Grossman, CTO of WhiteHat Security.
NC State's Enck says there are ways for cloud-based browsing providers to better monitor their traffic -- namely, by tying activity to registered user accounts so that possible abuse or rogue traffic can be attributed and detected. Much as a DDoS target blacklists offending IP addresses, he says, this would let cloud browser providers quash abuse. "It's similar: You can say, 'Here are the clients [the traffic] is coming from, and the IP addresses.'"
Cloud browser providers can also limit the computing resources used by each user or client, he says, which would help detect abuse as well.
Some providers already employ features that can help minimize abuse. The Silk browser on Amazon's Kindle Fire, for example, requires user registration and uses a key specific to the tablet in its handshake with the cloud-based servers. "Such a strategy is particularly helpful in mitigating the ability to clone instances. Additionally, existing techniques such as CAPTCHAs can limit the rate of creating new accounts," the researchers wrote in their paper.
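The two controls Enck describes above, attributing every rendering request to a registered client and capping the computing resources each client may consume, can be combined into a single accounting check on the provider side. The following is an added example written for this page, not code from the researchers, Puffin or Amazon: it keeps a sliding-window budget of render CPU time and fetched bytes per client identity, refuses requests that carry no identity at all, and flags clients that exceed their budget. The request tuples, the window length and both budget values are constructed assumptions chosen for illustration.

```python
"""Per-client resource accounting for a cloud rendering service (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Sliding-window budgets per registered client. These values are assumptions
# chosen for the example, not figures from the paper or from any provider.
WINDOW_S = 60.0
CPU_BUDGET_MS = 5_000        # render CPU time a client may consume per window
BYTES_BUDGET = 20_000_000    # bytes fetched on a client's behalf per window

# Constructed sample traffic: (timestamp_s, client_id, bytes_fetched, render_cpu_ms).
# tablet-a1 browses normally; tablet-b7 repeatedly pulls 10 MB payloads and burns
# seconds of render CPU, the pattern a parasitic-computing job would produce; the
# empty client_id is a request arriving without any registered identity.
SAMPLE_REQUESTS = [
    (0.0, "tablet-a1", 180_000, 120),
    (0.5, "tablet-b7", 10_000_000, 4_800),
    (0.8, "tablet-b7", 10_000_000, 4_900),
    (1.2, "tablet-a1", 95_000, 90),
    (1.6, "", 1_000_000, 300),
    (70.0, "tablet-b7", 1_000, 30),
]


@dataclass
class ClientUsage:
    events: deque = field(default_factory=deque)  # (ts, cpu_ms, bytes) inside the window
    cpu_ms: int = 0
    bytes: int = 0


class AbuseMonitor:
    """Charges rendering work to a client id and flags budget overruns."""

    def __init__(self, window_s=WINDOW_S, cpu_budget_ms=CPU_BUDGET_MS,
                 bytes_budget=BYTES_BUDGET):
        self.window_s = window_s
        self.cpu_budget_ms = cpu_budget_ms
        self.bytes_budget = bytes_budget
        self.usage = defaultdict(ClientUsage)
        self.flagged = {}  # client_id -> timestamp of the first overrun

    def record(self, ts, client_id, bytes_fetched, cpu_ms):
        """Return 'unregistered', 'over_budget' or 'ok' for one rendering request."""
        if not client_id:
            # Without an account or device identity there is nothing to attribute
            # the work to, and nothing to rate-limit, so the request is refused.
            return "unregistered"
        u = self.usage[client_id]
        # Drop events that have aged out of the window before charging the new one.
        while u.events and u.events[0][0] < ts - self.window_s:
            _, old_cpu, old_bytes = u.events.popleft()
            u.cpu_ms -= old_cpu
            u.bytes -= old_bytes
        u.events.append((ts, cpu_ms, bytes_fetched))
        u.cpu_ms += cpu_ms
        u.bytes += bytes_fetched
        if u.cpu_ms > self.cpu_budget_ms or u.bytes > self.bytes_budget:
            self.flagged.setdefault(client_id, ts)
            return "over_budget"
        return "ok"

    def process(self, requests):
        """Feed request tuples in time order; return one decision per request."""
        return [self.record(*r) for r in sorted(requests, key=lambda r: r[0])]


if __name__ == "__main__":
    monitor = AbuseMonitor()
    for req, decision in zip(sorted(SAMPLE_REQUESTS), monitor.process(SAMPLE_REQUESTS)):
        print(f"{req[0]:6.1f}s  {req[1] or '<none>':10s}  {decision}")
    print("flagged:", monitor.flagged)
```

The check is only as strong as the identity it keys on: if a client can register unlimited fresh accounts, or clone an existing one, each clone gets a fresh budget, which is why the device-bound key in Silk's handshake and CAPTCHA-gated registration matter alongside the quota itself.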
In their proof-of-concept, the researchers worked with 1-, 10- and 100-megabyte data sets rather than larger ones. "When we ran our experiments, we didn't overly tax the services. Our goal was to show these things are feasible and not to demonstrate large-scale use of this in practice and put undue strain on the technology we were using," Enck says.
"By rendering Web pages in the cloud, the providers of cloud browsers can become open computation centers, much in the same way that poorly configured mail servers become open relays. The example applications shown in this paper were an academic exercise targeted at demonstrating the capabilities of cloud browsers. There is great potential to abuse these services for other purposes," Enck and his co-authors -- NC State graduate students Vasant Tendulkar and Ashwin Shashidharan, the University of Oregon's Joe Pletcher, Ryan Snyder and Kevin Butler -- wrote in their paper.
The researchers will present their "Abusing Cloud-Based Browsers for Fun and Profit" paper next week at the 2012 Annual Computer Security Applications Conference in Orlando, Fla.