Researchers claim attackers can exploit co-located virtual machines to scoop up RSA keys of other users on Amazon’s EC2 cloud service
Researchers have discovered that Amazon’s EC2 cloud storage platform can be manipulated to steal the cryptographic keys of other users.
The researchers, from Worcester Polytechnic Institute, devised a method that recovers the full private key used in the RSA crypto system by mounting a CPU cache attack across two Amazon EC2 accounts hosted on the same chip.
However, the vulnerabilities have now been fixed, according to Amazon Web Services.
2048-bit RSA key
The paper explains how the researchers used one Amazon EC2 instance to recover a whole 2048-bit RSA key used by a separate instance.
Amazon EC2, which stands for Elastic Compute Cloud, is the cloud storage platform of Amazon’s AWS cloud computing division.
But the researchers said that they notified AWS’ security team of the vulnerabilities in June 2015, and the issues should now have been addressed.
“The cross-VM leakage is present in public clouds and can become a practical attack vector for both co-location detection and data theft,” warned the researchers.
“Users have a responsibility to use latest improved software for their critical cryptographic operations. Additionally, placement policies for public cloud must be revised to diminish attacker’s ability to co-locate with a targeted user. Even further, we believe that smarter cache management policies are needed both at the hardware and software levels to prevent side-channel leakages and future exploits.”
A similar co-located VM attack method was found in cloud service providers back in 2009, but this was fixed by Amazon Web Services.
But this new vulnerability comes at a time when data privacy is at the forefront of everyone’s mind, and could spark issues for Amazon when it comes to government data compliance.
However, the paper, titled ‘Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud’, did show methods of prevention.
One countermeasure outlined by the researchers was using single-tenant instances. The paper read: “Placing multiple instances of a user on the same physical machine prevents co-location with a malicious attacker. Most cloud service providers including Amazon EC2 offer single tenant instances albeit as an expensive option. This option offers a number of benefits including isolation from other users.”
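As an added illustration (not taken from the paper or from AWS), the following sketch audits which key-handling instances still run on shared hardware, using the `Placement.Tenancy` field reported by `aws ec2 describe-instances`. The `handles-private-keys` tag and the instance IDs are assumptions constructed for the example.

```python
import json

# Constructed sample in the shape returned by `aws ec2 describe-instances`.
SAMPLE = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa0000000000001",
     "Placement": {"Tenancy": "default"},
     "Tags": [{"Key": "handles-private-keys", "Value": "true"}]},
    {"InstanceId": "i-0aaa0000000000002",
     "Placement": {"Tenancy": "dedicated"},
     "Tags": [{"Key": "handles-private-keys", "Value": "true"}]}
  ]},
  {"Instances": [
    {"InstanceId": "i-0aaa0000000000003",
     "Placement": {"Tenancy": "default"},
     "Tags": [{"Key": "Name", "Value": "static-site"}]},
    {"InstanceId": "i-0aaa0000000000004",
     "Placement": {"Tenancy": "host"}}
  ]}
]}
""")

# EC2 tenancy values: "default" is shared hardware; these two are single-tenant.
SINGLE_TENANT = {"dedicated", "host"}
KEY_TAG = "handles-private-keys"  # hypothetical tag marking RSA key holders


def tags_of(instance):
    """Flatten the EC2 tag list into a dict; untagged instances yield {}."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def shared_tenancy_key_holders(described):
    """Return (instance_id, tenancy) for tagged instances on shared hardware."""
    findings = []
    for reservation in described.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            # A missing tenancy field is treated as shared, the cautious reading.
            tenancy = inst.get("Placement", {}).get("Tenancy", "default")
            sensitive = tags_of(inst).get(KEY_TAG, "").lower() == "true"
            if sensitive and tenancy not in SINGLE_TENANT:
                findings.append((inst["InstanceId"], tenancy))
    return findings


if __name__ == "__main__":
    for instance_id, tenancy in shared_tenancy_key_holders(SAMPLE):
        print(f"{instance_id}: tenancy={tenancy}, key material on shared hardware")
```
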
But the paper gives hope for IaaS cloud security towards the end, where the researchers said: “While the attack is still possible, our results show that, through combined efforts of all involved parties, the bar for performing successful attacks in the cloud is quickly rising. Specifically, we show that many co-location techniques that gave high accuracy in 2009 no longer work.
“Similarly, increased hardware complexity and better protected cryptographic libraries increase the cost and required sophistication of attacks to succeed.”
Amazon Web Services was keen to point out to TechWeekEurope that any such attack would require a willing co-conspirator from within the organisation, and said: “This research shows Amazon EC2 continues to strengthen its built-in, base level security measures, even when researchers perform complex attacks with extremely rare, unlikely pre-existing conditions and outdated 3rd party software. AWS customers using current software and following security best practices are not impacted by this situation.”