Researchers at France’s Eurecom technology institute, Northeastern University and the security firm SecludIT ran automated scanning tools on more than 5,000 of the virtual machines images published on Amazon’s catalog of virtual machines set up with preset software and configurations and ready to run on Amazon’s Elastic Compute Cloud (EC2) service. They looked for security and privacy issues like malware, software vulnerabilities, and leftover data and user accounts from the administrator who set up the server’s software.
The results, which the team plans to present a paper at the Symposium on Applied Computing next March, aren’t pretty: 22% of the machines were still set up to allow a login by whoever set up the virtual machine’s software–either Amazon or one of the many other third party companies like Turnkey and Jumpbox that sell preset machine images running on Amazon’s cloud. Almost all of the machines ran outdated software with critical security vulnerabilities, and 98% contained data that the company or individual who set up the machine for users had intended to delete but could still be extracted from the machine.
“If the guy who set up the machine forgot to erase his credentials or left them there on purpose, everyone who has the credential can log into the server,” says Marco Balduzzi, one of the Eurecom researchers on the team. “You rent this machine for personal use, and someone else has a kind of a backdoor to it already.”
Balduzzi points out that it would be possible to publish a server image in Amazon’s catalog with the intent of infecting the user with malware or exploiting a backdoor to steal information. But in some cases it was the creator of the machine image who was put at risk by leaving private keys on the server or failing to completely erase his or her own data before publishing it for customers to use, Balduzzi says.
The research team notified Amazon about the issues last summer, and the company responded by posting a notice to its customers and partners about the problem. “We have received no reports that these vulnerabilities have been actively exploited,” the company wrote at the time. “The purpose of this document is to remind users that it is extremely important to thoroughly search for and remove any important credentials from an [Amazon Machine Image (AMIs)] before making it publicly available.”
Amazon spokesperson Kay Kinton sent me a statement, noting that “Customers have complete control over what information they include, or not, within the AMIs they choose to make publicly available,” and pointing to a couple Amazon pages on using AMI’s securely.
Balduzzi says that an Amazon representative similarly told him that the company considers the issue to be one between users and the third party companies that offer software on Amazon’s platform. “They told me it’s not their concern, they just provide computing power,” Balduzzi says. “It’s like if you upload naked pictures to Facebook. It’s not a good practice, but it’s not Facebook’s problem.”
The Eurecom team’s research isn’t the first to point out security issues in Amazon’s cloud services. Just earlier this week, a team of German researchers revealed a collection of vulnerabilities in Amazon’s web interface that allowed potential data theft from the company’s cloud platform. Amazon has now patched those flaws.
This article was written by Andy Greenberg for Forbes Magazine. The original copy can be found here.
Photo by Andy Greenberg, Forbes Staff – Eurecom’s researchers (from the left) Jonas Zaddach, Davide Balzarotti, and Marco Balduzzi