A team at Penn State University discovered that user information can be leaked during the fairly common process of companies leaving a public cloud service and their old IP address being handed off to the next tenant.
Acting as “cloud squatters,” the PSU researchers demonstrated how attackers could potentially get a hold of valuable data meant for a previous destination—information that could even include bank-transaction details.
And when you’re a cloud squatter, the data comes to you
“People will be trying to connect, and they’ll be sending you potentially privileged information intended for other customers,” said Eric Pauley, a graduate research fellow and PhD candidate at Penn State who led the vulnerability discovery.
Pauley and his team found over 5,400 organizations potentially leaking sensitive data.
What is cloud squatting?
Clouds help organizations reduce costs and scale workloads, but there are only so many IP addresses to go around.
When one company’s service is terminated, cloud providers often lease the same server space and IP addresses to another company. A new cloud client with a reused IP address, it turns out, can receive network traffic from end users trying to connect to the original service.
So, during this kind of switch, a lot of end users are calling the wrong number. If you’re the new tenant, you can ignore the call, so to speak—and most organizations do. If you’re an attacker, you can answer the phone, and, if you find the right IP address, it’s possible to pretend to be a bank.
“While this traffic is usually ignored by the new organization, an attacker can purposefully record this traffic and extract sensitive user data,” Pauley told IT Brew.
Pauley and the team discovered a financial-services organization that had set up a server in the public cloud to receive financial-transaction messages, and clients kept sending them, it turned out.
“Unfortunately, what happened was when they no longer ran that service, the IP address went back to the cloud provider, but those messages were still sent,” said Pauley. “An attacker, if they received that IP address, would just continue to receive those messages.”
The cloud-squatting vulnerability becomes a potentially high-risk one when an adversary can listen for traffic connecting to it. An attacker, for example, could appear to be the bank’s homepage and record a customer’s input.
“If the customer, for example, typed their password into the website, they could receive the bank password,” said Pauley.
In addition to financial messages, Pauley and the team also discovered mobile devices sending analytics and tracking data intended for other organizations. While the companies no longer ran services to collect the data, devices were still configured to send it.
“What we found was that references to IP addresses were being stored in various cloud services, they were being hard-coded into mobile applications, and so mobile applications would connect to the IP even when the service was no longer being run,” said Pauley.
To demonstrate the potential for attack, the Penn State team did some squats, renting cloud servers from Amazon Web Services for 10-minute intervals. Without asking for any data, the cloud squatters received information sent to addresses intended for previous tenants: 5 million pieces of data, in fact, including sensitive information like financial transactions, GPS locations, and personally identifiable information. One request received at a squatted IP address was intended for HHS.gov, the Department of Health and Human Services.
“We did not knowingly receive health data, but did confirm that an adversary could receive that data,” said Patrick McDaniel, holder of the William L. Weiss Chair in Information and Communications Technology in the School of Electrical Engineering and Computer Science at Penn State, in a news release from the university.
The researchers, in compliance with Amazon’s Vulnerability Reporting program, immediately contacted the three major cloud server companies—AWS, Microsoft, and Google—as well as at-risk US government agencies, to inform them of the vulnerabilities in their server practices. To protect user data, the team collected, encrypted, and sent data to a secure location for analyses.
A crowd in the cloud
Many organizations lease cloud services, from small businesses to enterprises to government agencies, which means the kinds of data at risk vary greatly.
In some cases, businesses will set up cloud services and keep them active for years. Others will scale their cloud efforts, perhaps running more cloud services during one part of the day and fewer at night; they’ll provision and decommission frequently.
“In a worst case, we see that IP addresses can change hands as often as every 30 minutes on the cloud provider that we studied,” said Pauley.
How serious is the threat?
To exploit the vulnerability an attacker would have to get lucky…for now, at least.
In cloud services, you get assigned an IP address, and when you terminate the resource or release the IP, the address gets added to a pool of IPs to be reissued. It’s meant to be a helpful bit of randomness.
“Customers don’t get to choose what IP they get, so you can’t really intentionally target a specific customer for this kind of squatting attack,” said Mike Rothman, president of the cloud security operations platform DisruptOPS and analyst at the security firm Securosis.
But an attack is possible: You can wait around and try IP addresses until you get one that is a destination for sensitive data. An attacker can listen to see if a client is requesting information like bank details, for example, but that kind of match would be the jackpot, according to Kurt Seifried, chief blockchain officer and director of special projects at Cloud Security Alliance.
“You’re basically…buying a lottery ticket. It’s probably going to be a losing ticket,” Seifried told IT Brew. “To make it a winning ticket is just a lot of work.”
An attacker would have to acquire IP addresses and comb through them all, but a level of automation could ease that workload.
“There are simple techniques to quickly evaluate an IP address and see if it’s doing anything interesting or not, based on what the clients talking to it want to do,” said Seifried. “If someone writes that into a toolkit and sells it to attackers, well now we’ve automated that sophistication, and you or I could just run a script that does it.”
What the server companies (and the leasers) can do
To protect against these data leaks, cloud server companies can try to limit IP reuse as much as possible, reserve blocks of IP addresses for big clients, or delay the recycling of IP addresses, according to a post on the topic by Pauley. Organizations can bring their own IP addresses for use within the cloud or use private IP addresses; some cloud servers offer IPv6 addresses.
To avoid misconfigured IP references, those renting cloud server space should refer to IP addresses through one location: DNS. IT organizations must also have one centralized source of oversight, said Pauley.
“One of the biggest issues that we saw was that organizations had many different subunits deploying cloud services and each of those subunits failed to adhere to best practices,” Pauley told IT Brew. “From the higher levels of the organization, it was difficult to sort of keep tabs on what was going on in those units.”
A major best practice is oversight of the full cloud presence—and oversight of where references to these IP addresses are being stored. IT teams can audit the IP addresses in their DNS zone on a regular basis, looking for suspicious sites requesting sensitive data.
Companies must understand what their external attack surface looks like, said Rothman, and teams should allocate a strict number of IP addresses for external use cases. Additionally, IT teams need to ensure resources are properly configured, updated, and cleaned up after use.
More importantly, said Rothman, applications must be built securely to prevent the apps from sending out tracking data.
“Applications should not be hard-coding IP addresses or credentials in the code,” said Rothman. “That’s just poor practice and could result in being vulnerable to this kind of attack.”
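The two controls described above, auditing DNS records against the addresses an organization still holds and keeping public IP literals out of application code, as an added Python example (not code from the researchers or IT Brew); the zone records, owned addresses and file snippets are constructed sample data.

```python
import ipaddress
import re

# Constructed sample data: A records in the organization's DNS zone, and the
# public IPs the organization currently holds at its cloud provider.
ZONE_A_RECORDS = {
    "api.example.com": "203.0.113.10",
    "pay.example.com": "203.0.113.25",   # released back to the provider, record left behind
    "metrics.example.com": "198.51.100.7",
}
OWNED_PUBLIC_IPS = {"203.0.113.10", "198.51.100.7", "198.51.100.9"}

# Constructed source and config snippets as an application team might ship them.
CONFIG_SNIPPETS = {
    "mobile/Config.java": 'static final String ANALYTICS = "http://203.0.113.25:8443/v1";',
    "service/settings.yaml": "endpoint: https://api.example.com/v2",
    "ops/README.md": "Local dev server listens on 127.0.0.1:8000",
}

IPV4_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Address ranges that a cloud provider cannot re-lease to another tenant, so a
# literal in one of them is not a squatting risk. Documentation ranges such as
# 203.0.113.0/24 are deliberately treated as public so the sample data is flagged.
NON_REUSABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def dangling_records(zone, owned):
    """Return {name: ip} for A records that point at public IPs the org no longer
    holds. Each such record keeps steering clients at an address another tenant
    may be handed next."""
    return {name: ip for name, ip in zone.items() if ip not in owned}


def hardcoded_public_ips(snippets):
    """Return [(path, ip)] for re-leasable IPv4 literals embedded in code or config."""
    hits = []
    for path, text in snippets.items():
        for lit in IPV4_LITERAL.findall(text):
            try:
                addr = ipaddress.ip_address(lit)
            except ValueError:       # e.g. "999.1.1.1" matched the regex but is not an address
                continue
            if not any(addr in net for net in NON_REUSABLE):
                hits.append((path, lit))
    return hits


if __name__ == "__main__":
    for name, ip in dangling_records(ZONE_A_RECORDS, OWNED_PUBLIC_IPS).items():
        print(f"dangling DNS record: {name} -> {ip}")
    for path, ip in hardcoded_public_ips(CONFIG_SNIPPETS):
        print(f"hard-coded public IP in {path}: {ip}")
```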
While cloud has the obvious benefits of reducing costs and increasing scale, new threats emerge with a model that encourages quick server rentals. The way that cloud services are architected really changes a lot of the assumptions that people have had of private data centers up to this point, added Pauley.
“We already know that this information is being leaked. It’s just a question of whether anybody is listening for it.”—BH