Amazon Patches Cloud Crypto Key Vulnerability

September 30, 2015 at 11:42 am By

Following a report of a hack in Amazon’s EC2 platform that would allow attackers to steal the cryptographic keys, the company issued a patch to solve the issue while pointing out that researchers are performing hacks with rare and unlikely conditions.

“I’d point out that this research shows Amazon EC2 continues to strengthen its built-in, base level security measures, even when researchers perform complex attacks with extremely rare, unlikely pre-existing conditions and outdated 3rd party software,” said an Amazon spokesperson in an e-mail response to Arstechnica.

“AWS customers using current software and following security best practices are not impacted by this situation. Further, a patched version of the open source software targeted by this research (Libgcrypt) is publicly available for Amazon EC2 customers via their operating systems’ standard software update mechanisms or direct download from the Libgcrypt project page at”

The report compared the new lapse to one of the initial “key-recovery attacks on co-located machines” in 2009. Researchers used a CPU cache attack on two Amazon accounts which contained the same chipset, according to the report.

The newer technique works by probing the last level cache (LLC) of the Intel Xeon processor chipsets used by Amazon computers,” according to the article.

The research shows that co-location is still detectable in 2015 some 6 years after it’s original exposure in 2009. It’s a fairly complex hack to carry-out and as the AWS pointed out there is an “extremely rare and unlikely condition” that is necessary for the hack to be carried out. That being said, the company still found it necessary to patch the issue in a very timely manner.

Read the full story.