Last month we stumbled on new research by Tal Be’ery that revealed AWS encodes account numbers inside access key IDs (ex: AKIAQYLPMN5HPS2GDVNY).
To our surprise, simple base-32 decoding and bit shifting can transform any AWS access key credential type into the corresponding account number.
After adding account ID enumeration for both live and revoked keys in TruffleHog, we reached out to Tal to learn more about his discovery.
Below are excerpts from our interview.
Interview with Tal Be’ery (CTO of Zengo Wallet)
Truffle: What did your research process look like? What tools did you use to help identify the bit shifting and the bit mask?
Tal: Nothing too fancy. I mostly used Python and Mac’s calculator application (in programmer view) for bit manipulation and some intuition.
Scientific Mode on the OSX Calc App
I was intrigued by the meaning of the AWS ID, so I started looking into a few examples and it was very clear from the beginning that the ID is base32 encoded. Querying a non-destructive AWS API endpoint (like TruffleHog does for verification), it was clear that:
The account number is computed from the ID and not taken from some database as every syntactically correct ID retrieves an account number.
Only the first characters mattered, as changing them changed the retrieved account number and changing characters at the end had no impact.
So once I knew the account number MUST be encoded within the first characters, it was just a matter of finding the right bit arithmetics to get to the correct answer. I mainly used a calculator to do it manually, and then wrote a python script to automate it (the script is included within my post).
Some of the above mentioned insights were already known (references can be found in my blog post). I just had to put some finishing touches on to wrap it all up and get the account number out of the ID.
Truffle: AWS presumably had a reason to not include cleartext account numbers in their authentication workflows. Now that account numbers can be reversed engineered from AWS access key ids, what security implications do you foresee?
Tal: I really don’t know. Getting account numbers from IDs was possible before with the aforementioned API, so it is not “secret”. We still don’t know the meaning of the “last characters” in the ID that don’t have an impact on the account number, so maybe there is more to it.
Truffle: Do you think AWS thought anyone would ever discover embedded account numbers in the access key ids?
Tal: It’s unclear. I often find that builders underestimate the capability of others to understand the systems they build. Usually I find their mindset to be something like “this stuff is confusing to me, and I built it. I cannot imagine someone else figuring it out on their own”.
Truffle: Why do you think they structured their access key ids like this? Was it simply a performance gain (reverse an embedded number vs. DB lookup)? What else could explain their design decision?
Tal: This might be the reason, but I don’t want to speculate.
Generally, a common belief within the security community is that “security through obscurity” is a bad practice. I believe AWS should expose their authentication and authorization protocols, the way for example Microsoft has done for their on-premise technology. That way, the security community will be able to use its resources to make sure their system is secure and not waste precious resources on reverse engineering it (although these puzzles are really fun to solve!)
Truffle: For researchers interested in this topic, are there any cloud/SaaS providers that you think merit research?
Tal: I believe we need to understand the underlying security mechanics of our infrastructure. So I recommend researchers figure out AWS and all other major cloud providers’ authentication and authorization protocols.
Truffle: Tell us more about yourself. What do you primarily research and what is Zengo wallet all about?
Tal: I’ve been the CTO and co-founder of Zengo cryptocurrency wallet (https://zengo.com/) for the last 5 years. Zengo is known to be the first consumer MPC wallet that solves the vulnerability of the seed phrase, with more than 1M users and 0 hacks (https://zengo.com/security). Previously, I led the research function of multiple cyber companies. As security is one of the most important aspects of a wallet, we spend a lot of time thinking about it and researching it along with other topics in cryptography and blockchains.
Truffle: Thank you for your time, Tal!
A (small) Update to TruffleHog
Following Tal’s discovery, we updated TruffleHog so that all AWS access keys (live or revoked) will report the corresponding account number.
TruffleHog Returns AWS Account IDs for Verified and Unverified Keys
Although this is just a small update, Tal’s research has sparked many new ideas and avenues of research that we hope to incorporate into TruffleHog in the coming months.
