Senators Urge FTC Probe On ‘Defective’ AWS Cloud Services In Capital One Breach

‘Although Amazon’s competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective services to businesses, government agencies and to the general public,’ U.S. Democratic Sens. Elizabeth Warren and Ron Wyden wrote in a letter to the FTC chairman.

U.S. Sens. Elizabeth Warren and Ron Wyden are calling on the Federal Trade Commission to investigate whether Amazon Web Services’ alleged failure to secure its servers at the center of a Capital One hacking constitutes an unfair business practice and a violation of federal law.

Warren (D-Mass.), whose calls for breaking up big technology companies including Amazon along with tougher regulation are part of her presidential campaign platform, and Wyden (D-Ore.) claim that AWS, Amazon’s massive cloud-based computing unit, “continues to sell defective services to businesses, government agencies and to the general public.”

The senators have asked FTC chairman Joseph Simons to open an investigation into AWS’ potential culpability in the Capital One breach, revealed in July, by a former AWS employee who gained access to sensitive personal data of 100 million of the bank’s U.S. credit card customers and applicants, and six million customers in Canada. The hacker gained access to AWS servers rented by Capital One via an alleged server side request forgery (SSRF) attack, the lawmakers’ letter states.

While AWS cloud computing competitors Google and Microsoft have included mandatory protections against SSRFs since 2013 and 2017, respectively, “Amazon’s failure to add a similar software protection against SSRF attacks to its (AWS) cloud computing product has been the subject of significant public discussion among cybersecurity experts for the past five years, including in presentations at major industry conferences,” Warren and Wyden wrote in the letter dated today.

While Amazon likely has known that its AWS product was vulnerable to SSRF attacks since the first high-profile demonstration by a cybersecurity researcher in 2014, the company “has certainly” known since mid-2018 at the latest, according to the senators.

“…The FTC has made it clear that companies have an obligation to act on third-party reports of cybersecurity vulnerabilities,” their letter to the FTC states. “Amazon failed to act on a third-party report and has not provided an explanation for its inaction. Amazon knew, or should have known, that AWS was vulnerable to SSRF attacks. Although Amazon’s competitors addressed the threat of SSRF attacks several years ago, Amazon continues to sell defective services to businesses, government agencies and to the general public. As such, Amazon shares some responsibility for the theft of data on 100 million Capital One customers.”

An AWS spokesperson attacked Warren and Wyden’s letter as “baseless and a publicity attempt from opportunistic politicians.”

“As Capital One has explained, the perpetrator attacked a misconfiguration at the application layer of a Capital One firewall,” the AWS spokesperson said. “The SSRF technique used in this incident was just one of many subsequent steps the perpetrator followed after gaining access to the company's systems and could have been substituted for a number of other methods given the level of access already gained.”

The FBI in July arrested 33-year-old, Seattle-area resident Paige Thompson, who worked as an AWS systems engineer in 2015 and 2016, for allegedly orchestrating the Capital One hack, and she’s been charged with computer fraud and abuse. Thompson also allegedly data from more than 30 other companies, according to federal prosecutors.

A Capital One spokesperson declined comment today.

“The government has stated they believe the data has been recovered, and that there is no evidence the data was used for fraud or shared by this individual,” Capital One stated on its website.

An FTC spokesperson confirmed the commission had received the senators’ letter but declined additional comment.

In an Aug. 13 letter to Wyden, AWS chief security officer Stephen Schmidt wrote that “SSRF was not the primary factor” in the Capital One hack.

“As Capital One outlined in their public announcement, the attack occurred due to a misconfiguration error at the application layer of a firewall installed by Capital One, exacerbated by permissions set by Capital One that were likely broader than intended,” Schmidt said in the letter. “After gaining access through the misconfigured firewall and having broader permissions to access resources, we believe a SSRF attack was used (which is one of several ways an attacker could have potentially gotten access to data once they got in through the misconfigured firewall).”

Schmidt said AWS was not aware of any other “noteworthy” SSRF compromises of AWS customers, and that AWS gives “clear guidance” to customers on the importance and necessity of protecting themselves from SSRF and other attacks.

“We also offer our own AWS Web Application Firewall, which has expansive capabilities through which customers can completely block SSRF and other attacks,” Schmidt wrote.