Menu
Security weakness found in iOS 7

Security weakness found in iOS 7

The problem stems from being able to brute force the random number generato to predict its outcomes

A researcher has discovered a weakness in iOS 7 that would enable an attacker to bypass a number of mechanisms Apple uses to prevent exploitation of the operating system's kernel.

The problem stems from being able to brute force the random number generator, called the Early Random PRNG, to predict its outcomes. The generator is used by a number of important memory protections for iOS devices.

The PRNG generates numbers used by the physical kernel map randomization, stack-check guard, zone cookie protections and kernel map randomization. These attack mitigations prevent hackers from executing buffer overflows and other exploits that could be used to take over a device with malware that takes advantage of how memory is allocated to safely execute code.

Tarjei Mandt, senior security researcher at Azimuth Security, found that the PRNG in iOS 7, the latest version of the OS, is weaker than the one used in iOS 6. In a paper presented this week at CanSecWest, Mandt described the impact of knowing the PRNG's outputs.

"Recovering these outputs essentially allows an attacker to bypass a variety of exploit mitigations, such as those designed to mitigate specific exploitation techniques or whole classes of vulnerabilities," the paper says.

"In turn, this may allow trivial exploitation of vulnerabilities previously deemed non-exploitable."

Scott Morrison, senior vice president and distinguished engineer at CA Technologies, called Mandt's work an "important discovery."

"PRNGs are fundamental to many computer security functions, particularly those around cryptography," Morrison said. "PRNGs are a common point of attack because if they are in any way predictable, the entire security system built on them can collapse like a house of cards."

The random number generator in iOS 7 uses an algorithm called a linear congruential generator (LCG), which produces sequences of random numbers calculated with a linear equation. One of the oldest and best-known random number generators, it is known for being fast and easy to implement, the paper authored by Mandt, said.

While these algorithms work well in devices with limited resources, such as smartphones, "they exhibit severe defects and are easily broken when confronted by an adversary who can monitor outputs," Mandt wrote.

"As such, LCGs should not be used for cryptographic applications or security related work," he said.

Mandt told the security blog ThreatPost that he had not disclosed his findings to Apple. Representatives of the company had requested to see his slides shortly before his presentation.


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags securityMobile OSesmobile

Featured

Slideshows

Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Tech industry comes together as Lexel celebrates turning 30

Tech industry comes together as Lexel celebrates turning 30

Leading figures within the technology industry across New Zealand came together to celebrate 30 years of success for Lexel Systems, at a milestone birthday occasion at St Matthews in the City.​

Tech industry comes together as Lexel celebrates turning 30
HP re-imagines education through Auckland event launch

HP re-imagines education through Auckland event launch

HP New Zealand held an inaugural Evolve Education event at Aotea Centre in Auckland, welcoming over 70 principals, teachers and education experts to explore ways of shaping and enhancing learning using technology.

HP re-imagines education through Auckland event launch
Show Comments