Menu
Security weakness found in iOS 7

Security weakness found in iOS 7

The problem stems from being able to brute force the random number generato to predict its outcomes

A researcher has discovered a weakness in iOS 7 that would enable an attacker to bypass a number of mechanisms Apple uses to prevent exploitation of the operating system's kernel.

The problem stems from being able to brute force the random number generator, called the Early Random PRNG, to predict its outcomes. The generator is used by a number of important memory protections for iOS devices.

The PRNG generates numbers used by the physical kernel map randomization, stack-check guard, zone cookie protections and kernel map randomization. These attack mitigations prevent hackers from executing buffer overflows and other exploits that could be used to take over a device with malware that takes advantage of how memory is allocated to safely execute code.

Tarjei Mandt, senior security researcher at Azimuth Security, found that the PRNG in iOS 7, the latest version of the OS, is weaker than the one used in iOS 6. In a paper presented this week at CanSecWest, Mandt described the impact of knowing the PRNG's outputs.

"Recovering these outputs essentially allows an attacker to bypass a variety of exploit mitigations, such as those designed to mitigate specific exploitation techniques or whole classes of vulnerabilities," the paper says.

"In turn, this may allow trivial exploitation of vulnerabilities previously deemed non-exploitable."

Scott Morrison, senior vice president and distinguished engineer at CA Technologies, called Mandt's work an "important discovery."

"PRNGs are fundamental to many computer security functions, particularly those around cryptography," Morrison said. "PRNGs are a common point of attack because if they are in any way predictable, the entire security system built on them can collapse like a house of cards."

The random number generator in iOS 7 uses an algorithm called a linear congruential generator (LCG), which produces sequences of random numbers calculated with a linear equation. One of the oldest and best-known random number generators, it is known for being fast and easy to implement, the paper authored by Mandt, said.

While these algorithms work well in devices with limited resources, such as smartphones, "they exhibit severe defects and are easily broken when confronted by an adversary who can monitor outputs," Mandt wrote.

"As such, LCGs should not be used for cryptographic applications or security related work," he said.

Mandt told the security blog ThreatPost that he had not disclosed his findings to Apple. Representatives of the company had requested to see his slides shortly before his presentation.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Tags securitymobileMobile OSes

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments