Apple Made iOS6 Security Flaw Worse for iOS7

iOS7 security has a hole where its random numbers should be

A flaw in the security enhancements Apple added to its iOS7 operating system makes the latest version even weaker than the problematic previous version, according to researchers who analyzed the flaws in both systems.

The problem with both versions is that the very effective protections built around the kernel of the mobile operating system depend on random numbers generated by a cryptographic pseudo-random number generator (PRNG). A “serious defect” in the random number generator in iOS6 made the numbers predictable, weakening all the new security measures that depended on it, according to a 2012 analysis from Mark Dowd and Tarjei Mandt of Azimuth Security, who wrote “iOS 6 Kernel Security: A Hacker’s Guide” to detail the problem.

For iOS7, Apple replaced the random number generator with one that uses a different approach and should be more effective. In practice, however, the new version is less random than the previous one, making iOS7 more prone to both hacking and jailbreak than even iOS6, which was heavily criticized despite enormous improvements in security compared to previous versions.

Analysts praised iOS6 for many of its improvements, which made most of the existing exploits and jailbreaks useless. But most of those benefits depended on a series of kernel protections that, in turn, depended on data produced by the PRNG being as close to genuinely random as possible. The PRNG runs during the boot process, providing randomized data to encryption-dependent security processes while the kernel and its core encryption module are still launching.

Due to a “serious defect” in the way the iOS6 version generated its random numbers, the resulting numbers were fairly predictable, allowing potential attackers to guess the sequence and take control of the kernel at any time, Dowd and Mandt wrote. Apple overhauled the kernel protections again with iOS7 and completely replaced the PRNG with another version called the Early PRNG, whose data allows iOS to add physical kernel map randomization, stack-check guards, zone cookie protections and other barriers that could protect against buffer overflows and other exploits that take advantage of the operating system’s partial control of its components during the boot process.

According to a report Mandt presented at the CanSecWest 2014 conference March 12, however, the PRNG in iOS7 is “alarmingly weak” in practice because it produces far fewer sequences of unique numbers before beginning to repeat itself. “All the mitigations deployed by the iOS kernel essentially depend on the robustness of the Early Random PRNG,” Mandt wrote. “It must provide sufficient entropy and non-predictable output.”

By showing “a high degree of determinism” in what should be random number generation, the PRNG “allows an attacker to trivially brute-force the relevant portion of the PRNG’s internal state by observing a very small set of outputs,” the white paper concludes. (Copies of the slides are available here.) With that kind of view of the numbers being generated inside the PRNG, “attacks on the early random PRNG in iOS 7 are shown to be highly practical.”
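The weakness described above, a generator that repeats itself after far fewer values than its output width suggests, is something a reviewer can measure directly. The following is an added example, not code from the article, from Mandt's paper or from Apple: both generators and all function names are constructed for illustration, and neither is the iOS Early Random algorithm. It uses Brent's cycle detection to find each generator's period and reports the resulting upper bound on its effective bits.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint16_t (*step_fn)(uint16_t);

/* Constructed toy generators, not Apple's algorithm. Both sit behind a
   64-bit output function, so the output width says nothing about the state. */
static uint16_t full_step(uint16_t s) { return (uint16_t)(s * 25173u + 13849u); }
static uint16_t weak_step(uint16_t s) { return (uint16_t)(((s & 0xFFu) * 5u + 1u) & 0xFFu); }

/* Mixing makes outputs look unrelated but cannot add states. */
static uint64_t output64(uint16_t s) {
    uint64_t x = (uint64_t)s * 0x9E3779B97F4A7C15ULL;
    return x ^ (x >> 29);
}

/* Brent's cycle detection: returns the cycle length reached from `seed`;
   *tail gets the number of steps taken before the cycle is entered. */
static uint64_t cycle_length(step_fn f, uint16_t seed, uint64_t *tail) {
    uint64_t power = 1, lam = 1, mu = 0;
    uint16_t slow = seed, fast = f(seed);
    while (slow != fast) {
        if (power == lam) { slow = fast; power *= 2; lam = 0; }
        fast = f(fast);
        lam++;
    }
    slow = fast = seed;
    for (uint64_t i = 0; i < lam; i++) fast = f(fast);
    while (slow != fast) { slow = f(slow); fast = f(fast); mu++; }
    *tail = mu;
    return lam;
}

/* floor(log2(period)): upper bound on bits of unpredictability per seed. */
static unsigned effective_bits(uint64_t period) {
    unsigned bits = 0;
    while ((period >>= 1) != 0) bits++;
    return bits;
}

int main(void) {
    uint64_t tail, p = cycle_length(weak_step, 0xBEEF, &tail);
    printf("weak: period=%llu tail=%llu bits=%u first=%016llx\n",
           (unsigned long long)p, (unsigned long long)tail, effective_bits(p),
           (unsigned long long)output64(weak_step(0xBEEF)));
    p = cycle_length(full_step, 0xBEEF, &tail);
    printf("full: period=%llu tail=%llu bits=%u\n",
           (unsigned long long)p, (unsigned long long)tail, effective_bits(p));
    return 0;
}
```

Both generators emit 64-bit values, yet the weak one can never offer more than 8 bits of unpredictability, which is the kind of gap between apparent and actual randomness the paper describes.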
