Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Changes in iOS 7 Security Make Kernel More Vulnerable to Attack

MacRumors

MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,469
30,691



A security researcher claims changes Apple made to tighten its kernel security system in iOS 7 instead weakened the system, making it less secure than its iOS 6 counterpart. (Via CNET and ThreatPost) Azimuth Security researcher Tarjei Mandt discovered the flaw and presented his findings last week at CanSecWest.

The security flaw involves the random number generator Apple uses to secure its kernel. In iOS 6, the number generator that encrypted the kernel derived its values in part from the CPU clock counter. Because it was based on time, the encryption was only marginally secure as the output values were predictable, especially when examining successive numbers.

ios7-early-random-number.jpg
Apple was aware of the limitations in iOS 6 and attempted to tighten security in iOS 7 by changing the random number generator to a linear congruential generator, which is more susceptible to brute force attacks.
The problem with the new generator in iOS 7 is that it uses a linear recursion algorithm, Mandt said, which has "more correlation" between the values it generates. That makes them easier to extrapolate and guess, he said.
Click to expand...
This flaw potentially allows a malicious hacker to gain kernel-level access to an iOS device via an unpatched vulnerability. The kernel is the base part of the iOS operating system and controls low-level functions such as security and resource allocation.

Apple approached Mandt about his findings and asked for his CanSecWest slide presentation.


Article Link: Changes in iOS 7 Security Make Kernel More Vulnerable to Attack
 
Article Link
https://www.macrumors.com/2014/03/17/ios-7-kernel-security/
E

everything-i

macrumors 6502a
Jun 20, 2012
827
2
London, UK
So they replaced one floored system where the code could be derived based on time to another that can only be cracked with bruit force guesses. So one is no more secure than the other. In other words its probably no more or less than it was before. Of course the tin foil hat brigade will have us all believe its a government conspiracy:rolleyes:
 
ArtOfWarfare

ArtOfWarfare

macrumors G3
Nov 26, 2007
9,557
6,058
Modern Intel chips (made after 2008 I think) have ISK which produces actual random values rather than pseudo ones. I guess ARM lacks that right now.
 
jfx94

jfx94

macrumors regular
May 22, 2013
134
17
where ever I am at.
This doesn't seem like a hole the way some other vulnerabilities are. This seems more like a structural weakness in the architecture (like using a softer steel than something bulletproof in construction). I doubt there will be a 'fix' for this; more likely iOS 8 or 9 will simply use stronger steel.
 
H

H2SO4

macrumors 603
Nov 4, 2008
5,650
6,938
jfx94 said:
This doesn't seem like a hole the way some other vulnerabilities are. This seems more like a structural weakness in the architecture (like using a softer steel than something bulletproof in construction). I doubt there will be a 'fix' for this; more likely iOS 8 or 9 will simply use stronger steel.
Click to expand...

I fear you are right. I also fear that iOS8 will only be available to the iP5 and upward.
 
L

Laird Knox

macrumors 68000
Jun 18, 2010
1,956
1,343
Random Number Generators are a tricky business. The company I work for has a whole slew of patents and protected IP just for the RNG we use.
 
S

samcraig

macrumors P6
Jun 22, 2009
16,779
41,982
USA
The new iPhone. We made everything thinner. Including security and the randomness of numbers. :eek: :p
 
B

b0fh

macrumors regular
May 14, 2012
152
62
ArtOfWarfare said:
Modern Intel chips (made after 2008 I think) have ISK which produces actual random values rather than pseudo ones. I guess ARM lacks that right now.
Click to expand...

Except that the Intel stuff isn't particularly trusted currently.

And with the new "we will run certain people run below the microcode level so that we can stop unauthorized programs and viruses that the OS can't see"... do you really trust those things? :confused::confused:
 
dugbug

dugbug

macrumors 68000
Aug 23, 2008
1,865
1,926
Somewhere in Florida
They have such great sources of entropy: signal strength, gyros, accelerometers, temperatures. I thought they employed some of these? At least arc4random()?
 
PBG4 Dude

PBG4 Dude

macrumors 601
Jul 6, 2007
4,266
4,477
dugbug said:
They have such great sources of entropy: signal strength, gyros, accelerometers, temperatures. I thought they employed some of these? At least arc4random()?
Click to expand...

The article states this entropy pool is not available at boot time, when the number is generated.
 
ArtOfWarfare

ArtOfWarfare

macrumors G3
Nov 26, 2007
9,557
6,058
b0fh said:
Except that the Intel stuff isn't particularly trusted currently.

And with the new "we will run certain people run below the microcode level so that we can stop unauthorized programs and viruses that the OS can't see"... do you really trust those things? :confused::confused:
Click to expand...

I'm not familiar with the things you're alluding to.
 
springsup

springsup

macrumors 65816
Feb 14, 2013
1,221
1,209
Yikes! That makes for some pretty worrying reading.

Apple can change the PRNG implementation without breaking things, and there are a number of good tips given in the slides. I'm sure we'll see a more robust generator in iOS8, but these fixes may be important enough to make it to iOS 7, too.

----------
ArtOfWarfare said:
I'm not familiar with the things you're alluding to.
Click to expand...

I think he's talking about the NSA, and leaked reports where they claim to have inserted backdoors into hardware random number generators.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom