Changes in iOS 7 Security Make Kernel More Vulnerable to Attack

Discussion in 'iOS Blog Discussion' started by MacRumors, Mar 17, 2014.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    A security researcher claims changes Apple made to tighten its kernel security system in iOS 7 instead weakened the system, making it less secure than its iOS 6 counterpart. (Via CNET and ThreatPost) Azimuth Security researcher Tarjei Mandt discovered the flaw and presented his findings last week at CanSecWest.

    The security flaw involves the random number generator Apple uses to secure its kernel. In iOS 6, the number generator that encrypted the kernel derived its values in part from the CPU clock counter. Because it was based on time, the encryption was only marginally secure as the output values were predictable, especially when examining successive numbers.

    [​IMG]
    Apple was aware of the limitations in iOS 6 and attempted to tighten security in iOS 7 by changing the random number generator to a linear congruential generator, which is more susceptible to brute force attacks.
    This flaw potentially allows a malicious hacker to gain kernel-level access to an iOS device via an unpatched vulnerability. The kernel is the base part of the iOS operating system and controls low-level functions such as security and resource allocation.

    Apple approached Mandt about his findings and asked for his CanSecWest slide presentation.


    Article Link: Changes in iOS 7 Security Make Kernel More Vulnerable to Attack
     
  2. macrumors 6502

    Mums

    Joined:
    Oct 4, 2011
    #2
    Deliberate back door?
     
  3. macrumors 68000

    Joined:
    Jun 2, 2010
    #3
    Perhaps It will facilitate a 7.1 Jailbreak.
     
  4. macrumors 65816

    Joined:
    Aug 28, 2013
    #4
    No. Apple would never do this. They never compromise on customer security for anyone.
     
  5. macrumors newbie

    Joined:
    Mar 3, 2014
    #5
    Couldn't have been an accident that someone missed, could it? Nah....everyone get your tin foil hats out cause everyone's out to get us.


    In reality, props to white-hat hackers like Mandt
     
  6. macrumors 68000

    Kariya

    Joined:
    Nov 3, 2010
    #6
    iOS 7.2 here we come.
     
  7. macrumors 6502a

    Joined:
    Jun 20, 2012
    Location:
    London, UK
    #7
    So they replaced one floored system where the code could be derived based on time to another that can only be cracked with bruit force guesses. So one is no more secure than the other. In other words its probably no more or less than it was before. Of course the tin foil hat brigade will have us all believe its a government conspiracy:rolleyes:
     
  8. macrumors 603

    ArtOfWarfare

    Joined:
    Nov 26, 2007
    #8
    Modern Intel chips (made after 2008 I think) have ISK which produces actual random values rather than pseudo ones. I guess ARM lacks that right now.
     
  9. macrumors regular

    Joined:
    May 22, 2013
    Location:
    where ever I am at.
    #9
    This doesn't seem like a hole the way some other vulnerabilities are. This seems more like a structural weakness in the architecture (like using a softer steel than something bulletproof in construction). I doubt there will be a 'fix' for this; more likely iOS 8 or 9 will simply use stronger steel.
     
  10. macrumors 68000

    Joined:
    Nov 4, 2008
    #10
    I fear you are right. I also fear that iOS8 will only be available to the iP5 and upward.
     
  11. macrumors 6502a

    ZacNicholson

    Joined:
    Jun 25, 2011
    Location:
    Indiana
    #11
    hopefully
     
  12. macrumors 6502a

    Joined:
    Feb 26, 2009
    #12
    7.1 has more bugs than 7 it seems with my iPad Air.
     
  13. macrumors 65816

    Joined:
    Mar 13, 2006
    #13
    wonder if phil schiller knows
     
  14. macrumors 68030

    Analog Kid

    Joined:
    Mar 4, 2003
    #14
    What about the phrase "brute force attack" suggests "deliberate back door" to you?
     
  15. macrumors 65816

    Joined:
    Jun 18, 2010
    #15
    Random Number Generators are a tricky business. The company I work for has a whole slew of patents and protected IP just for the RNG we use.
     
  16. macrumors 6502

    Joined:
    Aug 21, 2008
    #16
    He'll need to stop watching The Black Knight Trilogy and get to his job.
     
  17. macrumors G5

    Joined:
    Jun 22, 2009
    #17
    The new iPhone. We made everything thinner. Including security and the randomness of numbers. :eek: :p
     
  18. macrumors member

    Joined:
    May 14, 2012
    #18
    Except that the Intel stuff isn't particularly trusted currently.

    And with the new "we will run certain people run below the microcode level so that we can stop unauthorized programs and viruses that the OS can't see"... do you really trust those things? :confused::confused:
     
  19. macrumors 6502a

    dugbug

    Joined:
    Aug 23, 2008
    Location:
    Somewhere in Florida
    #19
    They have such great sources of entropy: signal strength, gyros, accelerometers, temperatures. I thought they employed some of these? At least arc4random()?
     
  20. macrumors 6502

    street.cory

    Joined:
    Oct 13, 2009
    #20
    Steve Gibson is that you?
     
  21. macrumors 65816

    Joined:
    Jul 6, 2007
    #21
    The article states this entropy pool is not available at boot time, when the number is generated.
     
  22. macrumors 6502a

    dugbug

    Joined:
    Aug 23, 2008
    Location:
    Somewhere in Florida
    #22
    ah makes sense how this would have been introduced then.
     
  23. macrumors 603

    ArtOfWarfare

    Joined:
    Nov 26, 2007
    #23
    I'm not familiar with the things you're alluding to.
     
  24. macrumors 6502a

    springsup

    Joined:
    Feb 14, 2013
    #24
    Yikes! That makes for some pretty worrying reading.

    Apple can change the PRNG implementation without breaking things, and there are a number of good tips given in the slides. I'm sure we'll see a more robust generator in iOS8, but these fixes may be important enough to make it to iOS 7, too.

    ----------

    I think he's talking about the NSA, and leaked reports where they claim to have inserted backdoors into hardware random number generators.
     
  25. macrumors G5

    gnasher729

    Joined:
    Nov 25, 2005
    #25
    Uneducated knee-jerk reaction?
     

Share This Page