Encryption IOS Security Apple

Weak Apple PRNG Threatens iOS Exploit Mitigations

Posted by Soulskill
from the also-makes-you-lose-at-poker dept.
Trailrunner7 writes "A revamped early random number generator in iOS 7 is weaker than its vulnerable predecessor and generates predictable outcomes. A researcher today at CanSecWest said an attacker could brute force the Early Random PRNG used by Apple in its mobile operating system to bypass a number of kernel exploit mitigations native to iOS. 'The Early Random PRNG in iOS 7 is surprisingly weak,' said Tarjei Mandt, senior security researcher at Azimuth Security. 'The one in iOS 6 is better because this one is deterministic and trivial to brute force.' The Early Random PRNG is important to securing the mitigations used by the iOS kernel. 'All the mitigations deployed by the iOS kernel essentially depend on the robustness of the Early Random PRNG,' Mandt said. 'It must provide sufficient entropy and non-predictable output.'"
  • by YesIAmAScript (886271) on Friday March 14, 2014 @10:59AM (#46483575)

    So "this one is deterministic" seems like a weak complaint.

    This is essentially what makes them PRNGs instead of RNGs.

  • by Anonymous Coward on Friday March 14, 2014 @11:22AM (#46483833)

    It's called FIPS 140-2. Among other things it requires that PRNG implementations are strong.

    Sadly, most people/companies/products do not require FIPS 140-2 certification. If they did we wouldn't have weak PRNG implementations out there.

  • by TechyImmigrant (175943) on Friday March 14, 2014 @11:47AM (#46484145)

    The article incoherently addresses entropy extraction, not matters of PRNGs, but the author doesn't appear to understand the difference.
    However the 'issue' is still an issue. Predictable output is bad in this context.

    What amazes me is when designers flap around looking for 'random looking' things in memory and interrupts to munch together to get entropic numbers when it's in a phone with a radio next to it which is directly sampling noise and is entirely capable of making it available to the OS for use in seeding PRNGs.

    It's not just Apple. They all do it.

  • by petermgreen (876956) on Friday March 14, 2014 @11:55AM (#46484235)

    For a CSPRNG* the primary aim is to make it computationally infeasible for an attacker to predict the output even if the attacker has an arbitrarily long sample of the output and even if the attacker knows how much output has been requested from the prng since it started.

    To do this places demands on both the prng itself (it must be computationally infeasible to reverse the operations done by the prng and hence determine its internal state from an output sample) and on the seed data fed into the prng (it must be sufficiently unknown/unpredictable to the attacker that the attacker can't obtain the seed state through a combination of his knowledge of the state of the system and brute force checking of different seed values).

    Afaict it is the latter where things usually go wrong.

    * Cryptographically secure pseudo-random number generator.
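The two failure modes petermgreen separates above (an invertible generator versus a sound generator fed a guessable seed) are also the two ways the "deterministic and trivial to brute force" complaint in the summary can play out. The following is an added example written for this page, not code from the article, from Azimuth Security, or from any commenter, and it does not reproduce Apple's actual Early Random implementation. It uses two stand-in generators chosen here: a 32-bit LCG with the Numerical Recipes constants (invertible: each output is the whole state), and SHA-256 in counter mode (not invertible, but seeded from an assumed 16-bit seed space so that an attacker who knows the seed width can exhaust it in well under a second). The seed values and the 16-bit width are constructed inputs for the demo.

```python
"""Added example: two ways a PRNG's output becomes predictable.

Stand-in generators chosen for this demo (not Apple's Early Random code):
  (1) a 32-bit LCG with the Numerical Recipes constants: invertible, so one
      output leaks the whole state no matter how good the seed was;
  (2) SHA-256 in counter mode (a non-invertible construction) seeded from
      only SEED_BITS bits of entropy, so the seed falls to brute force.
"""
import hashlib

LCG_A, LCG_C, LCG_MOD = 1664525, 1013904223, 1 << 32
SEED_BITS = 16   # assumed (tiny) seed space so the brute force finishes fast
SEED_LEN = 4     # the demo encodes the seed as 4 big-endian bytes


# ---- Failure mode 1: the generator itself is invertible -------------------
def lcg_next(state):
    """One LCG step; the new state is also the value handed to callers."""
    return (LCG_A * state + LCG_C) % LCG_MOD


def lcg_outputs(seed, n):
    """First n outputs of the LCG started from `seed`."""
    out, state = [], seed
    for _ in range(n):
        state = lcg_next(state)
        out.append(state)
    return out


def lcg_predict_next(observed):
    """Attacker side: any single LCG output *is* the state, so the next
    output follows directly, with no search at all."""
    return lcg_next(observed[-1])


# ---- Failure mode 2: a sound generator fed a low-entropy seed -------------
def hash_prng_outputs(seed, n, width=8):
    """First n outputs (width bytes each) of SHA-256(seed || counter).
    Inverting SHA-256 is infeasible; the only weakness here is the seed."""
    return [hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:width]
            for i in range(n)]


def brute_force_seed(observed, seed_bits=SEED_BITS):
    """Attacker side: try every seed in the (small) seed space until the
    generated prefix matches what was observed. Cost is 2**seed_bits runs
    of the generator; returns None if no seed in the space matches."""
    for cand in range(1 << seed_bits):
        seed = cand.to_bytes(SEED_LEN, "big")
        if hash_prng_outputs(seed, len(observed)) == observed:
            return seed
    return None


def hash_prng_predict_next(observed, seed_bits=SEED_BITS):
    """Recover the seed by brute force, then run the generator one step on."""
    seed = brute_force_seed(observed, seed_bits)
    if seed is None:
        return None
    return hash_prng_outputs(seed, len(observed) + 1)[-1]


if __name__ == "__main__":
    # Constructed inputs: the "victim" picks these seeds; the attacker sees
    # only three outputs, and in case 2 also knows the seed is 16 bits wide.
    victim_lcg = lcg_outputs(0xCAFEBABE, 4)
    print("LCG: predicted", hex(lcg_predict_next(victim_lcg[:3])),
          "actual", hex(victim_lcg[3]))

    victim_seed = (0xBEEF).to_bytes(SEED_LEN, "big")
    victim_hash = hash_prng_outputs(victim_seed, 4)
    print("hash PRNG: recovered seed", brute_force_seed(victim_hash[:3]).hex(),
          "predicted", hash_prng_predict_next(victim_hash[:3]).hex(),
          "actual", victim_hash[3].hex())
```

The point of the second half is the one petermgreen makes: swapping the LCG for a hash-based construction fixes nothing on its own if the seed can be enumerated. The brute force above costs 2**16 generator runs; with a 256-bit seed drawn from a genuine hardware noise source (the kind of radio or sensor sampling TechyImmigrant describes) the same loop would be 2**256 runs and the attack disappears, which is why the seed, not the mixing function, is usually the part to audit first.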

  • by cryptizard (2629853) on Friday March 14, 2014 @01:09PM (#46485121)
    Good thing we just had that and it was called the SHA-3 competition.
