iOS 7's weak random number generator stuns kernel security – claim

In an effort to improve iDevice security, Apple replaced its internal random number generator between iOS 6 and iOS 7 – but a security researcher believes Cupertino inadvertently downgraded security. The issue is outlined here by Azimuth Security, whose Tarjei Mandt also detailed the issue at last week's CanSecWest conference …

COMMENTS

  1. Busby

    Deliberate or accidental? Not beyond thinking at the moment to wonder if this could have been deliberate or that they received some form of payment or other advantage for doing so.

    1. Anonymous Coward

      Apple just isn't world class in security, and never have been

      Considering Apple was last on the NSA's list of "cooperating" companies, years after Microsoft, Google and Facebook caved, I don't think this is too likely to be the case, especially with all the attention that such NSA cooperation has received of late.

      You know the old saw: Never attribute to malice that which is adequately explained by incompetence.

      Apple could really benefit from the hiring of a world recognized security expert to lead their efforts, with commensurate budget to enable him to hire people as needed to identify and plug these gaps. Apple seems to be where Microsoft was a decade ago before they were forced by the pressure from all sides to take security more seriously. Hopefully Apple won't have to go through a "Code Red" type scenario and be embarrassed into it, but will be smart enough to do it of their own volition.

      1. Anonymous Coward

        Re: Apple just isn't world class in security, and never have been

        "Considering Apple was last on the NSA's list of "cooperating" companies, years after Microsoft, Google and Facebook caved..."

        And interestingly enough, OS X suddenly was approved for DoD usage after they caved.

        Coincidence, I'm sure.

        1. Anonymous Coward

          Re: Apple just isn't world class in security, and never have been

          Yeah, I'm sure Apple is going to sell out for the few thousand Macs that will sell into the DoD, which is Windows through and through. Because, you know, they need those extra few million in sales to go with the tens of billions they sell every quarter.

          But feel free to continue with the conspiracy theories. Did Google get their code from the Roswell saucer, or was that Facebook? I keep forgetting.

          1. Busby

            Re: Apple just isn't world class in security, and never have been

            Is it really beyond thinking the NSA could have made a "you scratch my back" reciprocal deal? For example, by agreeing to hand over to Apple anything they can find on a certain Korean firm's future plans. Not so long ago this type of thought would have fallen firmly in the tinfoil hat area. These days, though, who knows; that type of spying for US companies has been rumoured since the early days of Echelon.

            Sloppiness around this sort of security is inexcusable for a company with their resources. Even if unintentional, people are likely to assume otherwise in the current climate.

            1. Anonymous Coward

              @Busby

              Yes, I think it is beyond thinking, as Apple hasn't seemed too interested in copying what Samsung does at all, let alone in advance. They haven't even made a big iPhone yet, and they haven't required early access to Samsung's plans to know the next Galaxy will be at least as big as the one before it, year after year.

              Not saying Apple hasn't done some of the same things after Samsung did them, but whether they actually copied Samsung (or one of the other Android vendors that did those things before Samsung with less fanfare) or whatever, that doesn't mean they'd want early access to their plans to copy them sooner. Apple's sales don't seem to be affected by not having stuff Samsung owners consider indispensable, like NFC.

              1. asdf

                Re: @Busby

                Just to clarify something for the UK readers who maybe haven't been to the US. We (the US public) really aren't as protective of our supposedly national companies such as Apple as say many in Europe are of theirs. Companies like Apple outsource most of their business anyway. The North American market is fairly open and our nationalism seems to rarely extend to our corporate masters. I have heard the same argument made about the Xbox (last generation) and I think it has a lot less to do with nationalism and more to do with better marketing in the market. We also quit buying American when it largely became impossible to do so anymore for most things (you can still get plenty of American made financial derivatives but I digress). The only time really nationalism comes up with brands is with some obvious Chinese brands for geopolitical reasons. This also speaks to how poorly Chinese branding still is as much as American jingoism.

              2. Busby

                Re: @Busby

                Not sure what business you're in, but I think any company would find it beneficial to get a peek at competitors' plans. You don't need to be copying products; there are plenty of ways to leverage an advantage beyond stealing technology. I only raised this as a possibility; personally I think it's unlikely to have gone down this way.

                Brings me back to a point I raised earlier, though: it goes beyond sloppiness for this sort of error to appear currently. All technology companies are well aware of the growing backlash against NSA / GCHQ; even the appearance of cooperation is enough to lose what little trust remains. Any inbuilt weakness similar to those previously engineered by the NSA is going to be jumped on publicly.

          2. Anonymous Coward

            Re: Apple just isn't world class in security, and never have been

            It says iOS in the article.

            The use of Blackberries has dropped and iPhones are being deployed instead.

            http://bgr.com/2013/05/17/apple-iphone-dod-approval/

          3. Anonymous Coward

            Re: Apple just isn't world class in security, and never have been

            I recall an NSA memo where they say something like "iPhones are marvellous devices that provide plenty of information", which means, at least to me, that the NSA didn't need the help from Apple. But soon the iboys and igirls of this world started to use iMessages, and the DEA complained about the encryption: http://news.cnet.com/8301-13578_3-57577887-38/apples-imessage-encryption-trips-up-feds-surveillance/

        2. Anonymous Coward

          Re: Apple just isn't world class in security, and never have been

          >And interestingly enough, OS X suddenly was approved for DoD usage after they caved.

          Nothing sudden about it at all - it took that long for Apple to meet spec - but it was too late by then... The US Navy were amongst the biggest users of Xserve servers since day one - but they ran Yellow Dog, not OSX.

      2. Anonymous Coward

        Re: Apple just isn't world class in security, and never have been

        "Apple just isn't world class in security, and never have been"

        And yet iOS is the first widely adopted consumer OS that I'm aware of where all 3rd party apps are sandboxed. As a result, malware for iOS is basically a non-issue. Can't say the same for Android.

        1. Oninoshiko

          Re: Apple just isn't world class in security, and never have been

          What difference does it make? Apple's wonderful sandbox gives you enough to compromise the PRNG.

          Can't say the same about Android.

          1. Anonymous Coward

            Re: Apple just isn't world class in security, and never have been

            "What difference does it make? Apple's wonderful sandbox gives you enough to compromise the PRNG."

            Erm, not sure you're understanding the issue at hand here. Actually, pretty sure you aren't. The problem is if apps use the PRNG that Apple provides to try to do something that requires a secure PRNG, e.g., encrypt something. (And I'd assume that most apps that need a secure PRNG use their own and don't rely on the system's, where the quality of the RNG is basically unknown.) Nothing has anything to do with the sandboxing of anything.

          2. Anonymous Coward

            Re: Apple just isn't world class in security, and never have been

            Android has had more holes than Swiss Cheese, so such exotic attacks are not required...

  2. MrDamage Silver badge

    Inadvertently?

    Why do I have my doubts that it was done inadvertently?

    I haven't donned a tinfoil hat yet, but the way things are going, it won't be long until I've got a shiny bonce.

    1. Anonymous Coward

      Re: Inadvertently?

      "I haven't donned a tinfoil hat yet, but the way things are going, it won't be long until I've got a shiny bonce."

      Shan't work, polarized gravitons pass right through tin, aluminum, steel and lead.

      You need shiny Mylar. It won't work either, but it looks more cool.

  3. M Gale

    Silly question but...

    ...what would be wrong with the output of a reverse-biased transistor being used to seed ye olde Mersenne Twister?

    I couldn't think of many things more random, myself.

    1. Michael H.F. Wilkinson Silver badge

      Re: Silly question but...

      That's one solution. I also like the least significant bits of the output of a covered webcam with gain at maximum. Really random bits are easily obtained from noise in the outside world if your device has inputs like cameras and microphones.

      For quick and dirty work NOT involving security (but e.g. for Monte-Carlo simulations) I used to use the additive PRNG from Knuth (with 2^55-1 period). This needs 55 seeds in my case, and webcam noise or similar is fine for that. With the development of the Mersenne Twister this subtractive generator is a bit out of date. I gather it is faster (and also faster than the LCG), however.

      1. MadMike

        Re: Silly question but...

        I am going to need to do Monte Carlo simulations too, soon. What PRNG would you recommend? Mersenne Twister or the "PRNG from Knuth"? What is the name of the Knuth one, so I can check it up? How do I find more details, references?

        1. John Gamble
          Boffin

          Re: Silly question but...

          As good as Knuth is, there's been a lot of advancement since he wrote that PRNG (assuming I'm thinking of the same one as the OP of this thread). Mersenne Twister is very good (although not a cryptographic PRNG) and it has implementations in a lot of different languages (which the Wikipedia article links to).

          I'm wondering about the name of the function -- is early_random() only supposed to be run before iOS7 accumulates enough entropy to use its standard random number function? The articles linked to don't seem to say.

        2. Michael H.F. Wilkinson Silver badge

          Re: Silly question but...

          I would use the Mersenne Twister now, in particular because loads of implementations exist (R, matlab, PHP, Python, GNU Scientific Library, etc). When I implemented the additive (or subtractive) generator (1989) it did not exist, and most if not all languages used the LCG. Knuth's one is a variant of the Lagged Fibonacci generator. Apart from being a better generator than the LCG, if initialized properly, it is much faster, because I only have to do one subtraction, and a conditional addition (if the result of the subtraction is negative, which is a cheap test), as opposed to a multiplication, modulus, and addition for the LCG. Numerical Recipes in C has an implementation (ugly code, but it works). The speed difference on an 8 MHz 80286 (used for image processing) was massive.

          1. Michael Wojcik Silver badge

            Re: Silly question but...

            "I would use the Mersenne Twister now, in particular because loads of implementations exist (R, matlab, PHP, Python, GNU Scientific Library, etc)."

            Agreed.

            If for some reason the Twister was not suitable for a non-cryptographic PRNG application (though I can't think of any reasons why that might be, off the top of my head) that required something better than an LCPRNG, I'd probably recommend Marsaglia's Complementary-Multiply-with-Carry (CMWC) generator. He posted an implementation to Usenet some years back; it shouldn't be hard to find.

    2. Michael Wojcik Silver badge

      Re: Silly question but...

      "...what would be wrong with the output of a reverse-biased transistor being used to seed ye olde Mersenne Twister?"

      You'd have to reseed frequently to avoid running out of entropy. With a cryptographic PRNG (CPRNG), the PRNG is just there as a schedule and whitener for the entropy source. Between seedings, an attacker could grab output from your CPRNG and use it to reconstruct part of the CPRNG's internal state; then brute-force the rest.

      The security of the CPRNG rests on raising the work factor of those two steps (reconstructing and brute-forcing internal state) by 1) gathering additional entropy often enough, 2) not leaking entropy too quickly in the output,¹ and 3) using a trapdoor function to convert internal state to output.

      ¹Of course, it has to put some entropy in the output; that's what keeps it from being trivially predictable. A generator that always outputs "1" leaks no entropy but doesn't do any good either. (ObXKCD ... oh, look it up yourselves.)

  4. Fluffy Bunny
    Joke

    The best assumption is congenital stupidity. They work for Apple, after all.

  5. Anonymous Coward

    After being caught out recently for failing to validate certificates (which allowed secure connections to be eavesdropped), I wouldn't be surprised if this was deliberate. The NSA has meddled with random number generation before and given Apple is a "cooperating company", there's a good chance it was deliberately coded this way.

  6. OliverJ
    Thumb Up

    Thumbs up!

    I like the ironic use of the phrase "inadvertently".

  7. Adam 1

    Obligatory

    http://xkcd.com/221/

    1. Michael Habel

      Obligatory http://xkcd.com/221/

      Hummm now where have I seen that exact same line of Code before?

      http://www.engadget.com/2010/12/29/hackers-obtain-ps3-private-cryptography-key-due-to-epic-programm/

      Needless to say as an Owner of a vintage 2010 21xx PS3 Slim I'm very grateful to that little piece of Code!

      1. Peter Rathlev

        XKCD was first

        http://xkcd.com/221/

        http://www.engadget.com/2010/12/29/hackers-obtain-ps3-private-cryptography-key-due-to-epic-programm/

        Judging from both the "Last-Modified:" header of the XKCD image and the Wayback Machine it seems Engadget borrowed it from Randall, not the other way around. Which may have been your point, but I just wanted to make sure we're all on the same page. :-)

        XKCD uses a CC BY-NC license so Engadget should have mentioned from where they borrowed the image.

  8. Anonymous Coward

    Apple are to computers as

    Fisher Price are to scientific kit.

    ...running away..........

    1. hplasm
      Devil

      Re: Apple are to computers as

      Fisher Price? I thought that was MS?

    2. Anonymous Coward

      Re: Apple are to computers as

      So computers should be made to be as complex and difficult to use as possible?

      I hope you're writing that from a Lynx browser on the command line, if you're using a GUI and mouse then you're using a dumbed down computer interface yourself.

    3. Robert Grant

      Re: Apple are to computers as

      I like it when one of the faithful points in amazement at a toddler using an iPad, as though it were a device not age-appropriate for them.

      1. oolor

        Re: age-appropriate

        My 2 1/3 year old nephew is already trying to type the password into the computer. Tablets are more of an infant or senile device. That is, entry level. Thus, the faithful are correct, but for the wrong reason. As per usual.

  9. Tim 11

    Is this random number generator actually used in security applications?

    There's an inference in the tone of the article that this "early_random" PRNG is used for crypto/security purposes, but it isn't actually stated anywhere.

    From my understanding, cryptographically secure random numbers in iOS are generated using SecRandomCopyBytes, which is a different mechanism and uses entropy from the microphone, Wi-Fi, accelerometer etc.

    If all you can do by cracking early_random is cheat in some games, this isn't really all that newsworthy.

    1. Oh_bollocks

      Re: Is this random number generator actually used in security applications?

      I used another method: arc4random()

      Never heard of early_random()....

  10. Anonymous Coward

    Poor PRNG but should not be used in cryptography anyway

    OK, it sounds like a pretty poor PRNG; even for an LCG, it sounds like the values chosen were very poor. I sometimes write simple PRNGs for embedded applications using LCGs, and properly chosen values give much better recurrence periods than this. But no one should be using a PRNG for cryptographic purposes anyway, except perhaps for short sequences initialised from a real random number generator, and even then with extreme caution, perhaps just as padding before encryption or something similarly innocuous.

  11. Spoonsinger

    1011111011110010100101001010011011110001010011001010110...

    101000101101001101010101010101010010110100011111111100100100011000000101000011111110000011110000100010001010100100101111110001010101010101011100101001001010100101111111111100000111111100101010101010010011100101000100110001001010101010101011111110001010101001010111100010101000111100101001010101011111110000011001010#

    That's all I have to say on the matter.

    1. oolor

      Re: 1011111011110010100101001010011011110001010011001010110...

      You missed a 1.

  12. Don Mitchell

    Never use RAND()

    There is a long history of bad random number generators in operating systems. At Bell Labs, Jim Reeds and I implemented a series of statistical randomness tests (Knuth's plus others) to explore this problem. BSD 4.something was out then, and my lab was using it. The random generator was a linear feedback type, and it failed the tests badly. Jim and I discovered that there was an off-by-one mistake in the position of the feedback tap, but when we contacted the student at UCB who wrote it, he told us to fuck off. Even today, you can find both the fixed and the broken version of this generator in UNIX distributions. Of course the random generator in Windows was always terrible (16 bits, like this Apple subroutine).

    A very good generator is Marsaglia's multiply-with-carry. Fast, simple, and it passes every test I've ever tried.

    /* Marsaglia multiply-with-carry as posted. The MSVC-only
       unsigned __int64 and __emulu() have been replaced by the
       standard uint64_t and a plain 32x32 -> 64-bit multiply so
       the routine compiles with any C or C++ compiler. */
    #include <stdint.h>

    unsigned ML_nMarsagliaX = 886459;     /* current output word (x) */
    unsigned ML_nMarsagliaC = 361290869;  /* carry from the last step (c) */

    unsigned
    ML_RandomUnsigned(void)
    {
        uint64_t n;
        n = (uint64_t)1965537969u * ML_nMarsagliaX;  /* a * x, 64-bit product */
        n = n + ML_nMarsagliaC;                      /* ... + c */
        ML_nMarsagliaX = (unsigned)(n & 0xFFFFFFFF); /* low 32 bits: new x */
        ML_nMarsagliaC = (unsigned)(n >> 32);        /* high 32 bits: new carry */
        return ML_nMarsagliaX;
    }

    These are not cryptographically strong generators, and I'm not sure what iOS is doing with them. They are appropriate for things like monte carlo calculations and simulations, but not for cryptography.

    1. Alan Johnson

      Re: Never use RAND()

      From the code, Marsaglia's is just an LCG - nothing wrong with that of course, as long as the values are well chosen. Efficiency-wise I do not see the benefit of the 64-bit multiply; all the upper bits get dropped later anyway. I like having more state than the output, so if you have a 32-bit output you have 64 bits of state and a period (with well chosen constants) of 2^64-1.

      The real point is: use a PRNG for test data, simulation, Monte Carlo methods, padding etc., but not cryptographic key generation etc.
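An added example, not code from any of the posters, making the period point in the posts above concrete: it measures the cycle length of a 16-bit power-of-two LCG (the width Don Mitchell mentions) for a parameter pair that satisfies the Hull-Dobell conditions and for one that differs only in a mod 4, and shows the period-2 low output bit that no choice of constants fixes. The parameter values are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* 16-bit power-of-two modulus */
#define LCG_BITS 16
#define LCG_MOD  (1u << LCG_BITS)

/* One step of x -> (a*x + c) mod 2^16; a, x < 2^16 so the product fits in 32 bits */
static uint32_t lcg_step(uint32_t x, uint32_t a, uint32_t c) {
    return (a * x + c) & (LCG_MOD - 1u);
}

/* Hull-Dobell conditions for a power-of-two modulus: c odd and a = 1 (mod 4)
   give the full period 2^16 from every seed. */
static int hull_dobell_ok(uint32_t a, uint32_t c) {
    return (c & 1u) == 1u && (a & 3u) == 1u;
}

/* Walk the sequence from seed until it returns to seed. For odd a the map is a
   bijection, so every seed lies on a cycle; LCG_MOD + 1 is returned if the seed
   is never revisited (possible only for even a, where the map is not injective). */
static uint32_t lcg_period(uint32_t a, uint32_t c, uint32_t seed) {
    uint32_t x = lcg_step(seed, a, c);
    uint32_t n = 1;
    while (x != seed && n <= LCG_MOD) {
        x = lcg_step(x, a, c);
        n++;
    }
    return n;
}

/* Period of a single output bit over one full cycle of 2^16 values. The low
   bits of a power-of-two LCG are notoriously weak: with a and c both odd,
   bit 0 simply alternates (period 2) regardless of how good a and c are. */
static uint32_t lcg_bit_period(uint32_t a, uint32_t c, uint32_t seed, int bit) {
    static uint8_t bits[LCG_MOD];
    uint32_t x = seed, i, p;
    for (i = 0; i < LCG_MOD; i++) {
        x = lcg_step(x, a, c);
        bits[i] = (uint8_t)((x >> bit) & 1u);
    }
    for (p = 1; p < LCG_MOD; p++) {
        for (i = 0; i < LCG_MOD; i++)
            if (bits[i] != bits[(i + p) & (LCG_MOD - 1u)]) break;
        if (i == LCG_MOD) return p;
    }
    return LCG_MOD;
}

int main(void) {
    /* constructed parameter sets: the first satisfies Hull-Dobell, the second
       differs only in having a = 3 (mod 4) */
    uint32_t good_a = 25173, good_c = 13849, bad_a = 25175, bad_c = 13849;
    printf("a=%u c=%u hull_dobell=%d period=%u bit0 period=%u\n", good_a, good_c,
           hull_dobell_ok(good_a, good_c), lcg_period(good_a, good_c, 1),
           lcg_bit_period(good_a, good_c, 1, 0));
    printf("a=%u c=%u hull_dobell=%d period=%u\n", bad_a, bad_c,
           hull_dobell_ok(bad_a, bad_c), lcg_period(bad_a, bad_c, 1));
    return 0;
}
```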

    2. Michael Wojcik Silver badge

      Re: Never use RAND()

      "Never" is a bit strong. There's nothing wrong with the typical rand¹ implementation for trivial applications, such as some games, some pseudo-random testing, etc. Of course the applicable standards impose few requirements on rand, but they do in effect constrain the amount of internal state (because it has to be set in its entirety by srand).

      The classic example of a terrible LCRNG implementation is IBM's RANDU, roundly excoriated by pretty much everyone in the biz, including Knuth and Marsaglia.

      ¹In hosted environments with case-sensitive linkage, the C, C++, and Single UNIX Specification standards require lower case for this function's name.

  13. Anonymous Coward

    iOS 7

    One day at Apple World HQ...

    "We need a random seed number!"

    "Hmmm..."

    "Hey: it's iOS7. So let's just use '7' as our random number."

    "Okay."

    1. Ian 55

      Re: iOS 7

      One of the classic exam questions: "Is '7' a random number?"

      1. Adam 1

        Re: iOS 7

        No. It is a string.

  14. Adam 1

    Question for the cryptographers here. If I have two RNGs, one "good" and one compromised and I XOR them, does this result in another "good" RNG or is it slightly or wholly compromised by the input that is compromised? To me on the surface it would seem to still be "good" but I don't know why I think that.

    Assuming for a minute that I am right here, surely the best available RNG would be basically an XOR across as many RNG streams as you can access?

    1. Anonymous Coward

      You show a fair bit of insight by asking that question

      If one of the RNGs is cryptographically secure and the rest are crap then you can think of it as securely encrypting the crap ones (all XORred together) so no-one will be able to tell they're crap. So I believe you're right.

    2. Michael Wojcik Silver badge

      Treating the process as a black box, you're no better off by most metrics than you were before you started combining - it doesn't add any entropy or improve scheduling, for example. It can increase cycle length but that's a very minor benefit at best.

      And it can worsen the output. Try XORing two generators that produce exactly the same output.

      Because it's a symmetric bitwise operation, it shouldn't leak any additional information through most side channels (power, timing), though it's conceivable there might be a detectable effect in, say, EMF. That's not a concern for most devices but that sort of attack has been used successfully against tamper-proof hardware, at least in the lab, where you can get probes quite close to circuits.

      There's no need to mix up a witch's brew of PRNGs. We have well-known, widely-implemented PRNGs, and while there's still plenty of room for research into CPRNGs, there are well-known ones that are believed strong enough for pretty much everyone's purposes. (Just don't use Dual_EC_DRBG.)
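An added example, not from any poster here, of the two answers above: it XORs an unbiased stand-in stream with a deliberately weak one and with an identical copy of itself, then measures the set-bit fraction, showing both the masking effect the Anonymous Coward describes and the identical-output failure Wojcik warns about. Both generators (xorshift32 and a 16-bit LCG) are constructed stand-ins; neither is cryptographic, and a real design would draw the "good" stream from the platform CSPRNG.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define N_BYTES (1u << 16)

/* Shared scratch buffers for the scenarios below */
static uint8_t buf_a[N_BYTES], buf_b[N_BYTES], buf_out[N_BYTES];

/* Stand-in for the "good" generator: xorshift32 (statistically decent, NOT cryptographic) */
static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Stand-in for the "crap" generator: a 16-bit power-of-two LCG whose low two
   bits cycle 0,1,2,3 with period 4 */
static uint32_t lcg16(uint32_t *s) {
    *s = (25173u * *s + 13849u) & 0xFFFFu;
    return *s;
}

static void fill_good(uint32_t seed, uint8_t *buf, size_t n) {
    uint32_t s = seed ? seed : 1u;               /* xorshift must not start at 0 */
    for (size_t i = 0; i < n; i++) buf[i] = (uint8_t)(xorshift32(&s) >> 24);
}

/* Only the two low bits of each byte vary, so 6 of 8 bits are always zero */
static void fill_weak(uint32_t seed, uint8_t *buf, size_t n) {
    uint32_t s = seed;
    for (size_t i = 0; i < n; i++) buf[i] = (uint8_t)(lcg16(&s) & 3u);
}

static void xor_combine(const uint8_t *a, const uint8_t *b, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = a[i] ^ b[i];
}

/* Fraction of set bits: 0.5 for an unbiased stream */
static double ones_fraction(const uint8_t *buf, size_t n) {
    unsigned long ones = 0;
    for (size_t i = 0; i < n; i++)
        for (uint8_t v = buf[i]; v; v &= (uint8_t)(v - 1)) ones++;
    return (double)ones / (8.0 * (double)n);
}

static int all_zero(const uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++) if (buf[i]) return 0;
    return 1;
}

/* Scenario 1: the weak stream alone is badly biased (exactly 1/8 of bits set) */
double weak_ones_fraction(void) {
    fill_weak(42u, buf_a, N_BYTES);
    return ones_fraction(buf_a, N_BYTES);
}

/* Scenario 2: XOR with an independent unbiased stream hides the weak one's bias */
double combined_ones_fraction(void) {
    fill_good(0xC0FFEEu, buf_a, N_BYTES);
    fill_weak(42u, buf_b, N_BYTES);
    xor_combine(buf_a, buf_b, buf_out, N_BYTES);
    return ones_fraction(buf_out, N_BYTES);
}

/* Scenario 3: two copies of the same generator with the same seed cancel to all zeros */
int same_seed_xor_all_zero(void) {
    fill_good(0xC0FFEEu, buf_a, N_BYTES);
    fill_good(0xC0FFEEu, buf_b, N_BYTES);
    xor_combine(buf_a, buf_b, buf_out, N_BYTES);
    return all_zero(buf_out, N_BYTES);
}

int main(void) {
    printf("weak alone: %.3f\ngood XOR weak: %.3f\nsame seed XOR: all zero = %d\n",
           weak_ones_fraction(), combined_ones_fraction(), same_seed_xor_all_zero());
    return 0;
}
```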

  15. JaitcH
    WTF?

    The fix is simple ...

    all Apple has to do is declare that it is a design feature not understood by Techie Plebs. Or that it is an undocumented feature

    Worked for Antennagate, why not now?

    We all know that Apple never screws up. Ask an iPhan.

  16. heenow

    Jerktastic (Yeah That's You Mandt)

    I guess that the fact this has never been an issue or exploited means you should expose it worldwide. Have any of you ever heard of ethics?

    Apparently not.

  17. Michael Wojcik Silver badge

    Oh for the love of...

    "uses what's called a linear congruential generator (LCG) to provide entropy for the PRNG"

    No, no, no. An LCG, or any other deterministic algorithm,¹ cannot provide entropy. A deterministic algorithm can discard information entropy; it cannot produce it.

    In a CPRNG, the PRNG schedules and whitens entropy - it doles it out, mixing it in with a bunch of internal state and a (hopefully) trapdoor function² so that it's infeasible for an observer to distill enough of the entropy to accurately simulate the CPRNG.

    Apple's mistake (assuming the article is otherwise accurate) is in using an LCRNG rather than a trapdoor function, and probably in exposing too much internal state, which in effect means exposing too much entropy. Whether they're gathering enough (or indeed any) entropy in the first place, and whether they're adding entropy to the pool as required, are other questions.

    On the other hand, the post from Tim 11 above suggests this is an application error - this generator perhaps is not intended for CPRNG use.

    ¹That is, any computable function (if the C-T thesis is correct), or at least any function computable by a Turing Machine or equivalent (Post Machine, 2PDA, etc). "Algorithm" can reasonably be used for some non-computable processes which may or may not be deterministic.

    ²That is, a function which is much easier to compute than its inverse is, assuming P ≠ NP.
