Security in Apple's iOS 7 Weaker, Not Stronger, than iOS 6

Photo credit: Twin Design/Shutterstock.com

This is the conclusion from researchers at Azimuth Security who spoke about the issue at CanSecWest last week, and have since published a blog and white paper on the topic. 

Many security functions, encryption among them, rely on an unpredictable number. To achieve this unpredictability in encryption, each key is generated with the help of a random number, but generating a truly random number is notoriously difficult. The attempt is made via a pseudo-random number generator (PRNG), and it follows that the actual strength of the encryption is highly dependent on the quality of the PRNG. The same principle applies to any process that requires a random number.

iOS 6 introduced several security mitigations to make it more difficult for hackers to leverage well-known attacks against operating systems – such as buffer overflows and the zone free list pointer overwrite. Such mitigations, including memory layout randomization, depend on the generation of a random number at boot. So with their introduction in iOS 6, Apple included a new PRNG called early_random() that, explains Azimuth researcher Tarjei Mandt, "leveraged a fairly simple generator that derived values directly from the CPU tick count and a seed (provided by iBoot)."

But this PRNG had weaknesses, including well-correlated outputs and a seed that didn't have any practical effect. In an apparent attempt to improve the PRNG, Apple switched to a new one based on a linear congruential generator in iOS 7. But, claims Mandt, the new PRNG "is alarmingly weak in practice." The problem is that it cannot generate a sufficient quantity of unique numbers to make it safe against a brute-force attack.

The research demonstrates that an unprivileged attacker can recover arbitrary PRNG outputs. The nature of the linear congruential generator then "allows an attacker to trivially brute-force the relevant portion of the PRNG's internal state by observing a very small set of outputs," explains Mandt's research paper.

"An attacker," he says, "can recover arbitrary outputs generated by the early random PRNG in iOS 7 without being assisted by additional vulnerabilities or having any prior knowledge about the kernel address space. Recovering these outputs essentially allows an attacker to bypass a variety of exploit mitigations, such as those designed to mitigate specific exploitation techniques or whole classes of vulnerabilities. In turn, this may allow trivial exploitation of vulnerabilities previously deemed non-exploitable."
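Why a linear congruential generator with a small state gives no protection once a few outputs are seen, as an added illustration that is not from the article or from Azimuth's paper. The 20-bit state, 8-bit truncated output and constants are constructed toy values, not the iOS 7 parameters.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy parameters, NOT the iOS 7 values: a 20-bit state, of which
 * only the top 8 bits are ever revealed as output. */
#define STATE_BITS 20
#define OUT_BITS   8
#define MASK       ((1u << STATE_BITS) - 1)
#define LCG_A      1103515245u
#define LCG_C      12345u

/* Advance the generator one step and return the truncated output. */
static uint32_t toy_next(uint32_t *state) {
    *state = (*state * LCG_A + LCG_C) & MASK;
    return *state >> (STATE_BITS - OUT_BITS);
}

/* Try every possible seed and count those that reproduce all n observed
 * outputs. *state_out is left at the state reached after those n outputs by
 * the last matching candidate, ready to produce output n+1. */
static uint32_t toy_recover(const uint32_t *obs, int n, uint32_t *state_out) {
    uint32_t matches = 0;
    for (uint32_t seed = 0; seed <= MASK; seed++) {
        uint32_t s = seed;
        int k = 0;
        while (k < n && toy_next(&s) == obs[k]) k++;
        if (k == n) { matches++; *state_out = s; }
    }
    return matches;
}

/* Full experiment (n_obs <= 16): returns 1 if the observer's prediction of
 * the next output equals what the real generator goes on to produce. */
static int toy_demo(uint32_t secret_seed, int n_obs, uint32_t *matches) {
    uint32_t real = secret_seed & MASK, obs[16], guess = 0;
    for (int i = 0; i < n_obs; i++) obs[i] = toy_next(&real);
    *matches = toy_recover(obs, n_obs, &guess);
    return *matches > 0 && toy_next(&guess) == toy_next(&real);
}

int main(void) {
    uint32_t m;
    int ok = toy_demo(0xBEEF5u, 8, &m);   /* constructed secret seed */
    printf("candidates=%u predicted_next=%s\n", (unsigned)m, ok ? "yes" : "no");
    return 0;
}
```

A single 8-bit output still leaves 4096 candidate states, but each further output prunes the set until one remains, which is why values that back exploit mitigations need a cryptographically secure generator with a state too large to enumerate.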

In short, the mitigations that have been thought to make iOS one of the more secure operating systems are not as effective in iOS 7 as they were in iOS 6, and generally not as effective as previously thought.
