Recently we (together with Roi Saltzman) discovered a very interesting vulnerability in Android’s DNS resolver, a weakness in its pseudo-random number generator (PRNG), which makes DNS poisoning attacks feasible.

The PRNG that the DNS resolver uses is
It can be seen that it returns a value that directly depends on the current time.

Both the TXID and source port values are generated by this PRNG.  Since both calls to the PRNG function occur successively, the returned values are very much correlated to each other. This yields a feasible attack expected time as shown in our whitepaper.

Important links:
  1. Original blog post:
  2. Whitepaper with full details:

Video demo of the PoC: