An authentication weakness in Apple’s Device Enrollment Program (DEP) may allow attackers to enroll a device they control into an organization’s Mobile Device Management (MDM) server and, consequently, to obtain privileged access to the organization’s private resources or even full VPN access to internal systems.
In addition, the DEP profile handed to the device may contain information about the organization (email addresses, phone numbers) that could be used to mount social engineering attacks against company employees.
The vulnerability was discovered by Duo Security researchers while probing Apple DEP’s security.
“Our research focused on the details of how some of the undocumented DEP APIs work, specifically those that are used by Apple devices to communicate and enroll with the DEP service. Through this research, we found that because of the way DEP is implemented, it only uses a device’s serial number to authenticate to the service prior to enrollment,” James Barclay, Senior R&D Engineer at Duo Labs, explained.
“Also, while Apple’s MDM protocol supports user authentication prior to MDM enrollment, it does not require it – meaning many organizations are currently protecting device enrollment with the serial number alone.”
Unfortunately, Apple device serial numbers follow a predictable pattern and are often posted online, and an attacker who obtains a valid one can use it to query the DEP APIs as if they held the device.
For those interested in an in-depth report about the vulnerability and the actual research that resulted in the discovery, Duo Security has released an extensive technical report.
“It’s impossible for us to know the full size or scope of devices that this DEP issue impacts, but every customer using Apple’s DEP service is affected. However, it’s worth remembering, not every Apple enterprise customer that deploys Apple devices in their corporate IT environment uses Apple’s DEP service,” Barclay noted.
Apple was notified of the find earlier this year, but has yet to address it.
The researchers recommended that Apple add strong authentication of devices going through the DEP enrollment process, rate-limit requests to the DEP APIs, and limit the information returned by the API endpoints. They also proposed that serial numbers no longer be relied on as the sole authentication factor.
“In the meantime, Apple customers using DEP can protect themselves by requiring user authentication prior to MDM enrollment, or by not trusting devices simply because they’re enrolled in MDM,” Barclay concluded.
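To make the weakness and the suggested mitigations concrete, below is a toy model of an enrollment gate written for this article; it is not Duo’s or Apple’s code and does not talk to the real DEP APIs. The serials, user directory, inventory, function names and the rate-limit window are all assumptions constructed for the example. The serial-only gate shows why a serial scraped from the web is enough to get a profile, and the hardened gate shows the two mitigations Barclay mentions: require user authentication before the MDM profile is released, and rate-limit callers.

```python
"""Toy model: serial-only DEP-style enrollment vs. user-authenticated, rate-limited enrollment.

Added example for this article, not code from Duo Security or Apple. Serial strings,
usernames and the inventory below are constructed and follow no real Apple format.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed DEP inventory: serials the organization bought and assigned to its MDM.
DEP_INVENTORY = {"C02ABC123DEF", "C02ABC123DF0", "C02ABC123DF1"}

# Constructed user directory: username -> (salt, PBKDF2 digest). Toy parameters.
_USERS = {}
_PBKDF2_ROUNDS = 50_000


def add_user(username, password):
    """Register a user with a per-user salt and a PBKDF2-SHA256 password hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    _USERS[username] = (salt, digest)


def verify_user(username, password):
    """Constant-time comparison of the supplied password against the stored hash."""
    rec = _USERS.get(username)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)


class RateLimiter:
    """Counts requests per client key and refuses once `limit` is exceeded.

    A single fixed window is used for clarity; a real service would age counts out.
    """

    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, key):
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def enroll_serial_only(serial):
    """Weak gate: the serial number is the only thing checked before the DEP profile
    is released. Anyone who knows a serial in the inventory passes."""
    return serial in DEP_INVENTORY


def attacker_guessing_serials(candidates):
    """Attacker who scraped or guessed serials and tries each against the weak gate.
    Returns the serials that would have been enrolled."""
    return [s for s in candidates if enroll_serial_only(s)]


def enroll_with_user_auth(serial, username, password, client_ip, limiter):
    """Hardened gate: rate-limit the caller, check the inventory, and require a valid
    user credential before handing out the MDM profile."""
    if not limiter.allow(client_ip):
        return "rate_limited"
    if serial not in DEP_INVENTORY:
        return "unknown_serial"
    if not verify_user(username, password):
        return "auth_failed"
    return "enrolled"


if __name__ == "__main__":
    add_user("alice", "correct horse battery staple")
    # Constructed list: two serials "found online", one guessed neighbour, one miss.
    scraped = ["C02ABC123DEF", "C02ABC123DF1", "C02ABC123DF2", "ZZZ000000000"]
    print("serial-only gate enrolls:", attacker_guessing_serials(scraped))
    limiter = RateLimiter(limit=2)
    for attempt in range(3):
        print("hardened gate:", enroll_with_user_auth("C02ABC123DEF", "alice", "guess", "198.51.100.7", limiter))
```

The point of the contrast is that the serial is an identifier, not a secret, so the weak gate accepts every inventory serial an attacker can scrape, while the hardened gate never releases a profile without a credential and cuts off a guessing client after a couple of failures. Note that the user-authentication path only helps if the MDM is configured to require it; Barclay’s remark is that the protocol supports it but does not mandate it.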