The Device Enrollment Program (DEP) is an Apple service that allows companies to manage and configure a user's device for use on a network, including installing the specific applications and configuration settings that the user needs for their work. After installation, devices can then be managed by a company's MDM (Mobile Device Management) server.
According to a Duo Security paper, analysis of undocumented DEP APIs led to the discovery that an attacker might obtain vital details about the structure of an organization, including telephone numbers and email addresses, which could be used in social engineering attacks against employees or the IT support team of the company.
DEP only used the serial number of a device to identify itself to the service before it was registered, and while the MDM protocol supports user authentication before MDM registration, it is not required. Because user authentication is optional, this has apparently led many organizations to decide not to implement it in their process, where device registration is only protected by serial numbers.
Because serial numbers are not secret, unlike username and password combinations, the serial numbers of registered devices may be found online as a result of other breaches. An attacker can also use the known serial number format to generate valid-looking serial numbers that can then be checked against the DEP API to verify whether they are registered with the server.
"An attacker armed with only a valid DEP registered serial number can use it to search the DEP API to collect organizational information," writes Duo's James Barclay. "Or in configurations where an associated MDM server does not enforce additional authentication, a malicious actor may be able to enroll any device into an organization's MDM server."
Barclay further states that enrollment can have significant consequences, including access to a company's private resources, or even full VPN access to internal systems.
The full extent or size of the problem is unknown, but it affects every customer using the DEP service from Apple. It should be noted that not every Apple enterprise customer using Apple services for their corporate networks uses the DEP service from Apple.
The issue was disclosed in the usual way for security problems reported to companies: it was reported to Apple on May 16, and Apple confirmed it the next day. The research was published on September 27 and is intended to be presented publicly on Friday at the Ekoparty Security Conference.
Duo Security recommends that Apple ensure strong authentication of devices and not rely on serial numbers as the sole authentication factor. It is also recommended that Apple implement rate limits for requests, limit the data returned by API endpoints, and change the DEP process so that users are verified with protocols such as SAML or OIDC.
Organizations are advised to enforce user authentication on MDM servers used with DEP so that enrollment does not depend on serial numbers alone. Adopting a zero-trust approach is also proposed, to ensure that the privileges granted to devices registered through DEP are not excessive.
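The weakness described above (a device accepted because its serial number is on the registered list) and the two recommendations that follow from it (require a verified user identity, and rate-limit lookups) can be shown side by side in a small model. The following Python is an added illustration written for this article; it is not Apple's DEP code, not any MDM product's code, and not part of the Duo research. The request shape, the HMAC-signed user token standing in for a SAML or OIDC assertion, the signing secret and the sample serial numbers are all constructed for the example.

```python
"""
Hypothetical model of an MDM enrollment gate (added example, not Apple's DEP
or any MDM product's code). It contrasts a weak policy that accepts a device
on a registered serial number alone with a policy that also requires a
verified user identity, and adds a per-client rate limit on serial lookups so
that unknown clients cannot cheaply test many serial numbers.
"""
from dataclasses import dataclass, field
from typing import Optional, Dict, Tuple
import hashlib
import hmac
import time

# Constructed sample data: serial numbers this organization registered in DEP.
REGISTERED_SERIALS = {"C02SAMPLE0001", "C02SAMPLE0002"}

# Hypothetical secret the identity provider uses to sign user tokens.
IDP_SECRET = b"example-idp-signing-secret"


def issue_user_token(username: str) -> str:
    """Token an identity provider would hand a user who just authenticated.
    This HMAC stand-in replaces a real SAML/OIDC assertion (hypothetical)."""
    mac = hmac.new(IDP_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{mac}"


def verify_user_token(token: Optional[str]) -> Optional[str]:
    """Return the username if the token carries a valid signature, else None."""
    if not token or ":" not in token:
        return None
    username, mac = token.rsplit(":", 1)
    expected = hmac.new(IDP_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(mac, expected) else None


@dataclass
class EnrollmentRequest:
    serial: str
    user_token: Optional[str] = None  # absent when the MDM skips user auth


def enroll_serial_only(req: EnrollmentRequest) -> bool:
    """Weak policy: a registered serial number is all it takes to enroll."""
    return req.serial in REGISTERED_SERIALS


def enroll_with_user_auth(req: EnrollmentRequest) -> bool:
    """Hardened policy: the serial must be registered AND a user must have
    authenticated, so a guessed or leaked serial number is not enough."""
    if req.serial not in REGISTERED_SERIALS:
        return False
    return verify_user_token(req.user_token) is not None


@dataclass
class LookupRateLimiter:
    """Fixed-window limiter: at most `limit` lookups per client per `window` seconds."""
    limit: int = 5
    window: float = 60.0
    _hits: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        start, count = self._hits.get(client, (now, 0))
        if now - start >= self.window:          # window expired: start a new one
            start, count = now, 0
        if count >= self.limit:
            self._hits[client] = (start, count)
            return False
        self._hits[client] = (start, count + 1)
        return True


def lookup_serial(limiter: LookupRateLimiter, client: str, serial: str,
                  now: Optional[float] = None) -> str:
    """Rate-limited serial lookup: 'registered', 'unknown' or 'throttled'."""
    if not limiter.allow(client, now):
        return "throttled"
    return "registered" if serial in REGISTERED_SERIALS else "unknown"


if __name__ == "__main__":
    known = EnrollmentRequest("C02SAMPLE0001")
    print("serial-only policy accepts bare serial:", enroll_serial_only(known))
    print("hardened policy accepts bare serial:", enroll_with_user_auth(known))
    signed_in = EnrollmentRequest("C02SAMPLE0001", issue_user_token("alice"))
    print("hardened policy accepts serial + user:", enroll_with_user_auth(signed_in))
```

The point of the contrast is that the registered-serial check is the same in both policies; what changes is whether a verified user identity is also required, which is exactly the optional step the article says many organizations skip. The rate limiter is deliberately simple (a fixed window keyed by client) and is there to show where a limit on lookups would sit, not to stand in for a production design.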