A security issue discovered in Apple's Device Enrollment Program (DEP) could allow an attacker to gain full access to a corporate or school network.
The DEP is a free service offered by Apple to automatically configure new devices with everything from custom apps to VPN settings. All that is needed is the serial number of the device, and that is the cause of the problem, says the security researcher who discovered it …
A bit of background for people who are not familiar with how organizations configure new Apple devices …
Many companies, schools, and other organizations that purchase large quantities of Apple devices use an MDM (Mobile Device Management) server. This allows them to fully configure a new device with all the apps and settings needed within the organization.
Apple's Device Enrollment Program (DEP) is a way to give a new device access to the MDM with no effort. Only a serial number is requested, and provided that the number is valid for a device supplied by Apple or an authorized reseller, the device is granted access.
The MDM server can be configured to require a user name and password, but some organizations do not do this because they consider the serial number check to be sufficient.
The problem, says Duo Research, is twofold. First, it is not necessarily very difficult to obtain the serial number of an employee's or student's device, through good old-fashioned social engineering such as a supposed phone call from IT asking for the serial number for audit purposes. That would then allow a bad actor to query the DEP API for information about the organization that can be used to support other forms of attack. And because the DEP API does not rate-limit queries, even brute-force guessing of serial numbers is possible.
Second, and more seriously, an attacker could generate a valid serial number that allows them to enroll their own device on the MDM server.
Serial numbers are predictable and have been constructed using a known scheme. This means that an attacker does not have to find serial numbers that have been accidentally leaked, but can instead generate valid serial numbers and use the DEP API to test whether they are registered with DEP […]
In configurations where an associated MDM server does not enforce additional authentication, a malicious actor may be able to enroll any device into an organization's MDM server. The ability to enroll a chosen device into an organization's MDM server can have a significant consequence, allowing access to an organization's private resources or even full VPN access to internal systems.
Standard practice when discovering a security vulnerability is to notify the responsible company and allow it 90 days to resolve the problem before publicly disclosing the findings. Extra time is often offered if the company requests it.
Duo informed Apple in May of this year and only published its findings today. However, it says that Apple has chosen not to fix the problem, instead advising organizations to enable the authentication option in the MDM.
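To make the two configurations concrete, here is an added illustration (not Apple's, Duo's, or any MDM product's code) of an enrollment gate that trusts the serial number alone, beside one that also requires the enrolling user to authenticate, plus a per-source budget on serial validity checks so that guessing serials is not free; the serials, user store and class names are constructed for the example.

```python
"""Model of DEP/MDM enrollment gating: serial-only trust vs. user auth + rate limit.
Added illustration only; all inventory, users and names are hypothetical."""
import hashlib
import hmac
import time

# Constructed sample inventory: serials the (hypothetical) org assigned to DEP.
DEP_ASSIGNED = {"C02ZZ0000001", "C02ZZ0000002"}
# Constructed user store: username -> salted SHA-256 of password (demo only;
# a real MDM would use a proper password hash or directory authentication).
_SALT = b"demo-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def serial_only_gate(serial: str) -> bool:
    """Weak configuration: any DEP-assigned serial enrolls. A socially
    engineered or guessed serial is therefore enough to join the MDM."""
    return serial in DEP_ASSIGNED


def _password_ok(user: str, password: str) -> bool:
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    expected = USERS.get(user, "")
    return hmac.compare_digest(digest, expected)  # constant-time compare


def authenticated_gate(serial: str, user: str, password: str) -> bool:
    """Hardened configuration (the option the article says Apple recommends):
    the serial must be DEP-assigned AND the user must authenticate."""
    return serial in DEP_ASSIGNED and _password_ok(user, password)


class SerialLookupLimiter:
    """Per-source budget for serial validity checks. Once the budget is spent
    the caller learns nothing, so enumerating the predictable serial format
    is slowed down and becomes visible instead of being unlimited."""

    def __init__(self, max_per_window: int, window_s: float = 60.0):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self._hits = {}  # source -> timestamps of recent lookups

    def allow(self, source: str, serial: str, now=None):
        """Return (allowed, assigned); assigned is None when throttled."""
        now = time.monotonic() if now is None else now
        hits = [t for t in self._hits.get(source, []) if now - t < self.window_s]
        if len(hits) >= self.max_per_window:
            self._hits[source] = hits
            return False, None
        hits.append(now)
        self._hits[source] = hits
        return True, serial in DEP_ASSIGNED
```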
You can read the entire paper here.
An unrelated vulnerability in the way Macs handle MDM enrollment was reported last month. It allows an attacker to install malware on the machine before the owner sees the desktop for the first time.