A security vulnerability discovered in Apple’s Device Enrollment Program (DEP) could allow an attacker to gain full access to a corporate or school network.
The DEP is a free service offered by Apple to allow new devices to be automatically configured with everything from custom apps to VPN settings. All that is needed is the serial number of the device, and that’s the root of the problem, says the security researcher who discovered it …
A little background for those not familiar with how organizations configure new Apple devices …
Many companies, schools and other organizations who make bulk purchases of Apple kit use a Mobile Device Management (MDM) server. This allows them to completely configure a new device with all the apps and settings needed within the organization.
Apple’s Device Enrollment Program (DEP) is a zero-effort way to allow a new device access to the MDM. It simply asks for a serial number, and provided the number is a valid one for a device supplied by Apple or an authorized reseller, it will be granted access.
The MDM server can be configured to require a username and password, but some organizations don’t do so because they consider the serial number check sufficient.
The problem, says Duo Research, is two-fold. First, it's not necessarily very difficult to obtain the serial number of a device belonging to an employee or student; good old-fashioned social engineering – a supposed phone call from IT asking for the serial number for auditing purposes, for example – would do. That would then allow a bad actor to query the DEP API to obtain information about the organization which could be used to assist other forms of attack. And as the DEP API doesn't rate-limit queries, even brute force attacks could be used to guess serial numbers.
Second, and more seriously, a valid serial number could be generated which would then allow them to enroll their own device on the MDM server.
Serial numbers are predictable and are constructed using a well-known schema. This means that an attacker does not have to find serial numbers that have been inadvertently leaked; they can instead generate valid serial numbers and use the DEP API to test if they are registered with the DEP […]
In configurations where an associated MDM server does not enforce additional authentication, a malicious actor can potentially enroll an arbitrary device into an organization’s MDM server. The ability to enroll a chosen device to an organization’s MDM server can have a significant consequence, subsequently allowing access to the private resources of an organization, or even full VPN access to internal systems.
Standard practice when security vulnerabilities are discovered is to notify the company responsible, and allow them 90 days to fix it before disclosing details publicly. Additional time will often be offered if the company requests it.
Duo notified Apple in May of this year and has only published its findings today. However, it says Apple has chosen not to fix the issue, instead simply advising organizations to switch on the authentication option in the MDM.
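As an added example (not code from the article or from Duo's paper), the following Python script audits a constructed MDM enrollment log for enrollments that were accepted on the DEP serial check alone, with no user authentication, which is the condition the authentication option Apple advises switching on is meant to remove. The log format, field names, serial numbers and addresses are all assumptions made up for this example.

```python
import re
from collections import Counter

# Constructed sample MDM enrollment log; the line format, field names, serials
# and addresses are assumptions for this example, not any real MDM's output.
SAMPLE_LOG = """\
2018-09-27T10:01:05Z enroll serial=C02ABC1DEF01 dep_ok=yes user_auth=yes user=alice src=10.0.1.20
2018-09-27T10:03:41Z enroll serial=C02ABC1DEF02 dep_ok=yes user_auth=no user=- src=203.0.113.9
2018-09-27T10:09:00Z enroll serial=C02ABC1DEF03 dep_ok=yes user_auth=yes user=bob src=10.0.1.33
2018-09-27T10:15:22Z enroll serial=C02ABC1DEF04 dep_ok=yes user_auth=no user=- src=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) enroll serial=(?P<serial>\S+) dep_ok=(?P<dep>yes|no) "
    r"user_auth=(?P<auth>yes|no) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_event(line):
    """Parse one constructed enrollment line; returns None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["dep_ok"] = d.pop("dep") == "yes"
    d["user_auth"] = d.pop("auth") == "yes"
    return d

def audit_enrollments(log_text):
    """Return the enrollments that were accepted on the DEP serial check alone.

    Those are the enrollments a holder of a leaked or guessed serial number
    could have produced, because no per-user credential was ever checked.
    """
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    serial_only = [e for e in events if e["dep_ok"] and not e["user_auth"]]
    per_source = Counter(e["src"] for e in serial_only)
    return {
        "total": len(events),
        "serial_only": [(e["ts"], e["serial"], e["src"]) for e in serial_only],
        "serial_only_by_source": dict(per_source),
        # True only when every accepted enrollment also authenticated a user
        "auth_enforced": not serial_only,
    }

if __name__ == "__main__":
    report = audit_enrollments(SAMPLE_LOG)
    for ts, serial, src in report["serial_only"]:
        print(f"{ts} serial-only enrollment of {serial} from {src}")
    print("user authentication enforced:", report["auth_enforced"])
```

If the report shows any serial-only enrollments, the MDM is relying on the DEP serial check as its only gate, which is the configuration Duo's findings describe.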
You can read the full paper here.
An unrelated vulnerability in the way Macs handle MDM enrollment was reported last month. This could allow an attacker to install unlimited malware on the machine prior to its owner even seeing the desktop for the first time.