“The key issue is that serial numbers are used to authenticate devices to the DEP service”
Weak security in Apple’s Device Enrolment Program (DEP) meant an attacker could use just an Apple device serial number to potentially enrol a rogue device onto a mobile device manager server, a new report by Duo Security has found.
Duo Security published its findings today after reporting the issue to Apple on May 16; Apple acknowledged the report the next day.
The issue lies within Apple’s DEP which companies use to easily deploy and configure Apple devices into their network. It allows enterprises to enrol and supervise their company devices with a simplified, automated mobile device management program.
If a threat actor were able to get a device enrolled through DEP, that device would be included in your company’s trusted-device list and could be used to gain access to further information pertinent to your organisation.
The key factor in this vulnerability is that, by default, Apple uses the device serial number as the credential in the DEP authentication process. It is up to each enterprise using the software to set up stronger security measures.
While an email address and phone number might not seem like important information to protect, they could easily be used in a spear-phishing campaign in which malicious entities target your employees in attempts to obtain critical information.
Senior R&D Engineer at Duo Labs James Barclay commented in a blog post that: “The key issue is that serial numbers are used to authenticate devices to the DEP service, but are not data that should be considered secret. Additionally, because serial numbers aren’t meant to be secret, it’s not uncommon to find them online.”
He goes on to point out that serial numbers are predictable and are created using a well-known schema. So threat actors do not have to find serial numbers through a cyber-attack on a company, but can instead: “Generate valid serial numbers and use the DEP API to test if they are registered with the DEP.”
This isn’t to say that a company shouldn’t worry about an attacker obtaining the serial number through brute force.
How Hard Would It Be to Execute?
Computer Business Review asked Duo Security how difficult this attack would be for a hacker and James Barclay, Senior R&D Engineer at Duo Labs told us that: “The difficulty of the attack is relative to the specific organisation being targeted and we can’t make any absolute claim in this regard. The attacker needs access to a Mac that they can use to send arbitrary serial numbers to the DEP API.
“Furthermore, if the attacker wrote a script or otherwise automated this process they could submit serial numbers in bulk to check if they’re registered with DEP. If no other protections are put in place on a given MDM server, and the device hasn’t previously enrolled, it would be trivial to enroll a device of the attacker’s choosing into the customer’s MDM server.”
The Apple Mobile Device Manager
Because device enrolment has been simplified for businesses, it has also become an accessible target for hackers. The researchers found that hackers could: “Enroll a device of their choosing in the organization’s MDM server, assuming the “identity” of a corporate device.”
“The Apple MDM protocol supports – but does not require – user authentication prior to MDM enrollment via HTTP Basic Authentication. Without authentication, all that’s required to enroll a device in an MDM server via DEP is a valid, DEP-registered serial number,” the researchers note.
For this to work, the serial number needs to be registered to the company in DEP but not yet enrolled in the MDM server.
With regards to how easily a hacker could enrol a device before an enterprise does Duo Security told us that: “The attacker could limit the search space of the serial numbers to devices that were manufactured recently, which would increase the likelihood of encountering a serial number that is registered with DEP but hasn’t enrolled yet.”
“Once the attacker has this – and if no other protections have been put forth by the customer to protect their MDM server – the attacker would be able to enroll a device of their choosing into the customer’s MDM server.”
Despite the vulnerability, Duo Security, in the summary of its findings, still believes that: “Regardless of the authentication weaknesses in the current implementation of Apple’s Device Enrolment Program, there’s no question that it still provides value for organizations with large fleets of Apple devices.”
“In the meantime, Apple customers using DEP can protect themselves by requiring user authentication prior to MDM enrolment, or by not trusting devices simply because they’re enrolled in MDM.”
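The two mitigations Duo describes, requiring user authentication before MDM enrolment and not treating an enrolled device as trusted by default, can be illustrated as an MDM server’s enrolment decision. The following is an added example written for this article, not code from Duo Security, Apple, or any MDM product; the serial numbers, user name and password are constructed placeholders, and the enrolment functions model the decision logic only, not the real Apple MDM protocol. The weak path mirrors the default the article describes (a DEP-registered, not-yet-enrolled serial is enough and the device is immediately trusted); the hardened path checks HTTP Basic credentials, requires that IT actually assigned that serial to the authenticating user, and enrols the device in a pending state rather than a trusted one.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample data for the example (not real serials or credentials).
DEP_REGISTERED_SERIALS = {"C02SAMPLE0001", "C02SAMPLE0002", "C02SAMPLE0003"}
# Serials IT has physically provisioned and handed to a named user.
ASSIGNED_SERIALS = {"C02SAMPLE0001": "alice"}
_SALT = b"example-salt"  # constructed; a real deployment uses a per-user random salt


def _hash(password: str) -> bytes:
    """PBKDF2-SHA256 hash of an enrolment password (constructed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USER_HASHES = {"alice": _hash("correct horse battery staple")}
_DUMMY_HASH = _hash("dummy")  # compared against when the user is unknown


@dataclass
class Server:
    # serial -> (user, trust state); a stand-in for the MDM server's device table
    enrolled: dict = field(default_factory=dict)


def enroll_serial_only(server: Server, serial: str) -> int:
    """Weak default: a DEP-registered, not-yet-enrolled serial is all that is
    checked, and the new device is trusted immediately."""
    if serial not in DEP_REGISTERED_SERIALS:
        return 403
    if serial in server.enrolled:
        return 409
    server.enrolled[serial] = (None, "trusted")
    return 200


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _parse_basic(auth_header):
    """Return (user, password) from a Basic header, or None if malformed."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def _check_credentials(user: str, password: str) -> bool:
    """Constant-time check that also hashes for unknown users, so response
    timing does not reveal which user names exist."""
    stored = USER_HASHES.get(user, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password))
    return ok and user in USER_HASHES


def enroll_hardened(server: Server, serial: str, headers: dict) -> int:
    """Hardened path: user authentication before enrolment, serial must be one
    IT assigned to that user, and the device starts in a pending state."""
    if serial not in DEP_REGISTERED_SERIALS:
        return 403
    creds = _parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401
    user, password = creds
    if not _check_credentials(user, password):
        return 401
    if ASSIGNED_SERIALS.get(serial) != user:
        return 403  # DEP-registered, but IT never assigned it to this user
    if serial in server.enrolled:
        return 409
    server.enrolled[serial] = (user, "pending")
    return 200


if __name__ == "__main__":
    weak, hard = Server(), Server()
    print("serial-only:", enroll_serial_only(weak, "C02SAMPLE0002"), weak.enrolled)
    print("no auth:", enroll_hardened(hard, "C02SAMPLE0002", {}))
    hdr = {"Authorization": basic_header("alice", "correct horse battery staple")}
    print("unassigned serial:", enroll_hardened(hard, "C02SAMPLE0002", hdr))
    print("assigned serial:", enroll_hardened(hard, "C02SAMPLE0001", hdr), hard.enrolled)
```

The "pending" state is the second of Duo's mitigations: enrolment alone grants nothing until an administrator confirms the device, so a serial number that was registered with DEP but never physically handed to a user cannot become a trusted endpoint on its own.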
Computer Business Review contacted Apple for comment regarding this vulnerability; at the time of writing we have received no response.