Security researchers from Duo Labs have found a vulnerability in an Apple-specific mechanism used to control devices as part of closed enterprise networks.
The mechanism, known as Mobile Device Management (MDM), is widely used. Companies from small to large use it to enroll Apple devices under one management server, from which system administrators can deliver common certificates, applications, Wi-Fi passwords, VPN configurations, and so on, all specific to that company’s network.
In a research paper published today and shared with ZDNet in advance, the Duo Labs team has revealed a vulnerability in DEP, or the Device Enrollment Program, the protocol through which new Apple devices are added to an MDM server.
More specifically, Duo Labs researchers say that the “device authentication” process of the DEP scheme (step #4 in the image below) can be exploited by an attacker.
Duo researchers say that flaws in the way DEP was designed allow an attacker to trick the authentication step and enroll a device of the attacker’s choosing in an organization’s MDM server.
Furthermore, the researchers say the DEP pre-enrollment authentication process can also be abused to leak information about the organization that owns a specific device, information that could then be used to plan future attacks.
These attacks on the MDM DEP authentication process are possible mainly because Apple relies only on a device’s serial number to uniquely identify an iPhone, iPad, or Mac that is being added to an MDM server.
“The weaknesses in Apple’s Device Enrollment Program authentication outlined in [our] paper can be remediated in several ways,” said Duo Labs researchers.
“Some of the recommended remediation steps will require re-architecting how DEP and MDM enrollment work, and could require hardware changes, while others are more straightforward and can be implemented directly by customers using DEP.”
These remediation steps are described in a 32-page report released today. They include the use of cryptographic signatures generated by the modern chips embedded in Apple’s latest devices, rate-limiting DEP API requests to prevent mass harvesting of device data, and adding modern authentication support via SAML or OAuth 2.0 to the DEP enrollment process.
“Regardless of the authentication weaknesses in the current implementation of Apple’s Device Enrollment Program, there’s no question that it still provides value for organizations with large fleets of Apple devices,” researchers said, also suggesting the issue they found could be mitigated via various security best practices applied to internal networks and user devices.
Duo said it notified Apple of the MDM DEP vulnerability in May this year. Apple has not deployed any countermeasures as of yet. Researchers will be presenting their findings tomorrow, September 28, at the ekoparty security conference, held in Buenos Aires, Argentina.