Apple MDM tool weakness allows access to sensitive information


Lack of authentication in Apple's Device Enrollment Program would allow attackers to obtain Wi-Fi and VPN configuration passwords

According to specialists in ethical hacking, companies that use Apple's Device Enrollment Program (DEP) for Mobile Device Management (MDM) without adding extra authentication are at risk of information leakage and other attacks.

MDM is a widely used enterprise technology that lets organizations control employees' mobile devices. This includes applying security policies, standardizing upgrades, controlling expense management, and more, all centralized on one platform. It is meant to avoid the inconvenience of managing many kinds of phones and tablets, all with access to corporate resources, spread among hundreds or even thousands of geographically dispersed workers.

Meanwhile, DEP is an Apple service designed to simplify the enrollment of iOS, macOS and tvOS devices in MDM. Unlike traditional deployment methods, which require the end user or an administrator to take manual steps to configure a device and enroll it in an MDM server, DEP allows administrators to automate the process.

The investigation by these ethical hacking specialists found that DEP requires only a serial number to enroll a device in an organization's MDM server, which means an attacker could register an unauthorized device with the system. That device would then be treated as a trusted endpoint, allowing the attacker to collect important information about the organization.

"If the serial number is registered in DEP and the MDM server does not require additional authentication during enrollment, an attacker could enroll a device of their choice on the MDM server of an organization by falsifying a legitimate serial number registered in DEP," explained James Barclay, one of the research managers.

Once a device is enrolled, the organization treats it as a "trusted" device, and it can be used to access sensitive material such as device and user certificates, VPN configuration data, and other information the organization considers sensitive.

"The ability to enroll a device in an organization's MDM server can bring significant consequences, allowing access to an organization's private resources or even full VPN access to internal systems," the researchers wrote in their publication.

There is only one impediment for potential attackers: they must start enrollment in DEP before the legitimate user does, since DEP accepts each device's serial number only once. This narrows the window for the attack, as a malicious actor would have to register the device before the organization enrolls it.

For its part, Apple stated that it does not consider this a vulnerability, and that its documentation already recommends that companies apply user authentication or limit access during initial configuration.

According to specialists in ethical hacking from the International Institute of Cyber Security, the solution for this weakness is to implement additional authentication requirements on the MDM server, so that device enrollment is not based on the serial number alone.