Weak Apple mobile device authentication leaves enterprises open to attack

News by Rene Millman

Apple's Device Enrolment Program could leak information to hackers, enabling them to obtain privileged access and pivot within a corporate network.

Security researchers have found significant security holes in Apple’s mobile device management software that could enable hackers to launch attacks on enterprises.

According to a blog post by researchers at Duo Security, it was found that an authentication weakness in Device Enrollment Program (DEP) would allow a hacker to enrol any device into an organisation’s mobile device management (MDM) server, potentially enabling them to obtain privileged access used to further pivot within the network.

The flaw could also enable an attacker to use serial numbers obtained through open-source intelligence (OSINT), social engineering or generating them via brute force to query the DEP API for device profiles. "The DEP profiles contain information about the organisation, such as phone numbers and email addresses, which could be used to launch a social engineering attack against the organisation’s help desk or IT team," according to researchers.

James Barclay, senior R&D engineer at Duo Labs, said that the key issue is that serial numbers are used to authenticate devices to the DEP service "but are not data that should be considered secret. Additionally, because serial numbers aren’t meant to be secret, it’s not uncommon to find them online."

He added that serial numbers are predictable and are created using a well-known schema.

"This means that an attacker does not have to find serial numbers that have been inadvertently leaked; they can instead generate valid serial numbers and use the DEP API to test if they are registered with DEP," he said.

Researchers said that an attacker armed with only a valid DEP-registered serial number can use it to query the DEP API to glean organisational information. Or, in configurations where an associated MDM server does not enforce additional authentication, a malicious actor can potentially enrol an arbitrary device into an organisation’s MDM server. 

"The ability to enrol a chosen device to an organisation’s MDM server can have a significant consequence, subsequently allowing access to the private resources of an organisation, or even full VPN access to internal systems," said Barclay.

Duo Security researchers said that despite the authentication weaknesses in the current implementation of Apple’s Device Enrolment Program, "there’s no question that it still provides value for organisations with large fleets of Apple devices."

Barclay said that there were some ways that Apple could establish strong authentication and trust "while still ensuring a relatively frictionless, streamlined user experience and device deployment process".

"However, some of these mitigations (such as device attestation) only recently became feasible due to new hardware capabilities. It will take time for these changes to be fully realised and for Apple's customers that are leveraging DEP to benefit from them, but the future looks bright."

"In the meantime, Apple customers using DEP can protect themselves by requiring user authentication prior to MDM enrolment, or by not trusting devices simply because they're enrolled in MDM," added Barclay.
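As an added, defender-side illustration of the two points above (spotting the serial-number guessing Barclay describes, and gating enrolment on user authentication rather than a serial match), the following is constructed example code, not Duo's or Apple's; the log format, IP addresses, serials and user names are invented placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical MDM front-end log format (not Apple's or Duo's):
# <timestamp> src=<ip> serial=<serial> user=<account or -> action=<profile_lookup|enroll>
SAMPLE_LOG = """\
2018-09-27T10:00:01Z src=203.0.113.5 serial=DEMO000001 user=- action=profile_lookup
2018-09-27T10:00:02Z src=203.0.113.5 serial=DEMO000002 user=- action=profile_lookup
2018-09-27T10:00:03Z src=203.0.113.5 serial=DEMO000003 user=- action=profile_lookup
2018-09-27T10:00:04Z src=203.0.113.5 serial=DEMO000004 user=- action=profile_lookup
2018-09-27T10:00:30Z src=203.0.113.5 serial=DEMO000004 user=- action=enroll
2018-09-27T10:05:00Z src=198.51.100.7 serial=DEMO000004 user=alice action=enroll
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) serial=(?P<serial>\S+) "
                     r"user=(?P<user>\S+) action=(?P<action>\S+)$")

def parse_log(text):
    """Parse the constructed format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def find_serial_enumeration(events, window=timedelta(minutes=5), threshold=3):
    """Flag sources that looked up more than `threshold` distinct serials within `window`."""
    recent = defaultdict(deque)  # src -> (ts, serial) pairs inside the sliding window
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "profile_lookup": continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["serial"]))
        while ev["ts"] - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        if len({s for _, s in q}) > threshold:  # sequential serials from one client
            flagged.add(ev["src"])
    return flagged

def enrollment_decision(ev, dep_serials, user_to_serial, require_user_auth=True):
    """Gate an enrol request. With require_user_auth=False (the weak configuration) a
    DEP-registered serial alone is enough; the default also demands an authenticated user."""
    if ev["action"] != "enroll" or ev["serial"] not in dep_serials:
        return "deny"
    if require_user_auth and user_to_serial.get(ev["user"]) != ev["serial"]:
        return "deny"  # a serial is an identifier, not a credential
    return "allow"
```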

Ed Williams, director EMEA of SpiderLabs at Trustwave, told SC Media UK that the ability to enrol ‘rogue’ devices is a very serious matter for an organisation and should be treated as such.

"With this ability you can potentially gain access to the internal infrastructure and from there do anything that a device internally can do. Phones are extremely powerful devices and can have ‘hacking’ tools installed; these tools can then be abused. The ability to browse internal resources like SharePoint and Git is going to be attractive for the malicious user, and they house huge amounts of sensitive information, from process documentation to passwords/keys," he said.

A full report of the issue can be found here.
