Apple DEP Authentication Flaw Leaves Devices Vulnerable To Malicious MDM Enrollment


Researchers have discovered a vulnerability in Apple's Device Enrollment Program (DEP). This Apple DEP authentication flaw could allow an attacker to enroll a device they control into an organization's MDM server without any user authentication. Since an enrolled device is often treated as trusted, it may then receive the organization's WiFi passwords, certificates and VPN configurations.

Apple DEP Authentication Flaw Makes Devices Vulnerable

Researchers from Duo Labs have published a comprehensive report about an Apple DEP authentication flaw. Reportedly, the DEP vulnerability allows an attacker to have a rogue device automatically enrolled into an organization's MDM server. MDM (Mobile Device Management) is commonly used by enterprises to configure, monitor and control the devices in their fleet.

“Once a device is enrolled, in many cases it is treated as a “trusted” device owned by the organization, and could receive any number of certificates, applications, WiFi passwords, VPN configurations and so on.”

The weakness therefore makes it feasible for an attacker to gain a foothold in an organization's network simply by enrolling a device of their own.

According to the researchers, the problem lies in the way DEP authenticates a device. By default, DEP enrollment requires nothing more than the device's serial number; and while a serial number is unique to a device, it cannot be considered a secret. An attacker therefore only needs a serial number that is registered with DEP in order to exploit the flaw.

“Serial numbers are predictable and are constructed using a well-known schema. This means that an attacker does not have to find serial numbers that have been inadvertently leaked; they can instead generate valid serial numbers and use the DEP API to test if they are registered with DEP.”

Possible Remediation

According to the disclosure timeline shared in the report, the researchers reported the vulnerability to Apple in May 2018. Once the agreed 90-day disclosure window had elapsed, Duo Labs published the report.

At the time of writing, Apple has not released any patch for the flaw. However, the researchers have shared some possible remediations in their report. For customers, they recommend requiring user authentication as part of MDM enrollment, so that a serial number alone is not enough to enroll a device. They also recommend restricting what a newly enrolled device is granted, treating it as untrusted until further checks pass rather than handing it the full set of credentials and configurations (a zero-trust approach to MDM).

As for Apple, the researchers suggest strengthening device attestation, for example by replacing the serial number with the unique identifier generated on the T1 and T2 security chips, which would give a far more robust device identity. At a minimum, this approach could be adopted for newer devices that ship with a T1 or T2 chip. Other recommendations include rate-limiting requests to the DEP API and restricting the information the API returns, so that it can no longer be used as an oracle to confirm which serial numbers are registered. Apple could also support user authentication via OIDC and SAML "as part of the DEP enrollment process".
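To make the recommended mitigations concrete, here is an added example (not Duo Labs' or Apple's code, and not the real DEP API) that models the serial-number-only check the report describes beside a hardened enrollment gate. It applies the three customer- and vendor-side measures above: a rate limit on lookups, user authentication before the serial registry is consulted, and a single uniform failure answer so the endpoint stops revealing which serials are registered. Every name in it is hypothetical (`EnrollmentGate`, `RateLimiter`, `user_token`), the registered serials and user secret are constructed sample data, and the HMAC token simply stands in for an OIDC/SAML assertion.

```python
import hmac
import hashlib

# Constructed sample data for this example (hypothetical tenant): serials the
# organization has registered with DEP, and a per-user enrollment secret the
# MDM server shares with each user through its identity provider. As the
# report notes, serials are predictable, so REGISTERED_SERIALS is not a secret.
REGISTERED_SERIALS = {"C02ABC123DEF", "C02XYZ789GHI"}
USER_SECRETS = {"alice": b"alice-enrollment-secret"}


def weak_is_enrollable(serial: str) -> bool:
    """The flawed model described in the report: a device is admitted on the
    strength of its serial number alone. Anyone who guesses a registered
    serial gets in, and the yes/no answer doubles as an oracle for which
    serials are registered."""
    return serial in REGISTERED_SERIALS


class RateLimiter:
    """Token bucket per client key: `capacity` requests, refilled at
    `refill_per_sec`. Turns bulk serial enumeration into a crawl."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill = refill_per_sec
        self._buckets = {}  # key -> (tokens, last_seen_timestamp)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self._buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens < 1:
            self._buckets[key] = (tokens, now)
            return False
        self._buckets[key] = (tokens - 1, now)
        return True


def user_token(user: str, serial: str, secret: bytes) -> str:
    """Hypothetical user-authentication proof: an HMAC binding the user to the
    serial being enrolled. Stands in for an OIDC/SAML assertion."""
    msg = f"{user}|{serial}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class EnrollmentGate:
    """Hardened gate: rate-limit, authenticate the user, and only then consult
    the serial registry. Both failure paths return the same answer, so the
    endpoint no longer confirms whether a serial is registered."""

    DENIED = "denied"
    RATE_LIMITED = "rate_limited"

    def __init__(self, limiter: RateLimiter):
        self.limiter = limiter

    def enroll(self, client: str, serial: str, user: str, token: str, now: float):
        if not self.limiter.allow(client, now):
            return self.RATE_LIMITED
        secret = USER_SECRETS.get(user)
        if secret is None or not hmac.compare_digest(token, user_token(user, serial, secret)):
            return self.DENIED
        if serial not in REGISTERED_SERIALS:
            return self.DENIED  # identical to the bad-auth answer: no oracle
        # Zero-trust posture: a freshly enrolled device starts in a restricted
        # role; WiFi, VPN and certificate payloads wait for further checks.
        return {"serial": serial, "user": user, "role": "restricted"}


def demo():
    """Exercise both models; returns the outcomes in order."""
    gate = EnrollmentGate(RateLimiter(capacity=3, refill_per_sec=1 / 60))
    alice = USER_SECRETS["alice"]
    return [
        weak_is_enrollable("C02ABC123DEF"),                   # serial alone suffices
        gate.enroll("10.0.0.5", "C02ABC123DEF", "alice",
                    user_token("alice", "C02ABC123DEF", alice), 0.0),
        gate.enroll("10.0.0.5", "C02ABC123DEF", "mallory", "x", 1.0),   # no user auth
        gate.enroll("10.0.0.5", "C02NOTREG000", "alice",
                    user_token("alice", "C02NOTREG000", alice), 2.0),   # unregistered serial
        gate.enroll("10.0.0.5", "C02XYZ789GHI", "alice", "x", 3.0),     # 4th call: limited
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Note the order of checks in `enroll`: the rate limit runs first, the user must prove who they are before the serial registry is touched, and an unregistered serial produces the same `denied` as a bad token. Reversing that order, or returning distinct errors, would re-create the enumeration oracle the report warns about even with user authentication in place.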

The researchers plan to present further details about the vulnerability at the ekoparty Security Conference.

Last month, researchers presenting at Black Hat USA 2018 disclosed an MDM vulnerability that allowed a device to be compromised right after it was unboxed. Before that, a malware campaign infected a number of iPhones simply by abusing MDM enrollment. Tightening how devices authenticate to and enroll with an MDM server therefore looks unavoidable.

Let us know what you think in the comments section.


Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

