Researchers discovered a vulnerability in the Apple’s Device Enrollment Program (DEP). This Apple DEP authentication flaw could allow potential attackers to automatically enroll devices in closed Enterprise networks. Not only this, but the DEP vulnerability also makes hacking business WiFi passwords easier.
Apple DEP Authentication Flaw Makes Devices Vulnerable
Researchers from Duo Labs have published a comprehensive report about an Apple DEP authentication flaw. Reportedly, the DEP vulnerability allows potential attackers to automatically enroll devices to any MDM servers. As you may know, MDM is frequently used by Enterprise Networks for close monitoring of the devices.
“Once a device is enrolled, in many cases it is treated as a “trusted” device owned by the organization, and could receive any number of certificates, applications, WiFi passwords, VPN configurations and so on.”
The weakness discovered herewith, makes it feasible for the hackers to snoop into an organizations network by enrolling their devices.
According to the researchers, the problem lies with the way DEP works. As stated, DEP only requires device serial number for authentication; and this serial number, despite being unique for a device, cannot be deemed secret. Thus, any bad actor can get valid DEP serial numbers to exploit.
“Serial numbers are predictable and are constructed using a well-known schema. This means that an attacker does not have to find serial numbers that have been inadvertently leaked; they can instead generate valid serial numbers and use the DEP API to test if they are registered with DEP.”
Possible Remediation
According to the disclosure timeline shared in the report, the researchers reported the vulnerability to Apple in May 2018. After completing the agreed 90-day disclosure deadline, Duo Labs published the report.
Currently, Apple has not released any patches to mitigate the flaw. However, the researchers have shared some possible remediation in their report. For the customers, they recommend employing user authentication to avoid unauthorized MDM enrolls. Moreover, they can also restrict the roles of MDM enrolled devices (Zero-Trust MDM).
As for Apple, enhancing device attestation procedure, such as by replacing the use of serial numbers with the unique ID created on T1 and T2 chips may help in robust device identification. At least, they may consider using this approach for the newer devices with T1 and T2 chips. Whereas, some other recommendations include rate-limiting requests to the DEP API, and restricting the information returned from the API. Apple can also employ advanced user authentication via OIDC and SAML “as part of the DEP enrollment process”
The researchers have planned to reveal more details about the vulnerability in the ekoparty Security Conference.
Last month, some researchers disclosed in the Black Hat USA 2018 event an MDM vulnerability that allowed hacking devices right after their unboxing. Moreover, before that, a malware campaign infected several iPhones simply by exploiting MDM enrollment. Hence, restricting the way how devices connect with an MDM server appears inevitable.
Let us know what you think in the comments section.