Apple's Device Enrollment Program can leak sensitive information about devices and their owners
Security researchers have discovered an issue with the Device Enrollment Program used by Apple to allow organizations to manage their MacBooks and iPhones. Duo Security says that using nothing more than a serial number, it is possible to gain access to sensitive data about enrolled devices and their owners.
It is even possible to enroll new devices that can then access Wi-Fi passwords, VPN configurations and more. Apple was alerted to the issue way back in May, but has not done anything about it as the company does not regard it as a vulnerability.
- Kids have already defeated the limitations of Screen Time in iOS 12
- Qualcomm accuses Apple of stealing trade secrets and giving them to Intel
- With its new iPhones, Apple drops not only the home button, but also the free headphone dongle
- Apple officially announces iPhone XR, iPhone XS and iPhone XS Max
James Barclay from Duo Security, and Rich Smith from Duo Labs share their findings in a paper entitled MDM Me Maybe: Device Enrollment Program Security. They point out that while there are various easy ways to obtain devices' serial numbers, the researchers have been able to create a simple serial generator that can be used to search for information.
While the serial generator has not been released, the researchers say that it is very easy to create. Speaking to CNET, Smith says: "While we aren't releasing the code, I'm not going to pretend to be under the impression that this is something that can't be reproduced. It would not be difficult for someone to replicate the code that we've developed".
The paper outlines the vulnerability that has been discovered:
The Device Enrollment Program (DEP) is a service provided by Apple for bootstrapping Mobile Device Management (MDM) enrollment of iOS, macOS, and tvOS devices. DEP hosts an internet-facing API at https://iprofiles.apple.com, which -- among other things -- is used by the cloudconfigurationd daemon on macOS systems to request DEP Activation Records and query whether a given device is registered in DEP.
In our research, we found that in order to retrieve the DEP profile for an Apple device, the DEP service only requires the device serial number to be supplied to an undocumented DEP API. Additionally, we developed a method to instrument the cloudconfigurationd daemon to inject Apple device serial numbers of our choosing into the request sent to the DEP API. This allowed us to retrieve data specific to the device associated with the supplied serial number.
Obtaining the DEP profile for a given Apple device discloses information about the organization that owns the device, and -- if the MDM server doesn't require additional user authentication during enrollment - could be used by an attacker to enroll a device of their choosing into an organization's MDM server. Once enrolled, the device may receive any number of certificates, applications, WiFi passwords, VPN configurations and so on.
It is this final paragraph that is perhaps the most concerning. If an attacker discovers a serial number that has not yet been enrolled, they could enroll their own device to gain access to even more sensitive data.
While Apple customers might be concerned about Duo Security's findings, Apple itself is not. The company says that it recommends that any organizations that make use of its Device Enrollment Program use additional security measures for protection.