Apple’s Device Enrollment Program Has A Security Flaw; Allows Hackers To Steal Company Passwords


Researchers have found a security flaw in Apple’s Device Enrollment Program (DEP) that can allow an attacker to gain complete access to a corporate or school network.

The background

For the uninitiated, DEP is an Apple service that allows companies to configure and manage a user’s device on a network. This includes installing specific applications and configuring the user settings that are required at work.

Once the setup is complete, those devices can be managed by an organization’s Mobile Device Management (MDM) server. The Device Enrollment Program asks only for a valid serial number to get access from the MDM.

The security flaw

Even though an MDM server can be configured to ask for a username and password, some organizations don’t find it necessary and rely on serial numbers only.

According to Duo Research, there are a number of ways to obtain a valid serial number, such as social engineering of unsuspecting users. Serial numbers can even be guessed by “brute force”, as the DEP API doesn’t put a limit on the number of queries.

The implications

Once a bad actor gets a device enrolled on an MDM server, they can easily retrieve passwords for applications and Wi-Fi networks that are used by the company members.

Apple’s response

According to standard security practices, vulnerabilities are reported to the company in question, which gets 90 days to patch them before the details are disclosed in public.

Duo Research did the same and reported this security flaw back in May, but it claims that Apple hasn’t fixed the issue yet. Instead, Apple has advised organizations to adopt the authentication method in the MDM.

Manisha Priyadarshini

An Editor and a Tech Journalist with a software development background. I am a big fan of technology and memes. At Fossbytes, I cover all aspects of tech but my specific area of interest is Programming and Development.
