Researchers have found a security flaw in Apple’s Device Enrollment Program (DEP) that can allow an attacker to gain complete access to a corporate or school network.
For the uninitiated, DEP is an Apple service that allows companies to configure and manage a user’s device on a network. This includes installing specific applications and configuring user settings that are required at work.
Once setup is complete, those devices can be managed by an organization’s Mobile Device Management (MDM) server. The Device Enrollment Program requires only a valid serial number for a device to get access from the MDM.
The security flaw
Even though an MDM server can be configured to ask for a username and password, some organizations don’t find it necessary and rely on serial numbers only.
According to Duo Research, there are a number of ways to obtain a valid serial number, such as social engineering of unsuspecting users. Even “brute force” can be used to guess serial numbers, as the DEP API doesn’t put a limit on the number of queries.
Once a bad actor gets a device enrolled on an MDM server, they can easily retrieve passwords for applications and Wi-Fi networks that are used by the company members.
According to standard security practices, vulnerabilities are reported to the company in question, which is given 90 days to patch them before the details are disclosed publicly.
Duo Research did the same and reported this security flaw back in May, but it claims that Apple hasn’t fixed the issue yet. Instead, Apple has advised organizations to adopt the authentication method in the MDM.