Apple Security Vulnerability Could Leave Corporate Networks Exposed


A new report alleged that Apple’s business and scholastic device management service, the Device Enrollment Program (DEP), has a significant security hole that could impact the organizations that utilize it. DEP offers zero-touch setup for businesses, educational institutions and other organizations, linking multiple devices to a central server for configuration and content sharing.

Duo Security revealed that more than four months ago, it discovered an authentication weakness in DEP, which could give an attacker the ability to enroll any device into an organization’s mobile device management (MDM) server, potentially enabling them to obtain privileged access used to further pivot within the network.

In addition, “an attacker could use serial numbers obtained through open-source intelligence (OSINT), social engineering or generating them via brute force to query the DEP API for device profiles. The DEP profiles contain information about the organization, such as phone numbers and email addresses, which could be used to launch a social engineering attack against the organization’s help desk or IT team,” according to a blog post.

To protect users, mandatory two-factor authentication can be added to the service to protect themselves, but Duo noted that Apple should also include rate limits for device authentication requests, as well as decrease the information conveyed back by DEP to registrants’ devices.

“In the meantime, Apple customers using DEP can protect themselves by requiring user authentication prior to MDM enrollment, or by not trusting devices simply because they’re enrolled in MDM,” wrote James Barclay, Senior R&D Engineer at Duo Labs.

Duo decided to go public with its findings after reporting the security issue to Apple as soon as it was discovered. However, while the company has acknowledged the information’s receipt, so far, it has not released a patch. Duo will also be presenting its findings publicly at the ekoparty Security Conference on Friday (Sept. 28).