
Apple Security Loophole Exposes Corporate Passwords, Experts Say

Cybersecurity researchers are warning of a loophole in Apple device security that allows hackers to obtain corporate customers’ passwords to Wi-Fi and applications. Reports in Forbes said researchers at Duo Security revealed Thursday (Sept. 27) that Apple’s Device Enrollment Program (DEP), a solution for corporate customers that enables the management of multiple Apple devices used by employees of the same company, exposes company passwords and other sensitive information if a “rogue” device is enrolled in the DEP.

While Apple’s DEP provides user authentication when a new device, like an iPhone, is added, reports noted that companies are responsible for verifying the identity of the user of any added devices. Businesses are also responsible for registering an enrolled Apple device onto their own mobile device management (MDM) servers.

If a business does not require such identity verification, analysts warned that hackers are able to access the serial number of a DEP device if it has not also been added to the company’s mobile device management server. Hackers can obtain that serial number by social engineering employees. Mobile device management product forums also often include product serial numbers, according to Duo Security, which added that “brute forcing” is another strategy, in which a computer automatically sifts through all possible numbers on the DEP until it matches a real device.

Once a serial number is obtained, the hacker can enroll that device on a company’s mobile device management server, if the legitimate employee who is actually using that device has not yet done so. The hacker then passes as the legitimate user of that company device and, once on the server, can obtain application and Wi-Fi passwords.

Researchers noted that the mobile device management server will only accept a device’s serial number once. Still, experts warn that this is a relatively easy process.
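To make the enrollment decision concrete, here is an added illustration, not Apple’s or Duo Security’s code but a constructed, simplified model of an MDM server: one policy binds a DEP serial number to whoever enrolls it first, the other requires the enrolling user to be the verified employee the company assigned to that serial. The serials, user names and the `MdmServer` class are all assumptions made for the example.

```python
# Constructed, simplified model of an MDM server's enrollment decision.
# It is NOT Apple's DEP/MDM protocol; it only mirrors the policy question
# raised in the article: is a serial number alone enough to enroll?
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class EnrollmentRequest:
    serial: str
    user: Optional[str] = None      # identity presented at enrollment, if any
    user_verified: bool = False     # True only if the identity provider confirmed it


@dataclass
class MdmServer:
    dep_serials: Set[str]                  # serials DEP lists for this organization
    assigned_owner: Dict[str, str]         # serial -> employee the device was issued to
    require_user_auth: bool = True         # False reproduces the weak configuration
    enrolled: Dict[str, str] = field(default_factory=dict)  # serial -> bound user
    alerts: List[str] = field(default_factory=list)         # events worth investigating

    def enroll(self, req: EnrollmentRequest) -> bool:
        """Return True if the device is enrolled and bound to a user."""
        if req.serial not in self.dep_serials:
            return False                   # device unknown to DEP: never accepted
        if req.serial in self.enrolled:
            # A serial is accepted only once; a second attempt is a signal that
            # either the first enrollment was rogue or someone is trying again.
            self.alerts.append(f"duplicate enrollment attempt for {req.serial}")
            return False
        if self.require_user_auth:
            expected = self.assigned_owner.get(req.serial)
            if not req.user_verified or req.user is None or req.user != expected:
                self.alerts.append(f"rejected {req.serial}: no verified assigned owner")
                return False
        self.enrolled[req.serial] = req.user or "<unverified>"
        return True


def weak_server() -> MdmServer:
    # Serial-only enrollment: first come, first served.
    return MdmServer({"SER-0001"}, {"SER-0001": "alice"}, require_user_auth=False)


def hardened_server() -> MdmServer:
    # Enrollment must come from the verified employee assigned to the serial.
    return MdmServer({"SER-0001"}, {"SER-0001": "alice"}, require_user_auth=True)
```

Under the weak policy an anonymous request carrying only the serial is enrolled and the legitimate employee is then refused as a duplicate; under the hardened policy the anonymous request is rejected and logged, and the assigned employee enrolls normally.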

“It’s definitely feasible that you’ll find devices that haven’t enrolled yet,” said James Barclay, senior R&D engineer at Duo Security, in an interview with Forbes. “Overall, this doesn’t mean you shouldn’t use DEP or MDM. The benefits outweigh the inherent risks here, but there are steps Apple and customers could take to mitigate.”
