Apple Security Loophole Exposes Corporate Passwords, Experts Say

Cybersecurity researchers are warning of a loophole in Apple device security that allows hackers to obtain corporate customers’ passwords to Wi-Fi and applications. Reports in Forbes said researchers at Duo Security revealed Thursday (Sept. 27) that Apple’s Device Enrollment Program (DEP), a solution for corporate customers that enables the management of multiple Apple devices used by employees of the same company, exposes company passwords and other sensitive information if a “rogue” device is enrolled in the DEP.

While Apple’s DEP provides user authentication when a new device, like an iPhone, is added, reports noted that companies are responsible for verifying the identity of the user of any added devices. Businesses are also responsible for registering an enrolled Apple device onto their own mobile device management (MDM) servers.

If a business does not require such identity verification, analysts warned that hackers only need the serial number of a DEP device that has not yet been added to the company’s mobile device management server. Hackers can obtain that serial number through social engineering of employees. Mobile device management product forums also often include product serial numbers, according to Duo Security, which added that “brute forcing” is another strategy, in which a computer automatically sifts through all possible numbers on the DEP until it matches a real device.

Once a serial number is obtained, the hacker can enroll that device on a company’s mobile device management server, provided the legitimate employee who is actually using that device has not yet done so. The hacker then passes as the legitimate user of that company device and, once on the server, can obtain application and Wi-Fi passwords.

Researchers noted that the mobile device management server will only accept a device’s serial number once. Still, experts warn that this is a relatively easy process.
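The exposure window described above is the gap between a serial being assigned in DEP and that serial being enrolled on the MDM server, with no user identity check at enrollment. The following is an added example, not code from Duo Security, Apple or the article: it reconciles a constructed DEP assignment export against constructed MDM enrollment records to surface the two conditions an administrator would want to check. Field names, dates and serials are hypothetical.

```python
"""Reconcile DEP-assigned serials against MDM enrollment records (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Enrollment:
    serial: str
    enrolled_on: date
    user_authenticated: bool  # did the MDM verify the user's identity at enrollment?
    assigned_user: str


# Constructed sample data: serial -> date the device was assigned in DEP.
DEP_DEVICES = {
    "C02SAMPLE0001": date(2018, 9, 1),
    "C02SAMPLE0002": date(2018, 9, 3),
    "C02SAMPLE0003": date(2018, 9, 10),
    "C02SAMPLE0004": date(2018, 9, 20),
}

# Constructed sample data: enrollment events as an MDM server might log them.
MDM_RECORDS = [
    Enrollment("C02SAMPLE0001", date(2018, 9, 2), True, "alice"),
    Enrollment("C02SAMPLE0002", date(2018, 9, 25), False, "bob"),
]


def unenrolled_devices(dep, mdm, as_of, max_days=7):
    """Serials assigned in DEP but not yet enrolled, once the gap exceeds max_days.

    These are the devices a rogue enrollment could still claim, so they are the
    ones to chase (or to remove from DEP until the real user is ready).
    """
    enrolled = {e.serial for e in mdm}
    return sorted(
        serial for serial, assigned in dep.items()
        if serial not in enrolled and (as_of - assigned).days > max_days
    )


def unauthenticated_enrollments(mdm):
    """Enrollments the MDM accepted without verifying the user's identity."""
    return sorted(e.serial for e in mdm if not e.user_authenticated)


def exposure_report(dep, mdm, as_of):
    """Combine both checks into one dict an admin can review or alert on."""
    return {
        "stale_unenrolled": unenrolled_devices(dep, mdm, as_of),
        "unauthenticated": unauthenticated_enrollments(mdm),
    }
```

Feed it real exports and an alerting threshold that matches how quickly your organization expects new devices to be enrolled after assignment.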

“It’s definitely feasible that you’ll find devices that haven’t enrolled yet,” said James Barclay, senior R&D engineer at Duo Security, in an interview with Forbes. “Overall, this doesn’t mean you shouldn’t use DEP or MDM. The benefits outweigh the inherent risks here, but there are steps Apple and customers could take to mitigate.”