Business Apple devices have a major security flaw
Apple’s Device Enrollment Programme (DEP) has a major security hole ripe for hackers to exploit. The news comes from Duo Security, which uncovered a major vulnerability in Apple devices that can expose Wi-Fi passwords, business logins and more to hackers.
The problem lies with the authentication of devices, and with a lack of understanding of how Apple’s DEP systems work. Because Apple uses nothing more than a serial number to add a device to a business’s DEP, a hacker who obtains a serial number can go online and enrol a device of their own as though it were that one. Because serial numbers are regarded as harmless information, they are not hashed or otherwise protected, meaning anyone can get at them.
Now, armed with serial numbers, hackers can enrol any device into an organisation’s mobile device management (MDM) server, gaining access to privileged information. The access is granted because not all organisations have user authentication enabled, and Apple’s documentation doesn’t mention that it’s needed. This leads many firms to believe that MDM does this automatically. It doesn’t.
The researchers also noted that an attacker could find device serial numbers using open source intelligence, brute force attacks or social engineering. Because DEP provides data such as phone numbers and email addresses, a criminal could use it to target the company’s help desk or IT team.
Because Apple requires nothing beyond the device’s serial number to identify the user, it is comparatively easy for criminals to break in. If Apple required businesses to also enforce user authentication as a security measure, businesses would be better protected against these attacks.
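The difference between the two configurations the article describes can be shown in a small simulated MDM enrollment gate. This is an added example, not code from the article, from Duo Security or from any MDM product: it models a weak policy that trusts the DEP serial number alone beside a hardened policy that also requires the enrolling user to authenticate. The serial numbers, the user directory, the password and the `authorize_enrollment` / `audit_events` names are all constructed for the illustration.

```python
"""Simulated MDM enrollment gate (added example, not vendor code).

A request carrying a serial number that is in the organisation's DEP
roster is accepted by the weak policy whether or not a user proves who
they are. The hardened policy additionally demands a valid username and
password, so a request built from a harvested serial number alone is
refused. Every decision is written to an audit trail so that refused or
credential-less attempts are visible to the operations team.
"""
from dataclasses import dataclass
from typing import List, Optional
import hashlib
import hmac

# Constructed DEP roster: serial numbers the organisation has added to DEP.
DEP_SERIALS = {"C02PLACEHOLDER01", "C02PLACEHOLDER02"}


def _hash_password(password: str, salt: str = "example-salt") -> str:
    """Salted SHA-256 for this toy directory (use a real KDF in production)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user directory: username -> password hash.
USER_DIRECTORY = {"alice": _hash_password("correct horse battery staple")}


@dataclass
class EnrollmentRequest:
    serial: str
    username: Optional[str] = None
    password: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reason: str


_AUDIT: List[str] = []


def audit_events() -> List[str]:
    """Return a copy of the audit trail written by authorize_enrollment."""
    return list(_AUDIT)


def authorize_enrollment(req: EnrollmentRequest, require_user_auth: bool) -> Decision:
    """Decide whether a device may enrol.

    require_user_auth=False reproduces the weak configuration: a serial
    number present in DEP is sufficient. require_user_auth=True is the
    hardened configuration: the serial must be in DEP *and* the user must
    authenticate against the directory.
    """
    if req.serial not in DEP_SERIALS:
        decision = Decision(False, "serial number not in DEP roster")
    elif not require_user_auth:
        # Weak policy: possession of a valid serial number is enough.
        decision = Decision(True, "serial in DEP; user authentication not required")
    elif not req.username or req.username not in USER_DIRECTORY or req.password is None:
        decision = Decision(False, "user authentication required but not supplied")
    else:
        expected = USER_DIRECTORY[req.username]
        # Constant-time comparison of the two hex digests.
        if hmac.compare_digest(expected, _hash_password(req.password)):
            decision = Decision(True, "serial in DEP and user authenticated")
        else:
            decision = Decision(False, "user authentication failed")

    _AUDIT.append(
        f"serial={req.serial} user={req.username or '-'} "
        f"policy={'serial+user' if require_user_auth else 'serial-only'} "
        f"allowed={decision.allowed} reason={decision.reason}"
    )
    return decision


if __name__ == "__main__":
    # A request built from a harvested serial number and nothing else.
    harvested = EnrollmentRequest(serial="C02PLACEHOLDER01")
    print("weak policy:    ", authorize_enrollment(harvested, require_user_auth=False))
    print("hardened policy:", authorize_enrollment(harvested, require_user_auth=True))
    legitimate = EnrollmentRequest("C02PLACEHOLDER01", "alice", "correct horse battery staple")
    print("hardened, legit:", authorize_enrollment(legitimate, require_user_auth=True))
    for line in audit_events():
        print(line)
```

The audit lines are the operational payoff: under the hardened policy, an enrollment attempt that presents a DEP-listed serial number without credentials is both refused and recorded, which is the signal an MDM administrator would want to alert on.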
“Or in configurations where an associated MDM server does not enforce additional authentication, a malicious actor can potentially enrol an arbitrary device into an organization’s MDM server,” said James Barclay, senior R&D engineer at Duo Security.
“The ability to enrol a chosen device to an organization’s MDM server can have a significant consequence, subsequently allowing access to the private resources of an organization, or even full VPN access to internal systems.”