28th September 2018, 09:01, post #1
[M] Reviewer, Join Date: May 2010, Location: Romania, Posts: 148,462
Apple has a hole in its Device Enrolment Programme security
The finest security you can buy

A flaw has been found in Apple's Device Enrolment Program (DEP), which is used by enterprises and other organisations to manage fleets of iOS and macOS devices. DEP can be used to streamline the mobile device management (MDM) process, deploy specific apps to devices, and provision configuration settings to help simplify setup and minimise manual user intervention.

Duo Security senior research and design engineer James Barclay discovered that all that was required to acquire potentially sensitive information from DEP-enrolled iOS hardware was the serial number. According to the firm's research paper on the matter, the information disclosed includes the address, email address, and support contact phone numbers of the managing organisation.

While an attacker may wish to target a device with a specific serial number, Duo Labs director Rich Smith indicated that coding a solution to brute-force serial number combinations was a doddle and, while he was not going to release the code, it is not difficult for a smart person to work it out. The retrieved data could potentially give rise to attacks via IT help desks, by requesting password resets or having foreign iOS devices enrolled into an organisation's DEP.

Apple has said that it does not consider this to be a vulnerability and has taken no steps to fix it, nor will it do so. Instead, DEP administrators should implement hardening measures, such as user authentication, to help minimise the possible attack vector. Of course, they could roll out some more secure systems which do not have an Apple logo on them.

The paper also recommended that rate-limiting be implemented for DEP API requests, as the current implementation allowed the researchers to issue requests as quickly as their session could physically manage. Unfortunately, such an approach could come at the cost of initial device setups being successful.
https://fudzilla.com/news/47277-appl...ramme-security |
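As an added defensive illustration of the two points above (this is not code from the post, from Apple, or from Duo's research, which released none), the snippet below flags a source that walks many distinct serial numbers through an enrolment-lookup service and applies the per-source rate limit the paper recommends. The log format, the IP addresses and the serial numbers are all constructed and hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of enrolment-lookup requests (hypothetical log format; the
# real DEP service's logs are not described in the post). One source walks
# eight consecutive serials in eight seconds; the others look like real devices.
SAMPLE_LOG = "\n".join(
    [f"2018-09-28T09:00:{i:02d}Z src=203.0.113.10 serial=F5XXAAAA{i:04d}" for i in range(8)]
    + ["2018-09-28T09:00:03Z src=198.51.100.7 serial=F5XXBBBB0042",
       "2018-09-28T09:00:40Z src=198.51.100.7 serial=F5XXBBBB0042",
       "2018-09-28T09:05:00Z src=192.0.2.55 serial=F5XXCCCC0001"])
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) serial=(?P<serial>\S+)$")

def parse(log):
    """Yield (timestamp, source, serial) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["serial"]

def enumerating_sources(log, window=timedelta(minutes=1), max_distinct=5):
    """Map source -> peak number of distinct serials it queried within any
    sliding `window`; only sources exceeding max_distinct are returned."""
    by_src = defaultdict(list)
    for ts, src, serial in parse(log):
        by_src[src].append((ts, serial))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            distinct = len({s for _, s in events[start:end + 1]})
            if distinct > max_distinct:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

class TokenBucket:
    """Per-source limiter: `burst` lookups at once, refilling at `rate` per second."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.state = rate, burst, {}  # src -> (tokens, last_ts)

    def allow(self, src, ts):
        tokens, last = self.state.get(src, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last).total_seconds() * self.rate)
        allowed = tokens >= 1
        self.state[src] = (tokens - 1 if allowed else tokens, ts)
        return allowed
```

A device retrying its own serial a few times stays under both checks, while a source sweeping consecutive serials is reported by `enumerating_sources` and throttled by `TokenBucket` after its burst allowance.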