Stefan Mileschin

The finest security you can buy

A flaw has been found in Apple's Device Enrolment Program (DEP) which is used by enterprises and other organizations to manage fleets of iOS and macOS devices.

DEP can be used to streamline the mobile device management (MDM) process, deploy specific apps to devices, and provision configuration settings to help simplify setup and minimize manual user intervention.

Duo Security senior research and design engineer, James Barclay, discovered that all that was required to acquire potentially sensitive information from DEP-enrolled iOS hardware was the serial number.

According to the firm's research paper on the matter, information disclosure includes the address, email address, and support contact phone numbers of the managing organisation. While an attacker may wish to target a device with a specific serial number,

Duo Labs director Rich Smith indicated that coding a solution to brute-force serial number combinations was a doddle and while he was not going to release the code it is not difficult for a smart person to work it out.

The retrieved data could potentially give rise to attacks via IT help desks by requesting password resets or having foreign iOS devices enrolled into an organidation's DEP.

Apple has said that it does not consider this to be a vulnerability and has taken no steps to fix it – nor will it do so. Instead DEP administrators should implement hardening measures, such as user authentication, to help minimise the possible attack vector. Of course they could roll out some more secure systems which do not have an Apple logo on it.

The paper also recommended that rate-limiting be implemented in DEP API requests, as its current implementation allowed the researchers to issue requests as quickly as their session could physically manage. Unfortunately, such an approach could come at the cost of initial device setups being successful.

https://fudzilla.com/news/47277-appl...ramme-security