Looking after the corporate Apple mobile fleet? Beware: MDM onboarding is 'insecure'
Researchers check bootstrap enrolment tech, suck teeth, whistle
Hackers can blow holes in Apple's managed service technology and sneak their own rogue devices onto corporate fleets of mobile iThings.
Weaknesses in Apple's Device Enrollment Program (DEP) allow the ne'er-do-wells to run targeted attacks on both the networks of the corporate shiny-shiny and the backend systems that support them, researchers at Duo Security warned.
DEP, for those unfamiliar, is a free service provided by Apple that facilitates Mobile Device Management (MDM) enrolment of iOS (iPhones and iPads), macOS (MacBooks), and tvOS devices.
The root cause of the problem is an authentication weakness in DEP. Apple's MDM protocol supports strong user authentication (PDF) prior to MDM enrolment without actually requiring it – and allows device serial numbers to be used instead of more secure alternatives. Device serial numbers can be used to register iThings through Apple's DEP service during initial onboarding.
This is bad practice because serial numbers are generated using a well-known schema that makes them predictable. These serial numbers were never designed to be kept secret. Repositories of some serial numbers have already leaked and, even if that were not the case, valid serial numbers can be generated and then tested against DEP's programming interfaces (APIs) to see whether they are registered – a form of brute-force attack.
Duo Security further warned that the weakness creates an opportunity to spy on targeted networks. "The DEP profiles contain information about the organization such as phone numbers and email addresses, which could be used to launch a social engineering attack against the organisation's help desk or IT team."
The research was unveiled at the ekoparty conference in Buenos Aires, Argentina, today. Duo Security flagged up the issue to Apple three months ago before going public at the South American hacker powwow.
Lock it down
Duo is advising Apple to move towards strong authentication of devices and to stay well away from relying on serial numbers as a sole authentication factor. Until this core issue is addressed, Apple can make life harder for baddies by rate-limiting requests to its DEP APIs, a move that would throw a spanner in the works of those trying to guess numbers by trying every possible combination.
"Additionally, Apple could strongly authenticate users as part of the DEP enrollment process, using modern authentication protocols such as SAML or OIDC," Duo Security added.
If an organisation uses DEP – a technology widely but not universally used even among all-Apple shops – authentication should be tightened up at corporate mobile device management servers so that "knowledge of a serial number alone does not allow device enrollment".
Duo Security said it was not calling on organisations to ditch Apple's tech, but rather to be careful about using it.
"The benefits of ensuring that devices are securely configured and managed via MDM and bootstrapping that process via DEP outweigh the risks associated with this authentication weakness," the firm concluded.
Professor Alan Woodward of Surrey University told The Register: "I've seen too many security problems caused by using only a serial number to validate not to be suspicious. But, although there might be a chance of some info leakage, maybe a foothold from which to pivot, I'm not sure how much real damage you could do." ®