A Glitch in Apple’s DEP Authentication Induces Illicit MDM Enrolling.
A weakness in Apple's Device Enrolment Program (DEP) was disclosed recently; it potentially lets attackers enroll devices of their own into closed enterprise networks and, from there, obtain Wi-Fi passwords more easily.
In a report on the DEP weakness, the researchers note that it lets a plausible attacker automatically enroll devices onto MDM servers, which enterprise networks routinely use to monitor their devices. Such rogue enrolment gives attackers a foothold for hacking and prying into an organization's network.
Once a device is enrolled it is treated as "trusted" and as owned by the organization itself, and so it receives certificates, VPN configurations, applications and, not least, Wi-Fi passwords.
According to the sources, the main issue lies in how DEP works.
The only prerequisite for entering the DEP authentication process is a serial number which, although unique to each device, cannot be kept hidden and is therefore easy to abuse.
Serial numbers can be generated by understanding the schema used to create the original ones, and the candidates then checked against the DEP API to confirm whether they are registered in DEP. This saves attackers the trouble of looking for leaked numbers.
Duo Labs reportedly published this research after the disclosure deadline had passed, having responsibly informed Apple of the flaw earlier in May this year.
No patches are available yet, but the researchers have described some possible mitigations and advised customers to avoid MDM-enrolled devices or, at the very least, to require user authentication so that MDM enrolment is not automatic.
Using the unique IDs on T1 and T2 chips rather than serial numbers would help Apple strengthen its position further. The researchers have also said that requests to the DEP API should be rate-limited, and that OIDC and SAML, which are used for stronger user authentication, could be employed as well.
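To make the two mitigations the researchers recommend concrete, here is an added example, written for this article and not code from Duo Labs, Apple or any MDM product. It models an enrolment gate on an MDM server that refuses to hand out an enrolment profile on the strength of a serial number alone (user authentication is required) and throttles any client that presents too many requests or too many distinct serials in a short window, flagging it for investigation. The registered serials, the user directory and the request log are all constructed sample data; a real deployment would check credentials against an OIDC or SAML identity provider rather than a dictionary.

```python
"""Defensive model of a DEP-style MDM enrolment gate (added example, not vendor code).

Two controls from the article are implemented:
  1. rate limiting: a client that sends too many enrolment requests, or presents
     too many distinct serial numbers, is throttled and flagged;
  2. user authentication: a registered serial number is treated as public
     knowledge, never as proof of ownership, so a user login is required.
"""
import hmac
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_REQUESTS_PER_WINDOW = 5   # total enrolment attempts one client may make per window
MAX_DISTINCT_SERIALS = 2      # distinct serials one client may present per window

# Constructed sample data (assumption): stands in for the organization's DEP roster
# and its user directory. Serials and credentials here are invented.
REGISTERED_SERIALS = {"C02SAMPLE0001", "C02SAMPLE0002"}
USER_CREDENTIALS = {"alice": "Tr0ub4dor&3"}


class EnrollmentGate:
    """Tracks per-client request activity and decides each enrolment request."""

    def __init__(self):
        self._requests = defaultdict(deque)  # client -> timestamps of recent requests
        self._serials = defaultdict(dict)    # client -> {serial: last time it was seen}
        self.flagged = set()                 # clients that hit the rate limit

    def _prune(self, client, now):
        """Drop request records that have aged out of the sliding window."""
        q = self._requests[client]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        seen = self._serials[client]
        for serial in [s for s, t in seen.items() if now - t >= WINDOW_SECONDS]:
            del seen[serial]

    def check(self, client, serial, now, username=None, password=None):
        """Return one of: rate_limited, unknown_serial, auth_required, auth_failed, enrolled."""
        self._prune(client, now)
        self._requests[client].append(now)
        self._serials[client][serial] = now
        # Throttle before revealing anything about the serial, so a serial sweep
        # learns nothing once the client's budget is spent.
        if (len(self._requests[client]) > MAX_REQUESTS_PER_WINDOW
                or len(self._serials[client]) > MAX_DISTINCT_SERIALS):
            self.flagged.add(client)
            return "rate_limited"
        if serial not in REGISTERED_SERIALS:
            return "unknown_serial"
        # The serial matched, but that is not ownership: insist on a user login.
        if username is None:
            return "auth_required"
        expected = USER_CREDENTIALS.get(username, "")
        if not hmac.compare_digest(expected, password or ""):
            return "auth_failed"
        return "enrolled"


# Constructed request log (assumption): (timestamp, client, serial, username, password).
SAMPLE_REQUESTS = [
    (0, "10.0.0.7", "C02SAMPLE0001", None, None),                # legitimate device, serial only
    (1, "10.0.0.7", "C02SAMPLE0001", "alice", "wrong"),          # bad password
    (2, "10.0.0.7", "C02SAMPLE0001", "alice", "Tr0ub4dor&3"),    # correct login
    (3, "10.0.0.9", "C02SAMPLE0003", None, None),                # sweep: first guess
    (4, "10.0.0.9", "C02SAMPLE0004", None, None),                # sweep: second guess
    (5, "10.0.0.9", "C02SAMPLE0005", None, None),                # sweep: third distinct serial
    (6, "10.0.0.9", "C02SAMPLE0002", "alice", "Tr0ub4dor&3"),    # still throttled this window
]


def replay(requests=SAMPLE_REQUESTS):
    """Run a request log through a fresh gate; return (decisions, flagged clients)."""
    gate = EnrollmentGate()
    decisions = [gate.check(c, s, now=t, username=u, password=p)
                 for t, c, s, u, p in requests]
    return decisions, sorted(gate.flagged)


if __name__ == "__main__":
    decisions, flagged = replay()
    for req, decision in zip(SAMPLE_REQUESTS, decisions):
        print(f"t={req[0]:>2} client={req[1]:<9} serial={req[2]} -> {decision}")
    print("flagged clients:", flagged)
```

The ordering of the checks is the design point: the rate limit runs before the serial lookup, so a throttled client cannot distinguish a registered serial from an unregistered one, and a matching serial still ends in `auth_required` rather than an enrolment profile.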
The history of Apple and MDM enrolment has never been a happy one: there have been quite a number of cases of malware campaigns and hacking due to vulnerabilities. Restricting MDM servers and their connection with Apple emerges as a fair and reasonable path to take.
Ultimately, the decision is Apple's to take. Further details will be presented at the Ekoparty Security Conference.