A flaw in Apple’s Device Enrollment Program lets hackers get sensitive data

Schoolwork app

A flaw in Apple’s Device Enrollment Program (DEP) allows an attacker to exploit private information on iPhone, iPad and Mac devices used by schools and businesses and obtain private details such as an organization’s address, phone number and email addresses.

Work and school-issued Apple products have a serial number flaw, according to researchers from Duo Security (via Forbes), which was recently acquired by Cisco for $2.35 billion.

Each Apple device is registered and authenticated with the DEP system using its serial number. Enterprise and education customers use DEP to easily deploy and configure organization-owned iPad and iPhone devices, Mac computers and Apple TV set-top boxes.

James Barclay, a senior research and design engineer with Duo Security, and Rich Smith, director of Duo Labs, have discovered that an attacker could use a 12-character serial number of a real device that hasn’t been set up on a company’s Mobile Device Management (MDM) server yet to request activation records and retrieve sensitive information.

The request for activation records doesn’t have rate limits, permitting an attacker to use a brute-force method to attempt enrolling every conceivable serial number. After a rogue device has been successfully authenticated with a company’s MDM server using the chosen serial number, it appears on their network as a legitimate user.

“If attackers obtained a serial number that hadn’t been enrolled yet, the researchers said, it would be possible for them to enroll their own device with that number and gather even more information, such as Wi-Fi passwords and customized apps,” CNET reported Thursday.

Apple hasn’t addressed the issue, telling CNET it doesn’t consider this a real threat because MDM servers are managed by organizations and it is within their domain of responsibility to secure their own servers and apply security measures to limit such attacks.

Truth be told, the DEP system permits organizations to optionally seek user authentication (a user name and a password along with the device serial number), but Apple does not enforce this stronger authentication. In other words, it’s up to businesses to decide whether or not to require users to prove who they are when enrolling their own devices.

The attack method was reported to Apple in May.