Researchers find vulnerability in Apple's MDM DEP process

Vulnerability could lead to attackers enrolling malicious devices in enterprise networks, researchers say.
Written by Catalin Cimpanu, Contributor

Security researchers from Duo Labs have found a vulnerability in an Apple-specific mechanism used to control devices as part of closed enterprise networks.

The mechanism is quite widespread and is known as Mobile Device Management (MDM). It is used by small to large companies to enroll Apple devices under one management server, from which system administrators can deliver common certificates, applications, WiFi passwords, VPN configurations, and so on, all specific to that company's network.

In a research paper published today and shared with ZDNet in advance, the Duo Labs team has revealed a vulnerability in DEP, or the Device Enrollment Program, the protocol through which new Apple devices are added to an MDM server.

More specifically, Duo Labs researchers say that the "device authentication" process of the DEP scheme can be exploited by an attacker (step #4 in the image below).


Duo researchers say that flaws in the way DEP was designed allow an attacker to trick the authentication step and enroll a device of the attacker's choosing in an organization's MDM server.

Furthermore, the researchers say the DEP pre-enrollment authentication process can also be abused to leak information about the organization that owns a specific device, information that could be used to plan future attacks.

These attacks on the MDM DEP authentication process are possible mainly because Apple relies only on a device's serial number to uniquely identify an iPhone, iPad, or Mac that is being added to an MDM server.

"The weaknesses in Apple's Device Enrollment Program authentication outlined in [our] paper can be remediated in several ways," said Duo Labs researchers.

"Some of the recommended remediation steps will require re-architecting how DEP and MDM enrollment work, and could require hardware changes, while others are more straightforward and can be implemented directly by customers using DEP."

These remediation steps are described in a 32-page report released today. They include the use of cryptographic signatures generated by modern chips embedded in Apple's latest devices, adding a rate limit to DEP API requests to prevent mass device data harvesting, and the use of modern authentication via SAML or OAuth 2.0 as part of the DEP enrollment process.
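To make concrete why serial-number-only identification is weak, and what the signature-based and rate-limiting remediations listed above actually buy, the following is an added Go example. It is not code from Duo Labs or Apple and does not implement Apple's DEP protocol; it is a toy enrollment endpoint with three parts: a serial-only path (the model the article describes), a hardened path that requires a server-issued challenge signed by a key the device holds, and a per-client rate limiter on lookups. The server, the simulated device, the serial string and the limits are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrUnknownDevice  = errors.New("serial not registered with this organization")
	ErrBadAttestation = errors.New("device attestation signature invalid")
	ErrStaleChallenge = errors.New("challenge unknown or already used")
)

// EnrollmentServer is a toy stand-in for an MDM/DEP enrollment endpoint (constructed,
// not Apple's protocol). It exists only to contrast two authentication models.
type EnrollmentServer struct {
	mu      sync.Mutex
	devices map[string]ed25519.PublicKey // serial -> trusted attestation public key
	nonces  map[string]bool              // outstanding challenges, consumed on first use
	hits    map[string][]time.Time       // per-client request timestamps for rate limiting
	limit   int
	window  time.Duration
}

func NewEnrollmentServer(limit int, window time.Duration) *EnrollmentServer {
	return &EnrollmentServer{
		devices: map[string]ed25519.PublicKey{}, nonces: map[string]bool{},
		hits: map[string][]time.Time{}, limit: limit, window: window,
	}
}

// Register records the attestation public key the organization trusts for a serial.
func (s *EnrollmentServer) Register(serial string, pub ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.devices[serial] = pub
}

// EnrollSerialOnly models the weakness the article describes: the serial number is the
// only credential, so anyone who knows or guesses a valid serial is "authenticated".
func (s *EnrollmentServer) EnrollSerialOnly(serial string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.devices[serial]; !ok {
		return ErrUnknownDevice
	}
	return nil
}

// Challenge issues a fresh random nonce for the device to sign. Issued nonces are tracked
// and consumed on use so a captured signature cannot be replayed later.
func (s *EnrollmentServer) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.nonces[hex.EncodeToString(nonce)] = true
	return nonce
}

// EnrollAttested is the hardened path: the serial only selects which key to check;
// proof of possession of the device's private attestation key is what authenticates it.
func (s *EnrollmentServer) EnrollAttested(serial string, nonce, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := hex.EncodeToString(nonce)
	if !s.nonces[key] {
		return ErrStaleChallenge
	}
	delete(s.nonces, key) // single use, even when verification fails below
	pub, ok := s.devices[serial]
	if !ok {
		return ErrUnknownDevice
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, nonce, sig) {
		return ErrBadAttestation
	}
	return nil
}

// Allow is a sliding-window rate limiter keyed by client (e.g. source address); this is the
// kind of control that blunts mass serial-number harvesting against a lookup API.
func (s *EnrollmentServer) Allow(client string, now time.Time) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	recent := s.hits[client][:0] // filter in place: keep only hits inside the window
	for _, t := range s.hits[client] {
		if now.Sub(t) < s.window {
			recent = append(recent, t)
		}
	}
	if len(recent) >= s.limit {
		s.hits[client] = recent
		return false
	}
	s.hits[client] = append(recent, now)
	return true
}

// SimulatedDevice stands in for hardware that holds a non-exportable attestation key.
type SimulatedDevice struct {
	Serial string
	Public ed25519.PublicKey
	priv   ed25519.PrivateKey
}

func NewSimulatedDevice(serial string) (*SimulatedDevice, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SimulatedDevice{Serial: serial, Public: pub, priv: priv}, nil
}

func (d *SimulatedDevice) Sign(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }

func main() {
	srv := NewEnrollmentServer(3, time.Minute)
	dev, _ := NewSimulatedDevice("SERIAL-CONSTRUCTED-001") // constructed serial, not a real device
	srv.Register(dev.Serial, dev.Public)
	fmt.Println("serial-only:", srv.EnrollSerialOnly(dev.Serial)) // nil: the serial alone suffices
	nonce := srv.Challenge()
	fmt.Println("attested:", srv.EnrollAttested(dev.Serial, nonce, dev.Sign(nonce)))
	fmt.Println("replay:", srv.EnrollAttested(dev.Serial, nonce, dev.Sign(nonce)))
}
```

The design point is that in the hardened path the serial number is demoted from credential to lookup key: an impostor who knows a valid serial but does not hold the registered private key fails `EnrollAttested`, and a recorded signature fails on the second use because the nonce was consumed. `Allow` is deliberately simple; a production limiter would also persist state across instances and log limit hits for detection.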

"Regardless of the authentication weaknesses in the current implementation of Apple's Device Enrollment Program, there's no question that it still provides value for organizations with large fleets of Apple devices," researchers said, also suggesting the issue they found could be mitigated via various security best practices applied to internal networks and user devices.

Duo said it notified Apple of the MDM DEP vulnerability in May this year. Apple has not deployed any countermeasures as of yet. Researchers will be presenting their findings tomorrow, September 28, at the ekoparty security conference, held in Buenos Aires, Argentina.
