Researchers have discovered a vulnerability in an Apple mechanism used to control devices that are part of closed enterprise networks. The vulnerability resides in DEP (Device Enrollment Program), the protocol through which new Apple devices are added to an organization’s MDM (Mobile Device Management) server. DEP’s device authentication can be abused by an attacker to pass the authentication step and enroll a device of their choosing in an organization’s MDM server. The DEP pre-enrollment authentication process can also be abused to disclose information about the organization that owns a given device. These attacks are possible because Apple relies on the device’s serial number, a value that is neither secret nor hard to guess, to identify an Apple device that is being added to an MDM server. A researcher said, “The weaknesses in Apple’s Device Enrollment Program authentication outlined in [our] paper can be remediated in several ways.” The remediation steps proposed include using cryptographic signatures generated by the security chips embedded in Apple’s newest devices, adding modern authentication support via OAuth 2.0 or SAML to the DEP enrollment process, and rate limiting DEP API requests. These would require rearchitecting how MDM enrollment works and may require hardware changes. Apple was notified in May; no fix has been made available yet.
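The following is an added illustration, not Apple’s code or protocol and not from the researchers’ paper, of why identifying a device by its serial number alone is forgeable and what two of the proposed remediations change. It puts a serial-only enrollment check beside a challenge/response check in which the device must sign a fresh server nonce with a per-device key, with a per-client rate limit in front of both requests. Every name, the sample serials and the organization name are constructed; HMAC-SHA256 stands in for the hardware-backed asymmetric signature a secure chip would produce.

```python
"""Serial-only enrollment check beside a challenge/response check with a per-device key.
Hypothetical model written for this page; not Apple's DEP implementation."""
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

# Constructed sample data: serials an organization has registered and the organization
# name the enrollment profile would reveal. Serials are not secrets: they are printed
# on the device, shown in the OS settings, and follow predictable patterns.
ORG_DEVICES = {"C02XK1ABCDEF": "Acme Corp", "F5KZ9XYZ1234": "Acme Corp"}


def serial_only_enroll(serial):
    """Weak check: any client presenting a registered serial enrolls and learns the org."""
    if serial in ORG_DEVICES:
        return True, ORG_DEVICES[serial]
    return False, None


# Hardened variant: a per-device key, modelled here as provisioned at manufacture and
# never leaving the device, so knowing a registered serial alone proves nothing.
DEVICE_KEYS = {serial: secrets.token_bytes(32) for serial in ORG_DEVICES}


def device_sign(key, serial, challenge):
    """What the device does with its key: bind its serial to the server's fresh challenge."""
    return hmac.new(key, serial.encode() + challenge, hashlib.sha256).digest()


class EnrollmentServer:
    def __init__(self, device_keys, max_attempts=5, window=60.0):
        self.device_keys = device_keys
        self.pending = {}                   # serial -> outstanding single-use challenge
        self.attempts = defaultdict(deque)  # client_id -> timestamps of recent requests
        self.max_attempts = max_attempts
        self.window = window

    def _rate_limited(self, client_id, now):
        """Sliding-window limit per client; every request counts, valid or not."""
        q = self.attempts[client_id]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        return len(q) > self.max_attempts

    def issue_challenge(self, client_id, serial, now):
        """Hand out a fresh nonce without revealing whether the serial is registered."""
        if self._rate_limited(client_id, now):
            return None
        challenge = secrets.token_bytes(16)
        self.pending[serial] = challenge
        return challenge

    def enroll(self, client_id, serial, challenge, signature, now):
        if self._rate_limited(client_id, now):
            return False, "rate limited"
        expected_challenge = self.pending.pop(serial, None)  # single use: no replay
        key = self.device_keys.get(serial)
        if expected_challenge is None or key is None or challenge != expected_challenge:
            return False, "unknown device or stale challenge"
        if not hmac.compare_digest(device_sign(key, serial, challenge), signature):
            return False, "bad signature"
        return True, ORG_DEVICES[serial]


def legitimate_device(server, serial, now=0.0):
    """A real device: it holds the key for its serial."""
    client = "device-" + serial
    challenge = server.issue_challenge(client, serial, now)
    signature = device_sign(DEVICE_KEYS[serial], serial, challenge)
    return server.enroll(client, serial, challenge, signature, now)


def attacker_with_serial_only(server, serial, now=0.0):
    """An attacker who knows a valid serial but holds no device key can only guess a key."""
    challenge = server.issue_challenge("attacker", serial, now)
    forged = device_sign(secrets.token_bytes(32), serial, challenge)
    return server.enroll("attacker", serial, challenge, forged, now)


def serial_enumeration(server, candidate_serials, now=0.0):
    """Bulk serial guessing: how many challenges the server hands out before throttling."""
    issued = 0
    for serial in candidate_serials:
        if server.issue_challenge("scanner", serial, now) is not None:
            issued += 1
    return issued


if __name__ == "__main__":
    server = EnrollmentServer(DEVICE_KEYS)
    print("serial only   :", serial_only_enroll("C02XK1ABCDEF"))
    print("real device   :", legitimate_device(server, "C02XK1ABCDEF"))
    print("serial, no key:", attacker_with_serial_only(server, "C02XK1ABCDEF"))
    print("guesses served:", serial_enumeration(server, [f"S{i:04}" for i in range(50)]))
```

The weak check and the hardened one accept the same legitimate device; the difference is that the hardened server never acts on the serial by itself, issues one nonce per attempt so a captured exchange cannot be replayed, and answers a scanner's guesses only until the per-client limit is hit.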
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased