makspogonii - Fotolia
How a flaw in Apple DEP misuses an MDM server
Hackers are able to enroll their devices in an organization's MDM server via a flaw in Apple DEP. Expert Michael Cobb explains how hackers conduct these attacks.
One of the many challenges network administrators face is controlling, securing and enforcing security policies on users' smartphones, tablets and other mobile devices.
To optimize both the functionality and the security of mobile devices while simultaneously protecting the corporate network, many organizations deploy a mobile device management (MDM) server to configure policies and applications and push them to their users' devices. This ability to remotely secure devices and ensure security controls are regularly updated is essential to safeguarding both users and network resources.
However, any device that is going to be allowed to connect to the corporate network has to first be enrolled in the MDM system, which can present another challenge.
While most MDMs offer user self-enrollment, they also usually require some user interaction -- often leading to calls to the IT help desk or users not bothering to complete the process. This creates gaps in the asset register and leaves administrators with no way to manage devices that need to connect to the network.
To overcome this situation, Apple offers the Device Enrollment Program (DEP) as a free service to organizations using MDM to manage and configure their users' devices. It provides a zero-touch setup experience for devices purchased directly from Apple or authorized resellers. This means that a device appears in MDM as soon as the setup process is complete.
How Apple DEP works
When a device starts the Apple setup assistant, it contacts Apple to see if there is a DEP registration that matches its serial number. If there is, it receives the details of the specified MDM service and enrolls itself into the MDM system.
However, researchers at Duo Security found that the DEP service only requires the device's 12-character serial number to authenticate itself during the enrollment process. This opens up the possibility of anyone being able to enroll any device in an organization's MDM server because these serial numbers are not a secured secret. It's not uncommon to find them online; many are listed in the Piker-Alpha/MacSerials repository and they are created using a well-known schema.
This means an attacker can obtain serial numbers using open source intelligence, social engineering, or by generating valid serial numbers and using the DEP API to test if they are registered. If a serial number is valid, attackers can potentially enroll their own devices into the organization's MDM server by claiming the identity of a valid device, as the DEP API only uses the device serial number and there are no strong guarantees in place to authenticate that claim of device identity.
This could give the attacker access to sensitive data, full VPN access to internal systems or privileged access within the network. Also, DEP profiles contain information about the organization, such as phone numbers and email addresses, and this information could be used in a social engineering attack.
Apple's MDM protocol does support user authentication prior to MDM enrollment, but it does not require it, so to avoid possible information disclosure and rogue DEP enrollments, it is essential for administrators to enforce authentication on any MDM server used with DEP. This will ensure that the knowledge of a serial number alone does not allow device enrollment. Although this requires a more complex configuration, as the MDM server has to access the internal authentication server to handle MDM enrollments, the process is recommended in Apple's Business Manager Help documentation.
It is also best practice to never completely trust mobile devices, restricting their privileges to the minimum possible access, at least until the user has been more robustly authenticated.