Apple's Device Enrollment Program vulnerable to attack over device serial authentication

By Malcolm Owen

Apple's Device Enrollment Program, used by businesses to provision iPhones and iPads with an internal device management server, is claimed to have a weakness in its authentication that could allow an attacker to learn internal information about an organization.

The Device Enrollment Program (DEP) is a service offered by Apple to allow companies to manage and configure a user's device for use on a network, including installing specific applications and configuration settings the user will require in their work. Once set up, devices can then be managed by a company's Mobile Device Management (MDM) server.

According to a paper from Duo Security, analysis of undocumented DEP APIs led to the discovery that an attacker could potentially acquire vital details about an organization's structure, including phone numbers and email addresses, which could be used to perform a social engineering attack against employees or the firm's IT support team.

DEP was found to use only a device's serial number to authenticate to the service prior to enrollment, and while the MDM protocol does support user authentication before MDM enrollment, it isn't required. Because user authentication is optional, many organizations have apparently decided against implementing it in their process, leaving device enrollment protected only by serial numbers.

As serial numbers are not a secret item, unlike username and password combinations, the numbers for registered devices could potentially be found online from other breaches. An attacker could also use established rules to make up what seems to be a valid serial number, which could then be tested against the DEP API to check whether it is registered to the server.

"An attacker armed with only a valid DEP-registered serial number can use it to query the DEP API to glean organizational information," writes Duo's James Barclay. "Or in configurations where an associated MDM server does not enforce additional authentication, a malicious actor can potentially enroll an arbitrary device into an organization's MDM server."

Barclay goes on to suggest the enrollment can have significant consequences, including allowing access to a company's private resources, or even full VPN access to internal systems.

The full size or scope of the issue is unknown, but it does affect every customer using Apple's DEP service. It is noted that not every Apple enterprise customer that deploys Apple services for their corporate networks uses Apple's DEP service.

The issue was reported through the usual disclosure process for security issues, with Apple informed on May 16 and acknowledging the report the following day. The research was published on September 27, and is intended to be publicly presented at the ekoparty Security Conference on Friday.

Duo Security recommended that Apple ensure strong authentication of devices and not rely on serial numbers as the sole authentication factor. It also advised Apple to implement rate limits on requests, limit the data returned by API endpoints, and change the DEP process to authenticate users using protocols such as SAML or OIDC.

Organizations are advised to enforce authentication on MDM servers used with DEP, to prevent serial number-only authentication. Embracing a "zero-trust approach" is also suggested, to ensure privileges afforded to devices enrolled in DEP are not excessive.
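
The recommendations above (user authentication before enrollment, rate limits on requests, and limiting what an endpoint reveals) can be sketched as a single pre-enrollment check. This is an added example, not code from Duo Security, Apple or any MDM product; the class, reason strings and sample data are hypothetical, and the user identity is assumed to have been verified already by a SAML or OIDC identity provider.

```python
from collections import defaultdict, deque

class EnrollmentGate:
    """Hypothetical pre-enrollment check for an MDM server (all names are assumptions)."""

    def __init__(self, registered_serials, max_serials=3, window_s=600):
        self.registered = set(registered_serials)
        self.max_serials = max_serials   # distinct serials one source may try per window
        self.window_s = window_s
        self._attempts = defaultdict(deque)  # source -> (timestamp, serial) pairs

    def check(self, source, serial, user, now):
        """Return (allowed, reason); `user` is the IdP-verified identity or None."""
        attempts = self._attempts[source]
        while attempts and now - attempts[0][0] > self.window_s:
            attempts.popleft()           # drop attempts older than the window
        attempts.append((now, serial))   # denied attempts count too
        if len({s for _, s in attempts}) > self.max_serials:
            return False, "rate_limited"
        # Checked before the serial lookup so an unauthenticated caller
        # cannot learn whether a serial is registered.
        if user is None:
            return False, "user_auth_required"
        if serial not in self.registered:
            return False, "unknown_serial"
        return True, "ok"

def demo():
    """Replay constructed enrollment attempts and return the decisions."""
    gate = EnrollmentGate({"SERIAL-EXAMPLE-1"})
    events = [  # constructed sample data: (source, serial, user, time in seconds)
        ("10.0.0.5", "SERIAL-EXAMPLE-1", None, 0),
        ("10.0.0.5", "SERIAL-EXAMPLE-1", "alice", 10),
        ("203.0.113.9", "GUESS-0", None, 100),
        ("203.0.113.9", "GUESS-1", None, 101),
        ("203.0.113.9", "GUESS-2", None, 102),
        ("203.0.113.9", "GUESS-3", None, 103),
        ("203.0.113.9", "SERIAL-EXAMPLE-1", "alice", 104),
    ]
    return [gate.check(*e)[1] for e in events]

if __name__ == "__main__":
    print(demo())
```

A serial number alone never produces an "ok" here, and a source that cycles through many serials is cut off even when it eventually presents a registered one.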