A group of researchers at Duo Security has discovered a major security flaw in Apple’s Device Enrollment Program (DEP) which essentially allows attackers to steal business passwords from macOS and iOS devices, The Register is reporting.
The research was unveiled at the Ekoparty conference in Buenos Aires, Argentina, today. Duo Security flagged up the issue to Apple three months ago before going public at the South American hacker powwow.
According to the security experts, the main cause of the problem is an authentication weakness in DEP, a free service from Apple that facilitates Mobile Device Management (MDM) enrolment of iOS, macOS, and tvOS devices.
An attacker can use the flaw to enrol a rogue device through DEP and register it with a company’s MDM server.
“Apple’s MDM protocol supports strong user authentication prior to MDM enrolment without actually requiring it – and allows device serial numbers to be used instead of more secure alternatives. Device serial numbers can be used to register iThings through Apple’s DEP service during initial onboarding.
This is bad practice because serial numbers are generated using a well-known schema that makes them predictable. These serial numbers were never designed to be kept secret.”
Duo has advised Apple to move towards strong authentication of devices and to stay well away from relying on serial numbers as a sole authentication factor.
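To make the difference concrete, the following added example (not Duo’s or Apple’s code) models an MDM server’s enrolment decision twice: once accepting any serial found in the inventory, as the research describes, and once treating the serial only as an identifier and demanding a one-time token issued to the authenticated user. The inventory, serial strings and token format are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed inventory for the example: serial -> user the device was assigned to.
# The serial strings are placeholders, not real Apple serial numbers.
ASSIGNED = {"SERIAL-PLACEHOLDER-001": "alice", "SERIAL-PLACEHOLDER-002": "bob"}

# Server-side secret used to mint enrolment tokens (generated fresh per run).
SERVER_KEY = secrets.token_bytes(32)
_consumed_nonces: set[str] = set()


def weak_enroll(serial: str) -> bool:
    """Serial-only decision, mirroring the weakness described above:
    any request presenting a serial present in the inventory is enrolled."""
    return serial in ASSIGNED


def issue_token(user: str, serial: str) -> str:
    """Mint a one-time enrolment token after the user has authenticated out of
    band (e.g. via SSO). The MAC binds the token to both the user and the serial."""
    nonce = secrets.token_hex(16)
    msg = f"{nonce}|{user}|{serial}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def strong_enroll(serial: str, user: str, token: str) -> tuple[bool, str]:
    """Hardened decision: the serial identifies the device but proves nothing;
    the user must present a valid, unused token bound to this serial."""
    if ASSIGNED.get(serial) != user:
        return False, "serial not assigned to this user"
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False, "malformed token"
    msg = f"{nonce}|{user}|{serial}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad token"
    if nonce in _consumed_nonces:
        return False, "token already used"
    _consumed_nonces.add(nonce)
    return True, "enrolled"
```

Note that `weak_enroll` never learns who is holding the device, which is exactly why a guessable serial is enough to get a rogue machine onto the MDM server.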