Researchers at Duo Security have identified a flaw they describe as an authentication weakness in Apple's Device Enrollment Program (DEP). The vulnerability was reported to Apple in May 2018. It is not considered a major bug, but it could have serious consequences. Apple has been asked whether it has fixed, or plans to fix or patch, the problem.

Apple's Device Enrollment Program is used to automatically enroll Apple devices into a company's Mobile Device Management (MDM) server. MDM is used to manage and configure user devices. DEP makes the enrollment process fast, simple and streamlined, and is a benefit to any company with a large number of mobile devices.

“Users,” comments Duo, “can unbox their new device and be ready to go on day one. If they purchase devices directly from Apple or an authorized reseller, they can have a zero-touch configuration of the endpoint as it is booted up for the first time.”

The problem discovered by Duo lies in a private DEP API used by Apple devices to request their DEP profile. To obtain the DEP profile, which contains details about the organization that owns the device, a device needs to supply only a valid serial number as authentication. The process assumes that the device sending the serial number is the device to which that serial number belongs.

“This is problematic,” write the researchers in a report published today by Duo Labs, “because an attacker armed with only a valid, DEP-registered serial number can potentially enroll a rogue device into an organization’s MDM server, or use the DEP API to glean information from enrolled devices.”

Serial numbers are predictable and built using a well-known schema. They were never intended to be secret, or even unique. This means attackers do not have to stumble upon accidentally exposed serial numbers; they can instead generate valid serial numbers and use the DEP API to test whether they are registered with DEP.

“The main problem here,” James Barclay, senior R&D engineer at Duo Security, told SecurityWeek, “is that serial numbers were never meant to be secret. But it’s not the end of the world. We don’t see this as so much of a problem that people should stop using DEP. The benefits of having devices managed through Apple’s MDM and using DEP to make enrollment a smooth process for end users, outweigh the risks.” 

The vulnerability does not lead directly to a breach, but it still carries risks. Those risks, he continued, depend on how the company has configured its MDM server.

“If the MDM-provided configuration data includes a support desk help number, then the attacker could call support, identify himself with the serial number he already knows, and attempt to socially engineer a more useful position. Potentially more serious, if the MDM is set up to deliver wifi configuration including the wifi password, or perhaps the corporate VPN password, then this will fall into the hands of the attacker.”

There are, however, remediation measures a company can take regardless of whether Apple does anything.

“Primarily,” said Barclay, “organizations should implement a requirement for user authentication prior to enrollment with the MDM. If this is not possible, the MDM could simply install a single app at the beginning of the process. The app could require out-of-band user authentication prior to delivering any further configuration. This would minimize any possibility of an attacker enrolling a rogue device.”

The problem is that in many cases organizations do not require user authentication before MDM enrollment, and they deploy things such as VPN configuration data and Wi-Fi passwords directly through MDM.
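The mitigation Barclay describes can be made concrete as a small model of an MDM enrollment gate. The block below is an example added to this article, not Apple's or Duo's code: `weak_enroll` shows the serial-only pattern the report criticizes, where a registered serial number alone returns the full configuration, including Wi-Fi and VPN secrets; `HardenedEnrollmentGate` shows the two-step alternative, where a serial lookup returns only a secret-free bootstrap profile and a one-time token, and the sensitive configuration is released only after the user authenticates out of band. The DEP registry, managed configuration, serial numbers, and the `authenticate_user` callable standing in for an identity provider are all constructed assumptions for the example.

```python
"""Model of an MDM enrollment gate: the serial-only lookup the Duo report
describes, beside a gate that requires out-of-band user authentication
before any configuration carrying secrets is released.

Example code added to this article, not Apple's or Duo's code. Serials,
profiles and credentials are constructed sample data."""
import secrets
import time

# Constructed sample data: serials a hypothetical organisation registered with DEP.
DEP_REGISTERED = {
    "C02EXAMPLE0001": {"org": "Example Corp", "mdm_url": "https://mdm.example.test/enroll"},
    "C02EXAMPLE0002": {"org": "Example Corp", "mdm_url": "https://mdm.example.test/enroll"},
}

# Constructed sample data: the configuration the MDM pushes to an enrolled device.
MANAGED_CONFIG = {
    "support_phone": "+1-555-0100",  # harmless alone, but a lever for social engineering
    "wifi": {"ssid": "corp-wifi", "psk": "constructed-wifi-secret"},
    "vpn": {"server": "vpn.example.test", "password": "constructed-vpn-secret"},
}
SENSITIVE_KEYS = {"wifi", "vpn"}  # never released before the user has authenticated


def weak_enroll(serial):
    """Serial number is the only credential: any registered serial yields the whole config."""
    dep_profile = DEP_REGISTERED.get(serial)
    if dep_profile is None:
        return None
    return {**dep_profile, "config": dict(MANAGED_CONFIG)}


class HardenedEnrollmentGate:
    """Two-step enrollment. begin() answers a serial lookup with a secret-free bootstrap
    profile plus a one-time token; complete() releases the sensitive configuration only
    after the user authenticates out of band with that token."""

    def __init__(self, authenticate_user, token_ttl=600):
        # authenticate_user(username, password) -> bool; a stand-in for the IdP (assumption).
        self._authenticate_user = authenticate_user
        self._pending = {}  # token -> (serial, expiry)
        self._ttl = token_ttl
        # serial -> lookups that never finished enrollment; repeated lookups that no user
        # ever completes are the signal a defender would alert on.
        self.unfinished = {}

    def begin(self, serial, now=None):
        dep_profile = DEP_REGISTERED.get(serial)
        if dep_profile is None:
            return None
        now = time.monotonic() if now is None else now
        token = secrets.token_urlsafe(16)
        self._pending[token] = (serial, now + self._ttl)
        self.unfinished[serial] = self.unfinished.get(serial, 0) + 1
        bootstrap = {k: v for k, v in MANAGED_CONFIG.items() if k not in SENSITIVE_KEYS}
        return {**dep_profile, "enroll_token": token, "config": bootstrap}

    def complete(self, token, username, password, now=None):
        now = time.monotonic() if now is None else now
        entry = self._pending.pop(token, None)  # tokens are single-use, success or not
        if entry is None:
            return None
        serial, expiry = entry
        if now > expiry or not self._authenticate_user(username, password):
            return None
        self.unfinished[serial] -= 1
        return {**DEP_REGISTERED[serial], "user": username, "config": dict(MANAGED_CONFIG)}

    def suspicious_serials(self, threshold=3):
        """Serials looked up repeatedly without a user ever completing enrollment."""
        return sorted(s for s, n in self.unfinished.items() if n >= threshold)


if __name__ == "__main__":
    gate = HardenedEnrollmentGate(lambda u, p: (u, p) == ("alice", "constructed-pw"))
    boot = gate.begin("C02EXAMPLE0001")
    print("bootstrap keys:", sorted(boot["config"]))          # no wifi or vpn here
    done = gate.complete(boot["enroll_token"], "alice", "constructed-pw")
    print("after user auth:", sorted(done["config"]))
```

The bootstrap profile deliberately still carries the support desk number, to make the point in Barclay's quote above: even non-secret configuration has value to a caller who already knows a serial number, so organizations should decide per key what is safe to hand out before the user has proved who they are. The `unfinished` counter is the server-side detection hook: the hardened gate cannot stop a registered serial from being looked up, but it can surface serials that are probed repeatedly without anyone ever finishing enrollment.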

The issue may simply disappear on future Apple devices. The latest devices include T1 or T2 cryptographic chips, and it should be possible to cryptographically identify individual devices using their Secure Enclave.

“This could provide cryptographic assurance of the identity of a given device,” write the researchers, “before enrolling it into an organization’s MDM server via DEP.”

Duo is not aware of any remedial measures taken or planned by Apple.

“We don’t know and haven’t been told whether Apple has any plans to solve the issue themselves,” said Barclay. “We don’t know of any direct fixes that have been put in place yet. It’s possible that some of the mitigations could be implemented server-side without actually requiring a patch to the endpoint.”

This is not the first DEP/MDM vulnerability to be disclosed. Jesse Endahl, CSO and CPO at macOS management firm Fleetsmith, and Max Belanger, staff engineer at Dropbox, demonstrated at Black Hat in August 2018 that a man-in-the-middle attacker could stop applications being delivered from the MDM to the device.

Apple has been asked for comment on the current problem, but no reply has yet been received from the company. If any statement is received, it will be added. Two days ago, Patrick Wardle, chief research officer and co-founder of macOS security company Digita Security, disclosed, without details, a flaw in the latest version of Mojave that allows a malicious app to obtain data from the user's address book without obtaining the necessary permissions.
