Security vulnerability in Apple’s DEP could allow full access to corporate networks

A security vulnerability discovered in Apple’s Device Enrollment Program (DEP) could allow an attacker to gain full access to a corporate or school network.

The DEP is a free service offered by Apple to allow new devices to be automatically configured with everything from custom apps to VPN settings.

The vulnerability may allow attackers to enroll any device into an organization’s Mobile Device Management server and, consequently, to obtain privileged access to the private resources of an organization or even full VPN access to internal systems.

The vulnerability was discovered by Duo Security researchers while probing Apple DEP’s security.

“Our research focused on the details of how some of the undocumented DEP APIs work, specifically those that are used by Apple devices to communicate and enroll with the DEP service. Through this research, we found that because of the way DEP is implemented, it only uses a device’s serial number to authenticate to the service prior to enrolment,” James Barclay, Senior R&D Engineer at Duo Labs, explained.

“Also, while Apple’s MDM protocol supports user authentication prior to MDM enrollment, it does not require it – meaning many organizations are currently protecting device enrollment with the serial number alone.”

Unfortunately, serial numbers of Apple devices are predictable and also often found online, and this info can be exploited to query the DEP APIs.

Apple has, of course, been notified of the find earlier this year, but has yet to do something about it.
The researchers recommended that Apple add strong authentication of devices going throug the DEP enrolment process, rate-limit requests to the DEP APIs and limit the information returned by the API endpoints. Not relying on serial numbers as a sole authentication factor has also been put forward as a solution.