Looking after the corporate Apple mobile fleet? Beware: MDM onboarding is 'insecure'

Researchers check bootstrap enrolment tech, suck teeth, whistle


Hackers can blow holes in Apple's managed service technology and sneak their own rogue devices onto corporate fleets of mobile iThings.

Weaknesses in Apple's Device Enrollment Program (DEP) allow the ne'er-do-wells to run targeted attacks on both the networks of the corporate shiny-shiny and the backend systems that support them, researchers at Duo Security warned.

DEP, for those unfamiliar, is a free service provided by Apple that facilitates Mobile Device Management (MDM) enrolment of iOS (iPhones and iPads), macOS (MacBooks), and tvOS devices.

The root cause of the problem is an authentication weakness in DEP. Apple's MDM protocol supports strong user authentication prior to MDM enrolment without actually requiring it – and allows device serial numbers to be used instead of more secure alternatives. Device serial numbers alone can be used to register iThings through Apple's DEP service during initial onboarding.

This is bad practice because serial numbers are generated using a well-known schema that makes them predictable. These serial numbers were never designed to be kept secret. Repositories of some serial numbers have already leaked and, even if that were not the case, valid serial numbers can be generated and then tested against DEP's programming interfaces (APIs) to see whether they are registered – a form of brute-force attack.
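From the defender's side, the brute-force pattern described above has a recognisable shape in an MDM server's logs: one client submitting many distinct serial numbers, most of which the server does not recognise. The following is an added example, not code from Duo Security or Apple, that flags such clients from a handful of constructed log lines. The log format, the client addresses and the `SER-…` serial values are all invented for the example; real MDM servers log differently and real serials follow Apple's own scheme.

```python
"""Flag serial-number enumeration against an MDM enrolment endpoint.

Added example; the log format and serial values below are constructed
for illustration and do not reflect any real product's log output.
"""
import re
from collections import defaultdict

# Constructed sample: one client walking through many serials, one normal device
SAMPLE_LOG = """\
2018-09-27T10:00:01Z client=203.0.113.5 path=/enroll serial=SER-1001 result=unknown
2018-09-27T10:00:02Z client=203.0.113.5 path=/enroll serial=SER-1002 result=unknown
2018-09-27T10:00:03Z client=203.0.113.5 path=/enroll serial=SER-1003 result=unknown
2018-09-27T10:00:04Z client=203.0.113.5 path=/enroll serial=SER-1004 result=registered
2018-09-27T10:00:05Z client=203.0.113.5 path=/enroll serial=SER-1005 result=unknown
2018-09-27T10:00:06Z client=203.0.113.5 path=/enroll serial=SER-1006 result=unknown
2018-09-27T10:00:07Z client=198.51.100.7 path=/enroll serial=SER-2001 result=registered
2018-09-27T10:00:09Z client=198.51.100.7 path=/enroll serial=SER-2001 result=registered
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) path=(?P<path>\S+) "
    r"serial=(?P<serial>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed key=value log format into a list of dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_enumerators(events, min_distinct=5, min_unknown_ratio=0.5):
    """Return {client: stats} for clients that probe many distinct serials,
    most of which the server does not recognise.

    A legitimate device retries the same serial; an enumeration attempt
    cycles through many serials and is mostly told 'unknown'.
    """
    per_client = defaultdict(lambda: {"serials": set(), "total": 0, "unknown": 0})
    for e in events:
        s = per_client[e["client"]]
        s["serials"].add(e["serial"])
        s["total"] += 1
        if e["result"] == "unknown":
            s["unknown"] += 1

    flagged = {}
    for client, s in per_client.items():
        distinct = len(s["serials"])
        ratio = s["unknown"] / s["total"]
        if distinct >= min_distinct and ratio >= min_unknown_ratio:
            flagged[client] = {
                "distinct_serials": distinct,
                "unknown_ratio": round(ratio, 2),
            }
    return flagged


if __name__ == "__main__":
    for client, stats in find_enumerators(parse_log(SAMPLE_LOG)).items():
        print(f"possible serial enumeration from {client}: {stats}")
```

The thresholds are deliberately simple; in practice the check would be run over a sliding time window and tuned against the size of the fleet, since a large onboarding batch from one network address can also produce many distinct serials (though those would mostly be recognised, keeping the unknown ratio low).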

Duo Security further warned that the weakness creates an opportunity to spy on targeted networks. "The DEP profiles contain information about the organization such as phone numbers and email addresses, which could be used to launch a social engineering attack against the organisation's help desk or IT team."

The research was unveiled at the ekoparty conference in Buenos Aires, Argentina, today. Duo Security flagged up the issue to Apple three months ago before going public at the South American hacker powwow.

Lock it down

Duo is advising Apple to move towards strong authentication of devices and to stay well away from relying on serial numbers as a sole authentication factor. Until this core issue is addressed, Apple can make life harder for baddies by rate-limiting requests to its DEP APIs, a move that would throw a spanner in the works of those trying to guess numbers by trying every possible combination.

"Additionally, Apple could strongly authenticate users as part of the DEP enrollment process, using modern authentication protocols such as SAML or OIDC," Duo Security added.

If an organisation uses DEP – a technology widely but not universally used even among all-Apple shops – authentication should be tightened up at corporate mobile device management servers so that "knowledge of a serial number alone does not allow device enrollment".
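The two mitigations above, rate-limiting enrolment requests and refusing to enrol on a serial number alone, can be enforced at the organisation's own MDM server regardless of what Apple does. The following is an added example, not Duo Security's or Apple's code and not any MDM product's API. It assumes a constructed device list, a shared HMAC secret standing in for a SAML/OIDC identity provider (the `issue_user_assertion` helper simulates what such a provider would hand back), and per-client sliding-window limits; all of these are illustrative.

```python
"""Enrolment policy gate for an MDM server.

Added example with constructed data: REGISTERED_SERIALS stands in for the
organisation's DEP-assigned device list, and the HMAC 'user assertion'
stands in for a SAML/OIDC proof of user identity so the check runs offline.
"""
import hashlib
import hmac
from collections import defaultdict, deque

SECRET = b"constructed-demo-secret"          # placeholder, not a real key
REGISTERED_SERIALS = {"SER-0001", "SER-0002"}  # constructed sample fleet
WINDOW_SECONDS = 60
MAX_ATTEMPTS_PER_WINDOW = 5

# client address -> timestamps of recent enrolment attempts (sliding window)
_attempts = defaultdict(deque)


def issue_user_assertion(serial, user):
    """Simulated IdP: mint a tag binding an authenticated user to one serial."""
    msg = f"{serial}|{user}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def assertion_valid(serial, user, tag):
    """Constant-time check that the tag was issued for this (serial, user) pair."""
    expected = issue_user_assertion(serial, user)
    return hmac.compare_digest(expected, tag or "")


def _rate_limited(client, now):
    """Count this attempt; return True if the client already hit the window limit."""
    q = _attempts[client]
    while q and now - q[0] >= WINDOW_SECONDS:
        q.popleft()
    if len(q) >= MAX_ATTEMPTS_PER_WINDOW:
        return True
    q.append(now)
    return False


def decide_enrollment(serial, client, now, user=None, assertion=None):
    """Return 'allow' or a 'deny:<reason>' string for one enrolment request."""
    if _rate_limited(client, now):
        return "deny:rate-limited"
    # A request carrying only a serial gets the same answer whether or not the
    # serial is registered, so the endpoint cannot be used as an oracle for
    # confirming guessed serials.
    if user is None or assertion is None:
        return "deny:authentication-required"
    # Only once a user assertion is present is the serial consulted, and a
    # wrong serial and a bad assertion are indistinguishable to the caller.
    if serial not in REGISTERED_SERIALS or not assertion_valid(serial, user, assertion):
        return "deny:authentication-failed"
    return "allow"


if __name__ == "__main__":
    tag = issue_user_assertion("SER-0001", "alice")
    print(decide_enrollment("SER-0001", "203.0.113.5", 0.0))                        # serial only
    print(decide_enrollment("SER-0001", "203.0.113.5", 1.0, "alice", tag))          # serial + user
```

The design choice worth noting is the response shaping: the server checks the serial only after a user assertion is presented and collapses "unknown serial" and "bad assertion" into one answer, so a serial-guessing loop learns nothing from the reply. The rate limit is per client address here; a production gate would also limit per serial and per user account.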

Duo Security said it was not calling on organisations to ditch Apple's tech, but rather to be careful about using it.

"The benefits of ensuring that devices are securely configured and managed via MDM and bootstrapping that process via DEP outweigh the risks associated with this authentication weakness," the firm concluded.

Professor Alan Woodward of Surrey University told The Register: "I've seen too many security problems caused by using only a serial number to validate not to be suspicious. But, although there might be a chance of some info leakage, maybe a foothold from which to pivot, I'm not sure how much real damage you could do." ®
