Researchers Find ‘Authentication Weakness’ in Apple’s Device Enrollment Program

Researchers from Duo Security have discovered a vulnerability (they call it an ‘authentication weakness’) in Apple’s Device Enrollment Program (DEP). The flaw was reported to Apple in May 2018. It is not considered to be a major flaw, but could potentially have serious consequences. SecurityWeek has asked Apple if it has or plans to patch or fix the issue.

DEP is used to automatically enroll Apple devices into a company’s mobile device management (MDM) server. The MDM is used to manage and configure user devices. DEP makes this enrollment process quick, simple and efficient — and is a boon to any organization with a large number of mobile devices. “Users,” comments Duo, “can unbox their new device and be ready to go on day one. If they purchase devices directly from Apple or an authorized reseller, they can have a zero-touch configuration of the endpoint as it is booted up for the first time.”

The issue discovered by Duo resides in an undocumented private DEP API that Apple devices use to request their DEP profile. The profile contains information about the organization that owns the device (email address, phone number, postal address and the MDM enrollment number), and retrieving it requires only a valid serial number as authentication: the process assumes that the device sending the serial number is the device that owns it.

“This is problematic,” write the researchers in a report published today by Duo Labs, “because an attacker armed with only a valid, DEP-registered serial number can potentially enroll a rogue device into an organization’s MDM server, or use the DEP API to glean information from enrolled devices.”

The serial numbers are predictable and constructed using a well-known schema. They were never meant to be secret — just unique. It means that attackers do not have to find inadvertently leaked serial numbers but can instead generate valid serial numbers and use the DEP API to test if they are registered with DEP.

“The main problem here,” James Barclay, senior R&D engineer at Duo Security, told SecurityWeek, “is that serial numbers were never meant to be secret. But it’s not the end of the world. We don’t see this as so much of a problem that people should stop using DEP. The benefits of having devices managed through Apple’s MDM and using DEP to make enrollment a smooth process for end users, outweigh the risks.”

This flaw doesn’t lead directly to a breach situation, but still has its dangers. Those dangers, he continued, depend on how the organization has set up its MDM server. “If the MDM-provided configuration data includes a support desk help number, then the attacker could call support, identify himself with the serial number he already knows, and attempt to socially engineer a more useful position. Potentially more serious, if the MDM is set up to deliver wifi configuration including the wifi password, or perhaps the corporate VPN password, then this will fall into the hands of the attacker.”

But there are remediation steps an organization can take regardless of whether Apple does anything. “Primarily,” said Barclay, “organizations should implement a requirement for user authentication prior to enrollment with the MDM. If this is not possible, the MDM could simply install a single app at the beginning of the process. The app could require out-of-band user authentication prior to delivering any further configuration. This would minimize any possibility of an attacker enrolling a rogue device.”

The problem at the moment is that in many cases customers don’t require user authentication prior to MDM enrollment, and they’re also deploying things like wifi passwords and VPN configuration data directly through MDM. 
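The weakness and the mitigation Duo describes, modeled as an added example (this is not Apple’s, Duo’s or any MDM vendor’s code, and the private DEP API itself is not reproduced): a toy profile server that hands out everything in exchange for a registered serial, an enumerator that probes it with schema-generated serials, and a hardened variant that returns only a bootstrap stub until the user has authenticated out of band. The serial schema, the registered serials, the profile contents and the user directory are constructed; the serial-bound HMAC token is a stand-in for whatever session mechanism a real MDM uses, and the hardware-backed device identity mentioned later in the article is not modeled.

```python
import hashlib
import hmac
import itertools
import secrets
import string

# Constructed data. The serial schema is an assumption for this example:
# a fixed 10-character prefix followed by 2 characters from ALPHABET.
ALPHABET = string.digits + string.ascii_uppercase
SERIAL_PREFIX = "C02XK1ABC3"
REGISTERED_SERIALS = {"C02XK1ABC3DE", "C02XK1ABC37F", "C02XK1ABC3Z1"}

# Constructed MDM data. The Wi-Fi PSK and VPN password stand for the payloads
# the article says some organizations push through MDM without user auth.
DEP_PROFILE = {
    "org_name": "Example Corp",
    "support_phone": "+1-555-0100",
    "mdm_url": "https://mdm.example.com/enroll",
}
SENSITIVE_PAYLOADS = {"wifi_psk": "corp-wifi-secret", "vpn_password": "corp-vpn-secret"}

# Constructed user directory (plaintext for brevity; a real MDM would defer
# to an identity provider).
USERS = {"alice": "correct horse battery staple"}


def dep_profile_weak(serial):
    """Model of the weakness: the only 'credential' is the serial number, so a
    registered serial is enough to receive the profile and everything the MDM
    pushes with it. Returns None for serials that are not DEP-registered."""
    if serial not in REGISTERED_SERIALS:
        return None
    return {**DEP_PROFILE, **SENSITIVE_PAYLOADS}


def enumerate_registered(oracle, prefix, width):
    """Attacker view: serials follow a schema and were never secret, so
    generate candidates and let the endpoint confirm which ones are enrolled."""
    found = set()
    for tail in itertools.product(ALPHABET, repeat=width):
        candidate = prefix + "".join(tail)
        if oracle(candidate) is not None:
            found.add(candidate)
    return found


class HardenedMDM:
    """Duo's recommended mitigation: the DEP-side response carries nothing
    sensitive, and Wi-Fi/VPN payloads are released only after a user has
    authenticated out of band for that specific serial."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # server-side MAC key, never sent
        self._pending = set()                 # serials that fetched the stub

    def dep_profile(self, serial):
        """Same serial-only lookup, but the answer is a bootstrap stub."""
        if serial not in REGISTERED_SERIALS:
            return None
        self._pending.add(serial)
        return {"mdm_url": DEP_PROFILE["mdm_url"], "requires_user_auth": True}

    def _token(self, serial, username):
        msg = f"{serial}|{username}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def authenticate_user(self, serial, username, password):
        """Out-of-band step. Returns an enrollment token bound to this serial
        and user, or None. The password comparison is constant-time."""
        expected = USERS.get(username)
        if serial not in self._pending or expected is None:
            return None
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        return self._token(serial, username)

    def sensitive_config(self, serial, username, token):
        """Releases the sensitive payloads only to a holder of a valid token
        for this serial; a token minted for another device is rejected."""
        if token is None or not hmac.compare_digest(self._token(serial, username), token):
            return None
        return dict(SENSITIVE_PAYLOADS)


if __name__ == "__main__":
    leaked = enumerate_registered(dep_profile_weak, SERIAL_PREFIX, 2)
    print(f"weak endpoint confirmed {len(leaked)} registered serials: {sorted(leaked)}")
    mdm = HardenedMDM()
    print("hardened stub:", mdm.dep_profile("C02XK1ABC3DE"))
    token = mdm.authenticate_user("C02XK1ABC3DE", "alice", USERS["alice"])
    print("after user auth:", mdm.sensitive_config("C02XK1ABC3DE", "alice", token))
    print("token replayed for another serial:", mdm.sensitive_config("C02XK1ABC37F", "alice", token))
```

The hardened stub deliberately withholds even the support phone number Barclay mentions, since that is what an attacker would use to social-engineer the help desk; the MDM URL is the minimum the device needs to continue enrollment, and nothing more is released until a credential the serial number cannot substitute for has been presented.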

The problem might simply go away on future Apple devices. Newer devices include T1 or T2 cryptographic chips, and it would be possible to cryptographically identify individual devices within their Secure Enclave. “This could provide cryptographic assurance of the identity of a given device,” write the researchers, “before enrolling it into an organization’s MDM server via DEP.”

Duo is not aware of any remedial steps being taken or planned by Apple. “We don’t know and haven’t been told whether Apple has any plans to solve the issue themselves,” said Barclay. “We don’t know of any direct fixes that have been put in place yet. It’s possible that some of the mitigations could be implemented server-side without actually requiring a patch to the endpoint.” 

This is not the first DEP/MDM flaw to be disclosed. Jesse Endahl, CPO and CSO at macOS management firm Fleetsmith, and Max Belanger, staff engineer at Dropbox, showed at Black Hat in August 2018 that an MitM could intercept applications being sent from the MDM to the device.

Although SecurityWeek asked Apple for a comment on the latest issue, no response had been received at the time of writing. If we do get a statement, it will be appended to this article. Two days ago, Patrick Wardle (co-founder and chief research officer of enterprise macOS security company Digita Security) disclosed, without details, a vulnerability in the newly released macOS Mojave allowing a malicious app to obtain data from the user’s address book without having the necessary permissions.

Cloud-based identity and access management solutions provider Duo Security was acquired by Cisco for $2.35 billion in August 2018. The previous October, Duo had raised $70 million in Series D funding that valued the company at $1.17 billion at that time.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
