An obscure flaw in Apple’s Device Enrollment Program (DEP) may make it possible for determined hackers to access enterprise networks, though the solution is quite straightforward.
Serial number spoofing
Duo Security researchers say they’ve figured out how to enroll a rogue device onto an enterprise’s mobile device management (MDM) system if the business has failed to enable authentication on devices enrolled on the system.
To make this work, attackers need to get hold of a valid serial number for an Apple device that is registered to Apple’s Device Enrollment Program (DEP) but not yet set up on the company’s MDM server, they said.
The researchers say a determined attacker may prowl online forums, use sophisticated phishing attacks to obtain such information, or even use brute force attacks in which random serial numbers are generated. (They claim to have created a program that does this.)
When a valid serial is identified, the attacker can spoof the system into letting them register their own rogue device onto the MDM network and then use this device as a means to penetrate enterprise security.
They can use the hack to retrieve details such as an organization’s address, phone number, and email addresses.
My big takeaway here is that if you are in the job of managing MDM devices on a secure network, you should immediately put a stop to publishing valid serial numbers online.
Secret (bad) agents
I’ve simplified the Duo Security report, but you can read it for yourself here.
Apple has been informed of this chink in its armor, but hasn’t acted yet, the researchers claim.
Subsequent reports point out that Apple itself warns organizations to apply strong security measures to limit such attacks, including use of user authentication during set up.
It is important to recognize that enterprise IT doesn’t just face random attacks from independent hackers, such as the young teenager who broke into Apple’s systems; it also faces highly organized attacks from well-resourced groups — some of which are state-sponsored.
We live in an environment in which small flaws in security protection such as that described by Duo Security must be identified.
This is because the most highly organized attackers are incredibly sophisticated, and this kind of complex invasion of a company’s network seems a useful route for anyone engineering an advanced persistent threat (APT) scenario.
(Though undermining less-secured devices on the edge is much easier to achieve than using Apple systems as a portal.)
Advanced persistent threats are those in which attackers stealthily get inside enterprise networks and remain in those networks for a long period to steal data, create fake identities, and otherwise subvert computer systems.
Security is an infinite war.
That the exploits identified against Apple systems tend to be quite challenging or obscure reflects well on how secure those systems are, but complacency is no excuse for enterprise users.
They already know that almost half of all international enterprises have been targeted by cyber crime, and the attack vectors used in these attacks are becoming increasingly complex.
The recent surge in attacks against Office 365 reflects a recent trend in which criminals attempt to use cloud service APIs to create complex routes to subvert enterprise security.
The relatively recently disclosed “Dark Caracal” threat attacks Mac, Linux and Windows systems in different ways all from within one small piece of multi-platform malware.
We’ve all heard stories of how criminals target small suppliers to large enterprises in order to leapfrog into enterprise networks or infect manufactured devices.
How to prevent attacks via Apple’s Device Enrollment Program flaw
In the case of the Apple Device Enrollment flaw identified by Duo Security, the solutions are relatively straightforward:
- Keep serial numbers private.
- Monitor networks for unusual activity such as the signs of brute force attacks.
- Enforce authentication on any MDM server used with DEP.
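The second item above, monitoring for signs of brute force, is the one that most benefits from a concrete check. The following is an added example written for this page, not code from Duo Security, Apple or any MDM vendor. It assumes a constructed, labelled log format for the enrollment endpoint (`timestamp src=… serial=… status=… reason=…`); real MDM servers log differently, so the `parse()` function is the part to adapt. It flags any source that submits many distinct rejected serial numbers in a short window, and then lists any enrollment that later succeeded from that same source, since a serial that was "found" by guessing is exactly the kind of newly enrolled device the zero-trust advice in the text applies to.

```python
"""Flag serial-number probing against a DEP/MDM enrollment endpoint.

Added example, not part of the original article or the Duo report. The log
format below is a constructed placeholder, as are all serials and addresses
(TEST-NET ranges); replace parse() with one for your MDM server's own logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). One source cycles through
# unknown serials and then enrolls successfully; another behaves normally.
SAMPLE_LOG = """\
2018-09-27T10:00:01Z src=203.0.113.7 serial=C02AAAA00001 status=rejected reason=unknown_serial
2018-09-27T10:00:02Z src=203.0.113.7 serial=C02AAAA00002 status=rejected reason=unknown_serial
2018-09-27T10:00:03Z src=203.0.113.7 serial=C02AAAA00003 status=rejected reason=unknown_serial
2018-09-27T10:00:04Z src=203.0.113.7 serial=C02AAAA00004 status=rejected reason=unknown_serial
2018-09-27T10:00:05Z src=203.0.113.7 serial=C02AAAA00005 status=rejected reason=unknown_serial
2018-09-27T10:00:06Z src=203.0.113.7 serial=C02AAAA00006 status=enrolled reason=-
2018-09-27T10:05:00Z src=198.51.100.9 serial=C02BBBB00001 status=enrolled reason=-
2018-09-27T11:30:00Z src=198.51.100.9 serial=C02BBBB00002 status=rejected reason=unknown_serial
this line is malformed and must be skipped, not crash the monitor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) serial=(?P<serial>\S+) "
    r"status=(?P<status>\S+) reason=(?P<reason>\S+)$"
)


def parse(text):
    """Turn the (hypothetical) log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate noise; a monitor should not die on one bad line
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_serial_probing(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source that sent at least `threshold` distinct
    rejected serials inside any `window`-long span. Each alert also lists
    serials that enrolled successfully from that source after probing began,
    so they can be quarantined rather than trusted on sight."""
    by_src = defaultdict(list)
    for event in events:
        by_src[event["src"]].append(event)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        rejected = [e for e in evs if e["status"] == "rejected"]

        # Sliding window over the rejections, oldest to newest.
        probe_start = None
        start = 0
        for end in range(len(rejected)):
            while rejected[end]["ts"] - rejected[start]["ts"] > window:
                start += 1
            distinct = {e["serial"] for e in rejected[start:end + 1]}
            if len(distinct) >= threshold:
                probe_start = rejected[start]["ts"]
                break

        if probe_start is not None:
            suspect = [
                e["serial"] for e in evs
                if e["status"] == "enrolled" and e["ts"] >= probe_start
            ]
            alerts.append({
                "src": src,
                "distinct_rejected": len(distinct),
                "suspect_enrollments": suspect,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_serial_probing(parse(SAMPLE_LOG)):
        print(f"{alert['src']}: {alert['distinct_rejected']} distinct unknown "
              f"serials; enrolled after probing: {alert['suspect_enrollments']}")
```

The threshold and window are deliberately conservative placeholders; tune them against your own enrollment volume. The useful output is not just the source address but the list of devices that enrolled from it after the probing started, which is what an administrator would hold back from receiving privileges until the device has been verified out of band.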
It is also worth adopting a zero-trust approach to newly enrolled devices, assigning privileges in a separate step from the initial set-up. Use of more sophisticated MDM solutions, such as those from Jamf, may also help.
However, in an environment characterized by multiple attack vectors and highly sophisticated bad actors, good security practice demands supplementing the world’s best platform security with informed security awareness and constant vigilance.