Researchers Find 'Authentication Weakness' in Apple's Device Enrollment Program
28.9.2018 securityweek Apple
Researchers from Duo Security have discovered a vulnerability (they call it an 'authentication weakness') in Apple's Device Enrollment Program (DEP). The flaw was reported to Apple in May 2018. It is not considered to be a major flaw, but could potentially have serious consequences. SecurityWeek has asked Apple if it has or plans to patch or fix the issue.
DEP is used to automatically enroll Apple devices into a company's mobile device management (MDM) server. The MDM is used to manage and configure user devices. DEP makes this enrollment process quick, simple and efficient -- and is a boon to any organization with a large number of mobile devices. "Users," comments Duo, "can unbox their new device and be ready to go on day one. If they purchase devices directly from Apple or an authorized reseller, they can have a zero-touch configuration of the endpoint as it is booted up for the first time."
The issue discovered by Duo resides in an undocumented private DEP API that Apple devices use to request their DEP profile. To retrieve the DEP profile, which contains information about the organization that owns the device (email address, phone number, postal address and the MDM enrollment number), the API requires only a valid device serial number as authentication: the process assumes that the device sending the serial number is the device the serial number belongs to.
"This is problematic," write the researchers in a report published today by Duo Labs, "because an attacker armed with only a valid, DEP-registered serial number can potentially enroll a rogue device into an organization's MDM server, or use the DEP API to glean information from enrolled devices."
The serial numbers are predictable and constructed using a well-known schema. They were never meant to be secret, just unique. This means attackers do not need to find inadvertently leaked serial numbers; they can instead generate candidate serial numbers and use the DEP API to test whether each one is registered with DEP.
"The main problem here," James Barclay, senior R&D engineer at Duo Security, told SecurityWeek, "is that serial numbers were never meant to be secret. But it's not the end of the world. We don't see this as so much of a problem that people should stop using DEP. The benefits of having devices managed through Apple's MDM and using DEP to make enrollment a smooth process for end users, outweigh the risks."
This flaw doesn't lead directly to a breach, but it still has its dangers. Those dangers, he continued, depend on how the organization has set up its MDM server. "If the MDM-provided configuration data includes a support desk help number, then the attacker could call support, identify himself with the serial number he already knows, and attempt to socially engineer a more useful position. Potentially more serious, if the MDM is set up to deliver wifi configuration including the wifi password, or perhaps the corporate VPN password, then this will fall into the hands of the attacker."
But there are remediation steps an organization can take regardless of whether Apple does anything. "Primarily," said Barclay, "organizations should implement a requirement for user authentication prior to enrollment with the MDM. If this is not possible, the MDM could simply install a single app at the beginning of the process. The app could require out-of-band user authentication prior to delivering any further configuration. This would minimize any possibility of an attacker enrolling a rogue device."
The problem at the moment is that in many cases customers don't require user authentication prior to MDM enrollment, and they're also deploying things like wifi passwords and VPN configuration data directly through MDM.
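To make the trust problem concrete, here is an added Python model (not Apple's, Duo's or any MDM vendor's code) of the two enrollment flows the article contrasts, plus a simple detector for the serial-guessing the researchers describe. The serial format, IP addresses, organization data and log lines are all constructed for illustration, and the token scheme is one way to implement Barclay's "user authentication prior to enrollment" advice, not a description of any product.

```python
"""Toy model of DEP-style profile delivery: serial-only trust versus
token-gated enrollment, and a detector for serial enumeration.
Added example; not Apple's or Duo's code. All data is constructed."""
import hmac
import secrets
from collections import defaultdict

# Constructed: serials an organization has registered, and the configuration
# the MDM hands out on enrollment (the kind of data Duo warns can leak).
REGISTERED = {
    "C02ABC1234XY": {"org": "Example Corp", "support": "+1-555-0100",
                     "wifi_psk": "corp-wifi-secret"},
    "C02ABC1235XY": {"org": "Example Corp", "support": "+1-555-0100",
                     "wifi_psk": "corp-wifi-secret"},
}


def lookup_profile_weak(serial):
    """Models the weakness: the serial is the only credential, so anyone who
    knows or guesses a registered serial receives the whole profile."""
    return REGISTERED.get(serial)


# Hardened flow (assumed design): the MDM issues a single-use enrollment
# token bound to a serial only after the user has authenticated out of band.
_PENDING = {}   # serial -> token issued after user authentication


def issue_enrollment_token(serial, user_authenticated):
    """Return a fresh token only for a registered serial and an authenticated user."""
    if not user_authenticated or serial not in REGISTERED:
        return None
    token = secrets.token_urlsafe(32)
    _PENDING[serial] = token
    return token


def lookup_profile_hardened(serial, token):
    """Deliver the profile only for a valid, unused token bound to this serial."""
    expected = _PENDING.get(serial)
    if expected is None or token is None:
        return None
    if not hmac.compare_digest(expected, token):   # constant-time comparison
        return None
    del _PENDING[serial]                            # single use
    return REGISTERED[serial]


# Constructed request log: "source_ip serial http_status". A legitimate device
# asks for exactly one serial (its own); an enumerator walks through many.
SAMPLE_LOG = [
    "10.0.0.5 C02ABC1234XY 200",
    "203.0.113.9 C02ABC1230XY 404",
    "203.0.113.9 C02ABC1231XY 404",
    "203.0.113.9 C02ABC1232XY 404",
    "203.0.113.9 C02ABC1233XY 404",
    "203.0.113.9 C02ABC1234XY 200",
    "10.0.0.6 C02ABC1235XY 200",
]


def detect_enumeration(log_lines, min_distinct=3):
    """Flag sources that query at least min_distinct different serials.
    Returns {source_ip: number_of_distinct_serials} for flagged sources."""
    seen = defaultdict(set)
    for line in log_lines:
        src, serial, _status = line.split()
        seen[src].add(serial)
    return {ip: len(s) for ip, s in seen.items() if len(s) >= min_distinct}


if __name__ == "__main__":
    print("weak:", lookup_profile_weak("C02ABC1234XY"))
    tok = issue_enrollment_token("C02ABC1234XY", user_authenticated=True)
    print("hardened, no token:", lookup_profile_hardened("C02ABC1234XY", None))
    print("hardened, token:", lookup_profile_hardened("C02ABC1234XY", tok))
    print("enumerators:", detect_enumeration(SAMPLE_LOG))
```

The weak lookup is the behaviour the article describes: a guessed serial is enough. The hardened lookup answers nothing until a user has authenticated and the resulting token is presented, and a token works once, so a rogue device cannot replay it. The detector is deliberately simple, since a single source walking through sequential serials is the signal the predictable schema creates.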
The problem might simply go away on future Apple devices. Newer devices include T1 or T2 security chips with a Secure Enclave, which could be used to cryptographically identify individual devices. "This could provide cryptographic assurance of the identity of a given device," write the researchers, "before enrolling it into an organization's MDM server via DEP."
Duo is not aware of any remedial steps being taken or planned by Apple. "We don't know and haven't been told whether Apple has any plans to solve the issue themselves," said Barclay. "We don't know of any direct fixes that have been put in place yet. It's possible that some of the mitigations could be implemented server-side without actually requiring a patch to the endpoint."
This is not the first DEP/MDM flaw to be disclosed. Jesse Endahl, CPO and CSO at macOS management firm Fleetsmith, and Max Belanger, staff engineer at Dropbox, showed at Black Hat in August 2018 that a man-in-the-middle attacker could intercept applications being sent from the MDM to the device.
Although SecurityWeek asked Apple for a comment on the latest issue, no response had been received at the time of writing. If we do get a statement, it will be appended to this article. Two days ago, Patrick Wardle (co-founder and chief research officer of enterprise macOS security company Digita Security) disclosed, without details, a vulnerability in the new macOS Mojave release that allows a malicious app to obtain data from the user's address book without having the necessary permissions.
Cloud-based identity and access management solutions provider Duo Security was acquired by Cisco for $2.35 billion in August 2018. In the previous October, Duo raised $70 million in Series D funding that valued the company at $1.17 billion at that time.