Apple#039;s Device Enrollment Program vulnerable to attack over device serial authentication

The Device Registration Program (DEP) is a service provided by Apple so that companies can manage and configure users' devices for use on the network, including device installation. Application and specific configuration parameters. Once configured, the device can be managed by the company's Mobile Device Management (MDM) server.

According to the document of Duo Security, the analysis of undocumented DEP API found that an attacker could acquire important information about the structure of the organization such as telephone number and e-mail address. Company's IT support team.

Prior to registration, DEP uses only the serial number of the device to authenticate the service, while the MDM protocol supports user authentication before registration MDM registration, but it is not mandatory. Because user authentication is optional, in many organizations, device registration is only protected by serial number, so we decided not to implement it in the process.

Unlike a combination of user name and password, the serial number is not confidential information, so the registered device number may be found online from other violations. An attacker can also use an established rule to create a valid serial number and test against the DEP API to see if it is registered on the server.

"An attacker with only a valid DEP registration serial number can use this ID to query the DEP API for organization information," James Barclay wrote. , Duo. Or, in configurations where the associated MDM server does not apply additional authentication, a malicious actor could potentially register any device to the organization's MDM server.

Barclay suggests that registration may have important consequences, such as allowing access to corporate private resources and full VPN access to internal systems.

The overall size or scope of the problem is unknown, but it affects each customer using Apple's DEP service. It should be noted that it is not …

Hope you like the news Apple#039;s Device Enrollment Program vulnerable to attack over device serial authentication. Stay Tuned For More Updates 🙂

Compsmag