Apple’s business and scholastic device management service, the Device Enrollment Program (DEP), suffers from a significant security hole that could impact organizations yet has remained unpatched for months after its discovery. Duo Security published its findings today after reporting the issue to Apple on May 16, and believes it affects every customer using the DEP service.
Duo’s report claims that DEP’s weak authentication enables attackers to use nothing more than an Apple serial number to link a device to an organization’s mobile device management server, which could then share existing DEP profile information — including phone numbers and email addresses — with the attacker. According to Duo, DEP thereby exposes organizations to the potential of both “rogue devices” and social engineering attacks leveraging acquired details to gain further access to a network.
Apple’s DEP is used by enterprises, educational institutions, and other organizations to offer zero-touch setup for users, linking multiple devices to a central server for configuration and content sharing. In the name of simplicity, DEP can give new devices full access with nothing more than the serial number — a non-private detail that can be copied from a device or artificially generated quite easily — rather than requiring a second factor for authentication.
The simple solution is to add mandatory two-factor authentication to DEP, but Duo also suggests that Apple add rate limits for device authentication requests and reduce information conveyed back by DEP to registrants’ devices. For the time being, the firm suggests that organizations using DEP require additional authentication on their mobile device management servers and assume a “zero-trust” strategy for sharing information with enrolled devices.
As over four months have elapsed since the initial Duo report to Apple was acknowledged by the company, it’s unclear when the security hole will be patched. Duo will be presenting its findings publicly at the Ekoparty Security Conference tomorrow.