Apple's Device Enrollment Program vulnerable to attack over device serial authentication

Apple's Device Enrollment Program, used by businesses to provision iPhones and iPads with an internal device management server, is claimed to have a weakness in its authentication that could allow an attacker to learn internal information about an organization.

The Device Enrollment Program (DEP) is a service offered by Apple to allow companies to manage and configure a user's device for use on a network, including installing specific applications and configuration settings the user will require in their work. Once set up, devices can then be managed by a company's Mobile Device Management (MDM) server.

According to a paper from Duo Security, analysis of undocumented DEP APIs led to the discovery that an attacker could potentially acquire vital details about an organization's structure, including phone numbers and email addresses, which could be used to perform a social engineering attack against employees or the firm's IT support team.

DEP was found to use only a device's serial number to authenticate it to the service prior to enrollment. The MDM protocol does support user authentication before MDM enrollment, but it is not required, and because it is optional many organizations apparently leave it out of their process, leaving device enrollment protected only by serial numbers.

Unlike username and password combinations, serial numbers are not secret: the numbers for registered devices could potentially be found online from other breaches. An attacker could also use established rules to make up what seems to be a valid serial number, which could then be tested against the DEP API to check whether it is registered to the server.

"An attacker armed with only a valid DEP-registered serial number can use it to query the DEP API to glean organizational information," writes Duo's James Barclay. "Or in configurations where an associated MDM server does not enforce additional authentication, a malicious actor can potentially enroll an arbitrary device into an organization's MDM server."

Barclay goes on to suggest the enrollment can have significant consequences, including allowing access to a company's private resources, or even full VPN access to internal systems.

The full size or scope of the issue is unknown, but it affects every customer using Apple's DEP service. Not every Apple enterprise customer that deploys Apple services on its corporate network uses DEP, however.

The issue was disclosed in the usual way security findings are reported to firms: Apple was informed on May 16 and acknowledged the report the following day. The research was published on September 27, and is due to be publicly disclosed at the ekoparty Security Conference on Friday.

Duo Security recommended that Apple ensure strong authentication of devices and not rely on serial numbers as a sole authentication factor. It also advised Apple to implement rate limits on requests, limit the data returned by API endpoints, and change the DEP process to authenticate users with protocols such as SAML or OIDC.

Organizations are advised to enforce authentication on MDM servers used with DEP, so that a serial number alone cannot enroll a device. Adopting a "zero-trust approach" is also suggested, to ensure that the privileges granted to DEP-enrolled devices are not excessive.
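To make the recommendations above concrete, here is an added example (not Duo's research code and not Apple's DEP implementation) that models a DEP-style enrollment lookup in two forms: a serial-only lookup that hands back the whole organizational record and answers differently for registered and unregistered serials, and a hardened service that checks user authentication before the serial is consulted, rate-limits requests per client, and returns only the MDM URL the device needs to enroll. The registry, serial numbers, contact details, the `SlidingWindowLimiter` and `HardenedEnrollmentService` classes, and the HMAC token that stands in for a SAML/OIDC assertion are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

# Constructed registry standing in for DEP's device-to-organisation mapping.
# Serials and contact details are invented placeholders, not real devices.
REGISTRY = {
    "SERIAL-EXAMPLE-0001": {
        "org": "Example Corp",
        "mdm_url": "https://mdm.example.test/enroll",
        "phone": "+1-555-0100",
        "email": "it-support@example.test",
    },
    "SERIAL-EXAMPLE-0002": {
        "org": "Example Corp",
        "mdm_url": "https://mdm.example.test/enroll",
        "phone": "+1-555-0101",
        "email": "helpdesk@example.test",
    },
}


def lookup_weak(serial):
    """Serial-only authentication: whoever presents a registered serial gets the
    whole record, contact details included, and an unregistered serial gives a
    distinguishable 'not found', so the endpoint doubles as a registration oracle."""
    return REGISTRY.get(serial)


class SlidingWindowLimiter:
    """Allow at most max_requests per key within any window_seconds span (hypothetical)."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:  # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


class HardenedEnrollmentService:
    """Hypothetical hardened lookup: user authentication is verified before the
    serial is consulted, requests are rate-limited per client, and the response
    carries only what enrollment needs."""

    def __init__(self, limiter, signing_key=None):
        self.limiter = limiter
        self._key = signing_key or secrets.token_bytes(32)

    def issue_user_token(self, username):
        # Stands in for the SAML/OIDC assertion an identity provider would issue.
        mac = hmac.new(self._key, username.encode(), hashlib.sha256).hexdigest()
        return f"{username}.{mac}"

    def verify_user_token(self, token):
        username, _, mac = token.rpartition(".")
        if not username:
            return None
        expected = hmac.new(self._key, username.encode(), hashlib.sha256).hexdigest()
        return username if hmac.compare_digest(mac.encode(), expected.encode()) else None

    def lookup(self, serial, user_token, client_id, now):
        if not self.limiter.allow(client_id, now):
            return {"error": "rate_limited"}
        if self.verify_user_token(user_token) is None:
            # Identical answer for registered and unregistered serials: no oracle.
            return {"error": "authentication_required"}
        record = REGISTRY.get(serial)
        if record is None:
            return {"error": "not_found"}
        return {"mdm_url": record["mdm_url"]}  # minimal disclosure: no phone, email or org


if __name__ == "__main__":
    service = HardenedEnrollmentService(SlidingWindowLimiter(max_requests=3, window_seconds=60))
    print("weak:", lookup_weak("SERIAL-EXAMPLE-0001"))
    print("no user auth:", service.lookup("SERIAL-EXAMPLE-0001", "", "client-a", now=0))
    token = service.issue_user_token("alice")
    print("authenticated:", service.lookup("SERIAL-EXAMPLE-0001", token, "client-a", now=1))
```

Two design choices carry the security point: the authentication check runs before the registry is consulted, so an unauthenticated caller learns nothing about whether a serial is registered, and the rate limiter counts unauthenticated requests too, so guessing serials against the endpoint is throttled rather than free.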


  • Reply 1 of 5
    Whilst the general nature of the comments from Duo is valid (i.e. the serial number isn't a strong secret), it's pretty rare to see organisations doing MDM without the user authenticating.

    The only places I’ve seen it are for:

    - shared devices where there’s no personalisation, and little data access at all - e.g. Kiosks
    - Microsoft Intune was the MDM - this may have changed but it used to require 2FA to log in to Azure AD, which means you could not authenticate a user in the setup assistant, so they'd do a generic setup without authentication.

    In theory MDM vendors can set up authentication however they want, e.g. the MDM could implement one-time passwords for device setup of shared devices (although most are just expecting the user to present AD credentials).

  • Reply 2 of 5
    Breaking news: Not using a password on your device allows anyone to access your data.
    SpamSandwich (edited September 2018)
  • Reply 3 of 5
    Wait a second. So they need to find your device serial number first? How are they going to acquire this?

    Oh, I see....

    "the numbers for registered devices could potentially be found online from other breaches"

    So IF there happens to be a breach of serial numbers for a batch of iPhones AND IF you manage to test that batch of serial numbers to see if any have been registered, THEN you can get access to the company resources?
  • Reply 4 of 5
    TomE Posts: 168, member
    There are always people who like to steal.

    Consider Phone Employees, as said, Device Enrollment Employees, etc.
    I just looked and the IMEI and Serial Number are on a label on the outside of the box of a new Apple Product. I suppose it could be scanned as it passes through customs, FedEx, etc.

    Who Knows.  I sure don't.

  • Reply 5 of 5
    Futile attempt to create FUD by a stupid "paper" trying to exploit the obscure meanings of acronyms.

    First of all, Apple is not a MDM (Mobile Device Management) solution seller nor does it do MDM for companies. Security, authentication etc. are to be configured at the device level and MDM level and this is totally the company's job, Apple has no business with that. All Apple does is the acknowledgement "we recognize those said devices as managed by your MDM servers" nothing more. The only information DEP stores about a company's "organizational structure" is the email address and location (if any) of the personnel added as "DEP administrator" by that company. And if an intrusion can utilize the DEP API using a valid serial number, as claimed by the "paper", the only data it can get is that "DEP Administrator" email address (provided that the DEP API allows that, again no specifics given). Aren't you the security guy? Then monitor that admin address against phishing emails, what are you paid for?
