Researchers have noted a lack of authentication in the Apple Device Enrollment Program that could allow a malicious actor to steal Wi-Fi passwords and VPN configurations.
The vulnerability was uncovered by Duo Labs, which found that Apple’s Device Enrollment Program (DEP) has an authentication weakness that can be exploited when organizations use Apple’s mobile device management (MDM) server. The problem centers on how some undocumented DEP APIs communicate when a device is being enrolled with the DEP service.
“Through this research, we found that because of the way DEP is implemented, it only uses a device's serial number to authenticate to the service prior to enrollment,” Duo said, adding that there are several problems surrounding these numbers.
First, not every company attempts to keep the serial numbers of its mobile devices secret, and they can often be found online. Second, many serial numbers are somewhat easy to decipher because they often follow a set pattern or are issued in sequence.
Once a valid serial number is derived, possibly through a brute-force method of feeding multiple numbers into an MDM, a malicious actor can enroll an arbitrary device into an MDM, potentially giving the attacker access to internal information.
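One way to spot the serial-number guessing described above from the defender's side, as an added example that is not from Duo's research or Apple's tooling. It assumes the MDM server logs each enrollment request as (timestamp, source address, serial, accepted), which is a hypothetical format; the thresholds and sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample():
    """Constructed enrollment log: (timestamp, source, serial, accepted)."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)  # arbitrary constructed start time
    # One source walking sequential placeholder serials; exactly one is accepted.
    events = [(t0 + timedelta(seconds=2 * i), "198.51.100.7",
               f"SERIAL{i:06d}", i == 17) for i in range(30)]
    # Two ordinary enrollments, each from its own source with a single serial.
    events.append((t0 + timedelta(minutes=1), "203.0.113.20", "SERIALA00001", True))
    events.append((t0 + timedelta(minutes=3), "203.0.113.21", "SERIALA00002", True))
    return events


def flag_serial_enumeration(events, window=timedelta(minutes=5),
                            max_distinct=10, max_reject_ratio=0.5):
    """Flag sources that try many distinct serials in one window, mostly rejected.

    For each flagged source, report the busiest window and the serials that
    were accepted in it, since those device records need review.
    """
    by_source = defaultdict(list)
    for ts, source, serial, accepted in sorted(events):
        by_source[source].append((ts, serial, accepted))

    findings = {}
    for source, rows in by_source.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            serials = {s for _, s, _ in span}
            rejected = sum(1 for _, _, ok in span if not ok)
            if len(serials) <= max_distinct or rejected / len(span) <= max_reject_ratio:
                continue
            best = findings.get(source)
            if best is None or len(serials) > best["distinct_serials"]:
                findings[source] = {
                    "distinct_serials": len(serials),
                    "rejected": rejected,
                    "accepted": sorted({s for _, s, ok in span if ok}),
                }
    return findings


if __name__ == "__main__":
    for src, info in flag_serial_enumeration(make_sample()).items():
        print(src, info)
```

The `accepted` list is the part to act on: any serial that was accepted during a flagged window belongs to an enrollment that should be reviewed.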