portablemopa.blogg.se

Apple serial number authentication









While some of that information may not be considered sensitive, it is valuable for the attacker interested in collecting as much information as possible while planning an attack. When the DEP service receives a request with the serial number, it returns the device’s activation record, which contains information such as the organization’s address, phone number, and email address. “An attacker armed with only a valid DEP-registered serial number can use it to query the DEP API to glean organizational information,” said James Barclay, a senior R&D engineer at Duo Labs. That information can be used by the attacker to plan future attacks. A potential attacker with a device’s serial number (which can be found in any number of ways, because serial numbers aren’t intended to be secret) can query the DEP API to discover information about the enrolled devices. Knowing that device X is enrolled is useful information.

Duo Labs researchers found that DEP relied on the device’s serial number to authenticate to the server.


DEP, the service provided by Apple to help organizations use MDM for Apple devices, makes that automatic recognition possible. The employee would be able to step through the self-service process to enroll the device through the organization’s MDM server and receive configuration settings, passwords, and certificates necessary for the network.


In such an organization, employees would power on their Apple device, such as an iPhone, MacBook, or iPad, and it would be automatically recognized. That rogue device would make it easier for the attacker to move around within the organization’s network.

An administrator would want to automate the process of issuing new devices to employees and getting them set up with organization-specific settings and applications as much as possible. Researchers have identified a weakness in Apple’s Device Enrollment Program (DEP) which attackers can potentially abuse to enroll any device into an organization’s mobile device management (MDM) server.










