Mobile device management (MDM) systems are often used by organizations to manage the security of employees' devices. But security researchers have found that the interface provided by Apple to enroll Apple devices in an MDM system can also be used to potentially introduce rogue devices into those systems and gain trusted access to enterprise systems—just by spoofing the serial number of an already enrolled device.
In a paper released today, Duo Senior Research and Development Engineer James Barclay, along with researchers Pepijn Bruienne and Todd Manning, have demonstrated an exploit of Apple's mobile device management (MDM) enrollment interface, the Device Enrollment Protocol (DEP). By spoofing serial numbers of enrolled devices, attackers could connect malicious devices to corporate MDM systems and gain trusted status on their networks or mine valuable information about organizations using MDM and the devices that are connected to them. While MDM systems are often used to lock down devices with organizationally mandated policies and distribute certificates to gain access to virtual private networks, they're not always a guarantee of device security and have also been used for malicious purposes. And as the Duo researchers found, they can be turned against an organization if too much trust is put into them—because many rely solely on the serial number to ensure that the device is allowed to join a corporate network.
"Leveraging this authentication weakness, an attacker can potentially enroll any device into an organization's MDM server—which could allow them to obtain privileged access used to further pivot within the network." Barclay wrote in a blog post on the research posted today, "A malicious actor can potentially enroll an arbitrary device into an organizations MDM server. The ability to enroll a chosen device to an organizations MDM server can have a significant consequence, subsequently allowing access to the private resources of an organization, or even full VPN access to internal systems."
Alternatively, Barclay said, an attacker could use the DEP interface to mine information about an organization, including phone numbers and email addresses—by obtaining the serial number of a registered device through open source intelligence, by fooling the device's user into giving it up, or by "brute-forcing" the DEP API (using software to send programmatically generated serial numbers to the API to obtain device registration data). That information could be used in social-engineering attacks against an organization's help desk to potentially gain access to enterprise data.
Pick a number, any number
The problem in DEP is that, while Apple's MDM protocol supports the use of user authentication prior to enrollment, it does not require that authentication. As a result, many organizations are using MDM without requiring user authentication, Barclay said, requiring only a device serial number. And serial numbers may be unique to a device, but they aren't necessarily secret—they can often be found online, and the format of Apple serial numbers is so well known that it's fairly easy to reproduce them with software and simply probe the DEP API to see if the device is registered.
As part of their research, Barclay, Bruienne, and Manning created a VMware virtual machine running MacOS and gave it the serial number of a known registered device. They also found that they could send serial numbers for iOS devices from a MacOS system and developed a tool that allowed them to inject specific serial numbers into the configuration payload sent to the DEP interface. Duo's Olabode Anise and Rich Smith contributed to research into generating Apple serial numbers for brute-forcing DEP.
The easiest way to prevent this sort of attack is to turn on user authentication for MDM enrollment or by explicitly not trusting devices enrolled through MDM systems until they have otherwise been authenticated. "There are a number of steps that can be taken by Apple to establish strong authentication and trust while still ensuring a relatively frictionless, streamlined user experience and device deployment process," Barclay wrote. "However, some of these mitigations (such as device attestation) only recently became feasible due to new hardware capabilities."
It may take some time for those capabilities to become broadly available enough to make a difference.