Researchers find that Apple MDM may be forced to register malicious devices




Mobile Device Management (MDM) systems are often used by organizations to manage the security of employees' devices. But security researchers have discovered that the interface Apple provides to enroll Apple devices in an MDM system can also be used to introduce malicious devices into those systems and gain access to enterprise systems.

In an article published today, James Barclay, a senior research and development engineer at Duo, and researchers Pepijn Bruienne and Todd Manning demonstrated how Apple's Mobile Device Management (MDM) registration interface, the Device Enrollment Protocol (DEP), can be abused. By spoofing the serial numbers of registered devices, attackers could connect malicious devices to a company's MDM systems and obtain trusted status on its networks, or extract valuable information about organizations using MDM and the devices they have connected.

Although MDM systems are often used to lock down devices with organization-imposed policies and to distribute certificates for access to virtual private networks, they do not always guarantee the security of devices, and they have also been used for malicious purposes. And, as the Duo researchers found, they can backfire on a company by conferring undue trust, because many of them depend solely on the serial number to decide whether a device is allowed to join a corporate network.

"By exploiting this weak authentication, an attacker can potentially enroll any device on an organization's MDM server, which could allow the attacker to gain privileged access to further pivot on the network," Barclay wrote. "A malicious actor can potentially enroll an arbitrary device on a company's MDM server. The ability to register a selected device on a company's MDM server can have significant consequences, allowing the device unmatched access to an organization's private resources, or even full VPN access to internal systems."

According to Barclay, an attacker could also use the DEP interface to retrieve information about an organization, including phone numbers and e-mail addresses, by obtaining the serial number of a registered device or by brute forcing the DEP API (using software to send programmatically generated serial numbers to the API in order to obtain device registration data). This information could be used in social engineering attacks against an organization's help desk to potentially gain access to company data.

Choose a number, any number

The problem with DEP is that while Apple's MDM protocol supports user authentication before enrollment, it does not require it. As a result, many companies use MDM without requiring user authentication, Barclay said, relying only on a serial number. And while serial numbers may be unique to a device, they are not necessarily secret: they are often available online, and the format of Apple serial numbers is so well known that it is fairly easy to generate them with software and query the API to see whether a device is registered.

As part of their research, Barclay, Bruienne and Manning created a VMware virtual machine running macOS and assigned it the serial number of a known registered device. They also found that they could submit serial numbers for iOS devices from a macOS system, and they developed a tool that let them inject specific serial numbers into the configuration payload sent to the DEP interface. Duo's Olabode Anis and Rich Smith contributed to the research on generating Apple serial numbers for brute forcing the DEP.
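The two behaviours described above, serial-number enumeration against the enrollment API and a cloned serial enrolling from a second machine, both leave a trace in enrollment logs. The following is an added detection example, not code from Duo or from the article; it assumes a hypothetical, constructed log format for an MDM enrollment endpoint (timestamp, client address, serial, outcome) and flags sources that probe many distinct serials in a short window as well as serials that enroll from more than one address.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical log format assumed for this example; real MDM products log differently.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) serial=(?P<serial>\S+) result=(?P<result>\S+)$"
)

# Constructed sample lines: one legitimate enrollment, a burst of lookups from a
# single address, and the same serial enrolling again from that address.
SAMPLE_LOG = """\
2018-10-01T10:00:01Z src=198.51.100.20 serial=C02XYZ001AAA result=enrolled
2018-10-01T10:00:05Z src=203.0.113.7 serial=C02XYZ001AAB result=unknown
2018-10-01T10:00:06Z src=203.0.113.7 serial=C02XYZ001AAC result=unknown
2018-10-01T10:00:07Z src=203.0.113.7 serial=C02XYZ001AAD result=unknown
2018-10-01T10:00:08Z src=203.0.113.7 serial=C02XYZ001AAE result=unknown
2018-10-01T10:00:09Z src=203.0.113.7 serial=C02XYZ001AAF result=unknown
2018-10-01T10:00:10Z src=203.0.113.7 serial=C02XYZ001AAA result=enrolled
2018-10-01T11:30:00Z src=198.51.100.21 serial=C02XYZ001BBB result=enrolled
"""


def parse_log(text):
    """Parse log lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(ev)
    return events


def enumeration_sources(events, window_seconds=60, threshold=5):
    """Return {src: distinct_serials} for sources that looked up at least
    `threshold` distinct serials inside any `window_seconds` sliding window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            serials = set()
            for ev in evs[i:]:
                if (ev["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                serials.add(ev["serial"])
            if len(serials) >= threshold:
                flagged[src] = len(serials)
                break
    return flagged


def duplicate_serial_sources(events):
    """Map each serial that enrolled from more than one client address to the
    sorted list of those addresses; a spoofed serial shows up here."""
    sources = defaultdict(set)
    for ev in events:
        if ev["result"] == "enrolled":
            sources[ev["serial"]].add(ev["src"])
    return {s: sorted(a) for s, a in sources.items() if len(a) > 1}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("enumeration:", enumeration_sources(evs))
    print("duplicate serials:", duplicate_serial_sources(evs))
```

Both heuristics are coarse on purpose: the window and threshold should be tuned to the organization's real enrollment volume, and a duplicate-serial hit should be correlated with the device's recorded hardware model and user before acting on it.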

The easiest way to prevent this type of attack is to enable user authentication for MDM enrollment, or to explicitly not trust devices registered via MDM systems until they have been authenticated. "There are a number of steps that Apple can take to establish strong authentication and trust while ensuring a simplified, frictionless user experience and device deployment process," Barclay wrote. "However, some of these mitigation measures (such as device attestation) have become possible only recently thanks to new hardware capabilities."
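To make the mitigation concrete, here is an added example (not code from Duo, Apple or any MDM product) of an enrollment decision modelled as a small policy object. The inventory, user names and profile names are constructed for the example. The weak policy trusts any request whose serial is in the inventory, which is exactly what a cloned serial defeats; the hardened policy additionally requires that the identity provider asserted the user the device is assigned to, and otherwise enrolls the device in a quarantined state that receives baseline profiles but no VPN certificate until authentication succeeds.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class InventoryEntry:
    serial: str
    assigned_user: str


@dataclass(frozen=True)
class EnrollmentRequest:
    serial: str
    # Identity asserted by the organization's identity provider during
    # enrollment, or None when the MDM was configured to skip user authentication.
    authenticated_user: Optional[str] = None


# Constructed profile names for the example.
BASELINE_PROFILES = ("passcode-policy",)
PRIVILEGED_PROFILES = ("vpn-certificate", "internal-wifi")


class EnrollmentPolicy:
    def __init__(self, inventory, require_user_auth: bool):
        self.inventory = {e.serial: e for e in inventory}
        self.require_user_auth = require_user_auth

    def decide(self, req: EnrollmentRequest) -> Tuple[str, tuple]:
        """Return (state, profiles) where state is 'rejected', 'quarantined'
        or 'trusted'. Only a trusted device receives privileged profiles."""
        entry = self.inventory.get(req.serial)
        if entry is None:
            return "rejected", ()
        if not self.require_user_auth:
            # Weak: serial membership alone confers full trust.
            return "trusted", BASELINE_PROFILES + PRIVILEGED_PROFILES
        if req.authenticated_user == entry.assigned_user:
            return "trusted", BASELINE_PROFILES + PRIVILEGED_PROFILES
        # Hardened: enrolled but untrusted until the assigned user authenticates.
        return "quarantined", BASELINE_PROFILES


# Constructed inventory: one serial assigned to user "alice".
INVENTORY = [InventoryEntry("C02XYZ001AAA", "alice")]


def compare_policies():
    """Evaluate the same requests under the weak and hardened policies."""
    weak = EnrollmentPolicy(INVENTORY, require_user_auth=False)
    hard = EnrollmentPolicy(INVENTORY, require_user_auth=True)
    requests = {
        "spoofed_serial_no_auth": EnrollmentRequest("C02XYZ001AAA"),
        "assigned_user": EnrollmentRequest("C02XYZ001AAA", "alice"),
        "other_user": EnrollmentRequest("C02XYZ001AAA", "mallory"),
        "unknown_serial": EnrollmentRequest("C02ZZZ999ZZZ", "alice"),
    }
    return {
        name: {"weak": weak.decide(r)[0], "hardened": hard.decide(r)[0]}
        for name, r in requests.items()
    }


if __name__ == "__main__":
    for name, outcome in compare_policies().items():
        print(f"{name:24s} weak={outcome['weak']:12s} hardened={outcome['hardened']}")
```

The decisive line is the one comparing the asserted user with the inventory's assigned user: the serial only selects the inventory record, and trust is derived from the authenticated identity rather than from the serial itself.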

It may take some time for these capabilities to become widely available to make a difference.
