Apple ‘security loophole’ can expose business Wi-Fi passwords to hackers

“Apple appeals to business, in part, because of its impressive track record on iPhone and Mac security,” Thomas Brewster reports for Forbes. “But Apple isn’t perfect. Researchers claimed on Thursday they’ve found a novel way to steal business Wi-Fi and application passwords via one of the Cupertino giant’s products. They subverted an Apple technology designed to help companies manage and secure fleets of iPhones and Macs.”

“The problem lies in the openness of Apple’s Device Enrolment Program (DEP), according to researchers from Duo Security,” Brewster reports. “They discovered it was possible to steal Wi-Fi passwords and more internal business secrets by enrolling a rogue device within the DEP system.”

“When a company chooses not to require authentication, it’s possible for a hacker to find a registered DEP serial number of a real device but one that’s not yet been set up on a company’s MDM server. This can either be retrieved via social engineering of an employee or checking MDM product forums where people frequently publish serial numbers, the researchers said. ‘Brute forcing,’ where a computer can rifle through all possible numbers on the DEP until it hits on a correct one, is another option,” Brewster reports. “Then the attacker can enrol a rogue device on an MDM server using the chosen serial number and appear on the target company network as a legitimate user. From there, it’s possible to retrieve passwords for applications and Wi-Fi across the victim business, according to the researchers.”

Read more in the full article here.

MacDailyNews Take: Apple stated in an email to Forbes that the attacks did not exploit any vulnerability in Apple products but, Brewster reports, security researcher James Barclay expects Apple to make some changes regardless.

3 Comments

  1. So if I’m reading this correctly, the target company has to have an open server on their network and have chosen to not have authentication on the MDM? Then with a brute force attack on the MDM to find a device that has been entered, but not yet registered, they can spoof the system and gain entry?

    Yeah Right

    1. It’s called having a stupid IT manager. IT manager sets up for a new computer to be added to the network on Friday afternoon, then goes home for the weekend without registering the new computer. Hacker gets on over the weekend and invades the network. Alternate scenario, IT manager sets up for new computer then has massive heart attack and is hauled off to the hospital before finishing registering the new computer. Both unlikely, but it could happen.

      1. Still, it is refreshing that Apple has responded to an unlikely user/business network problem that they will address.

        It also shows why businesses need to use proper 2 factor authorization that gets done “on the spot” when a user signs up.
