“Apple appeals to business, in part, because of its impressive track record on iPhone and Mac security,” Thomas Brewster reports for Forbes. “But Apple isn’t perfect. Researchers claimed on Thursday they’ve found a novel way to steal business Wi-Fi and application passwords via one of the Cupertino giant’s products. They subverted an Apple technology designed to help companies manage and secure fleets of iPhones and Macs.”
“The problem lies in the openness of Apple’s Device Enrolment Program (DEP), according to researchers from Duo Security,” Brewster reports. “They discovered it was possible to steal Wi-Fi passwords and more internal business secrets by enrolling a rogue device within the DEP system.”
“When a company chooses not to require authentication, it’s possible for a hacker to find a registered DEP serial number of a real device but one that’s not yet been set up on a company’s MDM server. This can either be retrieved via social engineering of an employee or checking MDM product forums where people frequently publish serial numbers, the researchers said. ‘Brute forcing,’ where a computer can rifle through all possible numbers on the DEP until it hits on a correct one, is another option,” Brewster reports. “Then the attacker can enrol their a rogue device on an MDM server using the chosen serial number and appear on the target company network as a legitimate user. From there, it’s possible to retrieve passwords for applications and Wi-Fi across the victim business, according to the researchers.”
Read more in the full article here.
MacDailyNews Take: Apple stated in an email to Forbes that the attacks did not exploit any vulnerability in Apple products but, Brewster reports, security researcher James Barclay expects Apple to make some changes regardless.