Slashdot Mirror


Apple's Device Enrollment Program Can Leak Sensitive Data About Devices, Owners (betanews.com)

Mark Wilson shares a report from BetaNews: Security researchers have discovered an issue with the Device Enrollment Program used by Apple to allow organizations to manage their MacBooks and iPhones. Duo Security says that using nothing more than a serial number, it is possible to gain access to sensitive data about enrolled devices and their owners. It is even possible to enroll new devices that can then access Wi-Fi passwords, VPN configurations and more. Apple was alerted to the issue way back in May, but has not done anything about it as the company does not regard it as a vulnerability. James Barclay from Duo Security, and Rich Smith from Duo Labs share their findings in a paper entitled MDM Me Maybe: Device Enrollment Program Security. They point out that while there are various easy ways to obtain devices' serial numbers, the researchers have been able to create a simple serial generator that can be used to search for information. In regard to the serial generator, Smith told CNET: "While we aren't releasing the code, I'm not going to pretend to be under the impression that this is something that can't be reproduced. It would not be difficult for someone to replicate the code that we've developed."

24 comments

  1. I wish I'd known about this sooner by drinkypoo · · Score: 4, Informative

    Some jerkoff signed up for an apple account with my email address. Apple let them do it without confirming it, too. It was for an iPad, probably stolen if they were activating it with a stolen identity.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:I wish I'd known about this sooner by Anonymous Coward · · Score: 0

      Some jerkoff signed up for an apple account with my email address. Apple let them do it without confirming it, too. It was for an iPad, probably stolen if they were activating it with a stolen identity.

      So, report it stolen ... apparently you're the rightful owner. :-P

    2. Re:I wish I'd known about this sooner by alvinrod · · Score: 2

      That's even more creepy than people might think. Imagine all of the terrible and illegal things a person could do on that device, that traces back to you. I'm sure it would eventually get cleared up, but I don't think anyone wants law enforcement knocking down their door and tearing through their belongings until they figure out that mistakes were made.

      If you haven't already gotten this sorted out with Apple, I'd really try to get in contact with them. Sure, it's unlikely that something comes of it, but it's one of those things that could really bite you in the ass.

    3. Re:I wish I'd known about this sooner by drinkypoo · · Score: 1

      If you haven't already gotten this sorted out with Apple, I'd really try to get in contact with them. Sure, it's unlikely that something comes of it, but it's one of those things that could really bite you in the ass.

      I did, and surprise! Apple told me there was nothing they could do because it wasn't my Apple account, even though it had my email address on it. Including, mind you, take my email address off of it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:I wish I'd known about this sooner by Anonymous Coward · · Score: 0

      I'm sure it would eventually get cleared up

      If you haven't already gotten this sorted out with Apple, I'd really try to get in contact with them. Sure, it's unlikely that something comes of it, but it's one of those things that could really bite you in the ass.

      You're quite the naive optimist, aren't you?

    5. Re: I wish I'd known about this sooner by Anonymous Coward · · Score: 0

      Just reset the password then, should come right to your email. Next, use the "find my ipad" icloud feature to find out where they are.

    6. Re:I wish I'd known about this sooner by scdeimos · · Score: 1

      You should do a password reset on the account via https://iforgot.apple.com/pass..., which will be processed via your email address after all, and lock out all the connected devices.

    7. Re:I wish I'd known about this sooner by Mr_Silver · · Score: 1

      Some jerkoff signed up for an apple account with my email address.

      Did they sign up using your Gmail address? I find that, of all the webmail services, Gmail seems to be the only one that has a problem with people signing up for things using an email address that they don't own. Interestingly enough, Gmail is the only service where the dots don't matter in an email address.

      I suspect, but cannot prove, that there is a correlation between the two. From discussions with people who have this issue, the other people invariably use a variant of their email address with dots either added, removed or put in different places.

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
    8. Re:I wish I'd known about this sooner by Plumpaquatsch · · Score: 1

      You should do a password reset on the account via https://iforgot.apple.com/pass..., which will be processed via your email address after all, and lock out all the connected devices.

      It will be processed with the email address given by the owner of the account, which probably isn't his email address. The AppleID may for historical reasons look like an email address, but it isn't really.

      --
      Of course news about a fake are Fake News.
    9. Re:I wish I'd known about this sooner by drinkypoo · · Score: 1

      Yes, I get a ton of email for martinespinoza@gmail.com. Sometimes this comes in handy, though. Virtually no sites understand that martinespinoza and martin.espinoza@gmail.com are the same guy, so I can use this to generate myself a second login with the same destination email.

      Still, there is no excuse for not validating email addresses, ever. I get all kinds of personal information for other people because people/sites don't. Martin Espinoza isn't exactly the John Smith of the Hispanic world, but it's damned close. There are multitudes of us.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:I wish I'd known about this sooner by parkinglot777 · · Score: 1

      You should do a password reset on the account via https://iforgot.apple.com/pass..., which will be processed via your email address after all, and lock out all the connected devices.

      It may or may not work depending on how the person sets up the Apple account. In other words, if the person has set a rescue email address different from what yours is in creating an Apple account, the method may not work. Besides, if the person has set up a 2-fac-Auth, then you would be out of luck because the phone number linked to the account is not going to be yours. See here for more information.

  2. At apple we care about your security by Anonymous Coward · · Score: 0

    Lol HAHA
    No they don't.

  3. English explanation by Anubis+IV · · Score: 1

    The "vulnerability" they've exposed is really just an easier way to discover organizations using insecure configurations. Organizations already have the ability to lock this issue down, should they choose to do so.

    More or less, some organizations don't require authentication before a device can enroll in the organization, meaning that anyone at all can join their organization. If those organizations then foolishly configured things such that each enrollee is pushed a list of WiFi networks and VPNs belonging to the organization, guess what happens? Anyone at all can join their organization and receive that information, exactly like they configured it to work.

    What these researchers discovered was an easier way to identify those organizations. Using a device's serial number, they can now query to find out whether the device is enrolled in an organization, and if it is, whether that organization requires authentication. Randomly generating serial numbers lets them scan through organizations in a rapid fashion. It's really not that much different than using a port scanner: it isn't an attack in and of itself, but it can reveal an avenue for attack.

  4. I got my battery replaced for $29... by Anonymous Coward · · Score: 0

    last Saturday. Did they sign me up for this without telling me? My phone works much better especially my GPS that hasn't worked in almost two years, but they killed my headphone jack so I'm annoyed.

    1. Re:I got my battery replaced for $29... by Cmdln+Daco · · Score: 1

      Apple needs to come out with a barbed headphone jack plug, for the True Believers who cannot yet afford a new Applephone without a headphone jack. It could be an inexpensive 'upgrade' item and I am sure there are Applephone owners who would be brave enough to push it into the hole and seal it off forever.

  5. Yes. Company name, not secret Information by raymorris · · Score: 1

    Yeah two major points here:

    It can be used to find out which *company* is managing the device. If your company set up an iPad for you and registered into the company's security system that requires anti-virus and such, and the company used Apple's service, that information can be revealed. So "this iPad is managed by Toyota". It does not affect personally owned and managed devices, revealing the fact that a person owns an iPad.

    IF the company doesn't require authentication such as a user name and password, it can also reveal some other non-secret information that all employees of the company have. Specifically non-secret information about the name of the VPN server. Just like a https web server has a public certificate which you can view by clicking on the green lock icon in your browser, some VPN servers have a certificate. This is not a secret.

    If an attacker wanted to attack your VPN server, having its name might come in handy, but it's not secret.

  6. Mandatory too by Anonymous Coward · · Score: 0

    Our Apple rep told us that DEP will be *mandatory* if you want to have any meaningful management of devices your company owns. So, all your Apple devices tied back to Apple. Yeah, that's going to go well.
