Slashdot Mirror


Apple's Device Enrollment Program Can Leak Sensitive Data About Devices, Owners (betanews.com)

Mark Wilson shares a report from BetaNews: Security researchers have discovered an issue with the Device Enrollment Program used by Apple to allow organizations to manage their MacBooks and iPhones. Duo Security says that using nothing more than a serial number, it is possible to gain access to sensitive data about enrolled devices and their owners. It is even possible to enroll new devices that can then access Wi-Fi passwords, VPN configurations and more. Apple was alerted to the issue way back in May, but has not done anything about it as the company does not regard it as a vulnerability. James Barclay from Duo Security, and Rich Smith from Duo Labs share their findings in a paper entitled MDM Me Maybe: Device Enrollment Program Security. They point out that while there are various easy ways to obtain devices' serial numbers, the researchers have been able to create a simple serial generator that can be used to search for information. In regard to the serial generator, Smith told CNET: "While we aren't releasing the code, I'm not going to pretend to be under the impression that this is something that can't be reproduced. It would not be difficult for someone to replicate the code that we've developed."

2 of 24 comments

  1. I wish I'd known about this sooner by drinkypoo · Score: 4, Informative

    Some jerkoff signed up for an Apple account with my email address. Apple let them do it without confirming it, too. It was for an iPad, probably stolen if they were activating it with a stolen identity.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re: I wish I'd known about this sooner by alvinrod · Score: 2

      That's even more creepy than people might think. Imagine all of the terrible and illegal things a person could do on that device, that traces back to you. I'm sure it would eventually get cleared up, but I don't think anyone wants law enforcement knocking down their door and tearing through their belongings until they figure out that mistakes were made.

      If you haven't already gotten this sorted out with Apple, I'd really try to get in contact with them. Sure, it's unlikely that something comes of it, but it's one of those things that could really bite you in the ass.