A flaw in Apple’s Device Enrollment Program (DEP) could let an attacker obtain private information about iPhone, iPad and Mac devices used by schools and businesses, including details such as an organization’s address, phone number and email addresses.
The flaw concerns the serial numbers of work- and school-issued Apple products, according to researchers at Duo Security (via Forbes), which was recently acquired by Cisco for $2.35 billion.
Each Apple device is registered with, and authenticated to, the DEP system using its serial number. DEP lets enterprise and education customers easily deploy and configure organization-owned iPad and iPhone devices, Mac computers and Apple TV set-top boxes.
James Barclay, a senior research and design engineer at Duo Security, and Rich Smith, director of Duo Labs, discovered that an attacker could use the 12-character serial number of a real device that has not yet been set up on a company’s Mobile Device Management (MDM) server to request its activation record and retrieve sensitive information.
Requests for activation records are not rate limited, which allows an attacker to brute-force the lookup by attempting to enrol every conceivable serial number. The researchers also note that once a rogue device successfully authenticates to a company’s MDM server using a chosen serial number, it appears on the company’s network as a legitimate user.
Apple was notified of these issues and told CNET that it does not consider this a real threat, because MDM servers are managed by the organizations themselves; securing those servers, and applying security measures to limit such attacks, falls within the organizations’ domain of responsibility.
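Since Apple places the burden of limiting such attacks on the organization running the MDM server, the practical defensive control is to spot the pattern the researchers describe: one source requesting activation records for many different serial numbers in a short window, most of which the server has never seen. The following detector is an added example and is not code from the article, Duo Security or Apple. It assumes a hypothetical single-line MDM server log format (`action=activation_record`, `serial=`, `result=`), a constructed sample log using documentation IP addresses and placeholder serials, and a defender-chosen window and threshold.

```python
"""Flag serial-number enumeration against an MDM activation-record endpoint.

Added example, not the article's, Duo Security's or Apple's code. The log
format, field names and thresholds below are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
import re

# Hypothetical log line layout (assumption): one request per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) action=activation_record "
    r"serial=(?P<serial>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log: a legitimate device asks for its own record twice,
# while one source cycles through six different serials in a few seconds.
# Serials are placeholders, not real Apple serial numbers.
SAMPLE_LOG = [
    "2018-01-01T10:00:00Z src=198.51.100.7 action=activation_record serial=SERIAL000099 result=ok",
    "2018-01-01T10:00:01Z src=203.0.113.5 action=activation_record serial=SERIAL000001 result=not_found",
    "2018-01-01T10:00:02Z src=203.0.113.5 action=activation_record serial=SERIAL000002 result=not_found",
    "2018-01-01T10:00:03Z src=203.0.113.5 action=activation_record serial=SERIAL000003 result=not_found",
    "2018-01-01T10:00:04Z src=203.0.113.5 action=activation_record serial=SERIAL000004 result=ok",
    "2018-01-01T10:00:05Z src=203.0.113.5 action=activation_record serial=SERIAL000005 result=not_found",
    "2018-01-01T10:00:06Z src=203.0.113.5 action=activation_record serial=SERIAL000006 result=not_found",
    "2018-01-01T10:00:30Z src=198.51.100.7 action=activation_record serial=SERIAL000099 result=ok",
    "this line is malformed and must be skipped",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "serial": m["serial"], "result": m["result"]}


def detect_enumeration(lines, window_seconds=60, max_distinct=5):
    """Return alerts as (source, distinct_serials, unknown_ratio) tuples.

    A genuine device requests its own activation record a handful of times.
    Many distinct serials from one source inside a short window, most of them
    unknown to the server, is the brute-force pattern the researchers describe.
    One alert is raised per offending source.
    """
    windows = defaultdict(deque)  # src -> deque of (ts, serial, result)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = windows[rec["src"]]
        q.append((rec["ts"], rec["serial"], rec["result"]))
        # Evict events that fell out of the sliding window.
        while q and (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {serial for _, serial, _ in q}
        if len(distinct) >= max_distinct and rec["src"] not in alerted:
            unknown = sum(1 for _, _, result in q if result != "ok")
            alerts.append((rec["src"], len(distinct), round(unknown / len(q), 2)))
            alerted.add(rec["src"])
    return alerts


def run_example():
    """Run the detector over the constructed sample log."""
    return detect_enumeration(SAMPLE_LOG)


if __name__ == "__main__":
    for src, count, ratio in run_example():
        print(f"possible serial enumeration from {src}: "
              f"{count} distinct serials, {ratio:.0%} unknown")
```

The ratio of unknown serials is what separates enumeration from a site that simply enrols many devices at once: a bulk rollout produces many distinct serials that the server does recognise, whereas a brute-force sweep produces mostly misses with the occasional hit on a real, not-yet-enrolled device. Feeding the same per-source counts into a rate limiter on the endpoint closes the gap the article describes.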
In fact, the DEP system allows organizations to optionally require user authentication, but Apple does not enforce this stronger authentication. It is left to each business to decide whether or not users must prove who they are before enrolling their devices.