Apple's Device Enrollment Program Can Leak Sensitive Data About Devices, Owners (betanews.com) 24

Mark Wilson shares a report from BetaNews: Security researchers have discovered an issue with the Device Enrollment Program used by Apple to allow organizations to manage their MacBooks and iPhones. Duo Security says that using nothing more than a serial number, it is possible to gain access to sensitive data about enrolled devices and their owners. It is even possible to enroll new devices that can then access Wi-Fi passwords, VPN configurations and more. Apple was alerted to the issue way back in May, but has not done anything about it as the company does not regard it as a vulnerability. James Barclay from Duo Security, and Rich Smith from Duo Labs share their findings in a paper entitled MDM Me Maybe: Device Enrollment Program Security. They point out that while there are various easy ways to obtain devices' serial numbers, the researchers have been able to create a simple serial generator that can be used to search for information. In regard to the serial generator, Smith told CNET: "While we aren't releasing the code, I'm not going to pretend to be under the impression that this is something that can't be reproduced. It would not be difficult for someone to replicate the code that we've developed."
  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday September 27, 2018 @05:56PM (#57387374) Homepage Journal

    Some jerkoff signed up for an apple account with my email address. Apple let them do it without confirming it, too. It was for an iPad, probably stolen if they were activating it with a stolen identity.

    • That's even more creepy than people might think. Imagine all of the terrible and illegal things a person could do on that device, that traces back to you. I'm sure it would eventually get cleared up, but I don't think anyone wants law enforcement knocking down their door and tearing through their belongings until they figure out that mistakes were made.

      If you haven't already gotten this sorted out with Apple, I'd really try to get in contact with them. Sure, it's unlikely that something comes of it, but it's one of those things that could really bite you in the ass.
      • If you haven't already gotten this sorted out with Apple, I'd really try to get in contact with them. Sure, it's unlikely that something comes of it, but it's one of those things that could really bite you in the ass.

        I did, and surprise! Apple told me there was nothing they could do because it wasn't my Apple account, even though it had my email address on it. Including, mind you, taking my email address off of it.

        • You should do a password reset on the account via https://iforgot.apple.com/pass... [apple.com], which will be processed via your email address after all, and lock out all the connected devices.
          • You should do a password reset on the account via https://iforgot.apple.com/pass... [apple.com], which will be processed via your email address after all, and lock out all the connected devices.

            It will be processed with the email address given by the owner of the account, which probably isn't his email address. The AppleID may for historical reasons look like an email address, but it isn't really.

          • You should do a password reset on the account via https://iforgot.apple.com/pass... [apple.com], which will be processed via your email address after all, and lock out all the connected devices.

            It may or may not work depending on how the person set up the Apple account. In other words, if the person set a rescue email address different from yours when creating the Apple account, the method may not work. Besides, if the person has set up two-factor authentication, then you would be out of luck because the phone number linked to the account is not going to be yours. See here [apple.com] for more information.

    • Some jerkoff signed up for an apple account with my email address.

      Did they sign up using your Gmail address? I find that, of all the webmail services, Gmail seems to be the only one that has a problem with people signing up for things using an email address that they don't own. Interestingly enough, Gmail is the only service where the dots don't matter in an email address.

      I suspect, but cannot prove, that there is a correlation between the two. From discussions with people who have this issue, the other pe

      • Yes, I get a ton of email for martinespinoza@gmail.com. Sometimes this comes in handy, though. Virtually no sites understand that martinespinoza and martin.espinoza@gmail.com are the same guy, so I can use this to generate myself a second login with the same destination email.

        Still, there is no excuse for not validating email addresses, ever. I get all kinds of personal information for other people because people/sites don't. Martin Espinoza isn't exactly the John Smith of the Hispanic world, but it's damne
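The two comments above describe the practical consequence of Gmail ignoring dots in the local part: sites that compare addresses as raw strings treat martinespinoza@gmail.com and martin.espinoza@gmail.com as two different people, which lets one person register twice and lets mail for an unverified address land in someone else's inbox. The following is an added example, not code from Slashdot, the commenters or Duo; it canonicalizes addresses the way a signup flow's duplicate-account check would before comparing them. The rules it applies (strip dots and +tags for Google-hosted mailboxes, fold googlemail.com into gmail.com, lowercase for comparison) are a policy choice stated as an assumption in the code, and every address other than the commenter's own is constructed for the example.

```python
"""
Canonicalize e-mail addresses so Gmail dot-aliases and plus-tags collapse
to one identity, then flag signups that map to the same mailbox.

Added example for duplicate-account detection; not code from the page.
"""

# Assumption: Google serves gmail.com and googlemail.com from the same
# mailbox namespace, ignores dots in the local part, and discards +tags.
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(address: str) -> str:
    """Return a comparison key for an address.

    Policy choice (assumption): the local part is lowercased for every
    domain. RFC 5321 permits case-sensitive local parts, but treating
    Bob@ and bob@ as different people is not useful for dedup purposes.
    """
    addr = address.strip()
    if addr.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {address!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower().rstrip(".")
    if not local or not domain:
        raise ValueError(f"empty local part or domain in {address!r}")
    local = local.lower()
    if domain in GOOGLE_DOMAINS:
        # Gmail-specific: everything after '+' is a tag, dots are ignored.
        local = local.split("+", 1)[0]
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True if the two spellings reach the same mailbox under the rules above."""
    return canonicalize(a) == canonicalize(b)


def find_duplicate_signups(addresses):
    """Group submitted addresses by canonical form.

    Returns {canonical: sorted list of distinct raw spellings} for every
    mailbox that appears under more than one spelling.
    """
    groups = {}
    for raw in addresses:
        groups.setdefault(canonicalize(raw), set()).add(raw.strip())
    return {key: sorted(spellings) for key, spellings in groups.items()
            if len(spellings) > 1}


# Constructed signup list. The first two spellings are the ones the
# commenter mentions; the rest are made up for the example.
SAMPLE_SIGNUPS = [
    "martinespinoza@gmail.com",
    "martin.espinoza@gmail.com",
    "Martin.Espinoza+slashdot@googlemail.com",
    "m.espinoza@example.org",      # a different mailbox, non-Google domain
    "mespinoza@example.org",        # dots are NOT ignored here
    "alice@example.com",
]


if __name__ == "__main__":
    for key, spellings in find_duplicate_signups(SAMPLE_SIGNUPS).items():
        print(f"{key}: {len(spellings)} spellings -> {spellings}")
```

Because the canonical key is only a comparison aid, the raw address the user typed is what should be stored and what the verification mail should go to; the key is used to refuse, or at least flag, a second account for a mailbox that already has one.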

  • The "vulnerability" they've exposed is really just an easier way to discover organizations using insecure configurations. Organizations already have the ability to lock this issue down, should they choose to do so.

    More or less, some organizations don't require authentication before a device can enroll in the organization, meaning that anyone at all can join their organization. If those organizations then foolishly configured things such that each enrollee is pushed a list of WiFi networks and VPNs belonging

    • Yeah two major points here:

      It can be used to find out which *company* is managing the device. If your company set up an iPad for you and registered into the company's security system that requires anti-virus and such, and the company used Apple's service, that information can be revealed. So "this iPad is managed by Toyota". It does not affect personally owned and managed devices, revealing the fact that a person owns an iPad.

      IF the company doesn't require authentication such as a user name and password, it
