DEP (Apple's Device Enrollment Program) is a free service created by Apple for enterprises that automatically registers Apple devices (iOS, macOS or tvOS) with the enterprise's Mobile Device Management (MDM) server, simplifying internal deployment and configuration of Apple devices.
James Barclay, senior security researcher at Duo, points out that all they needed to obtain a DEP profile for an Apple device was the device's serial number, and that profile reveals information about the enterprise that owns the device. Therefore, if an enterprise's MDM server does not require additional user authentication during enrollment, attackers could also enroll their own devices and receive corporate credentials, applications, Wi-Fi passwords or VPN configurations.
This is because DEP enrollment authenticates a device using only its serial number before it is registered. Although Apple's MDM protocol supports user authentication, it is not mandatory, meaning that some enterprises may rely on the serial number alone to protect device enrollment.
Since serial numbers are not considered confidential, they are easy to find on the Internet, and they are often structured in a predictable way, allowing an attacker to brute-force the serial number of a device registered to a business.
Duo reported the flaw to Apple in May, and Apple does not appear to have fixed it. Barclay emphasized that DEP is still a valuable tool for companies that need to deploy a large number of Apple devices, even with this validation flaw. He suggested that Apple strengthen its device validation to limit the number of failed lookups and the amount of enterprise information it returns, and that any enterprise adopting DEP enforce user authentication on its MDM server.
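The following is an added illustration, not code from Apple, Duo or any MDM product: a toy model of an MDM enrollment gate that contrasts the serial-only policy described above with one that also requires user authentication, plus a small detector that flags a source probing many distinct serial numbers, which is what a guessing campaign against enrollment looks like in server logs. All serials, tokens, IPs and log events are constructed sample data.

```python
"""Toy MDM enrollment gate and serial-enumeration detector (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: serials the enterprise registered in DEP, and valid user tokens.
KNOWN_SERIALS = {"C02ABC000001", "C02ABC000002", "C02ABC000003"}
VALID_USER_TOKENS = {"tok-alice", "tok-bob"}


def authorize_enrollment(serial, user_token=None, policy="serial_plus_user"):
    """Decide whether the enrollment profile (and the corporate config behind it) may be issued.

    policy="serial_only" models the weak setting: knowing a registered serial is enough.
    policy="serial_plus_user" models the recommended setting: a valid user credential is also required.
    """
    if serial not in KNOWN_SERIALS:
        return False
    if policy == "serial_only":
        return True
    return user_token in VALID_USER_TOKENS


def flag_enumeration(events, max_distinct=5, window=timedelta(minutes=10)):
    """Return the set of source IPs that requested more than max_distinct different
    serials inside any sliding time window. events: iterable of (timestamp, ip, serial)."""
    by_ip = defaultdict(list)
    for ts, ip, serial in events:
        by_ip[ip].append((ts, serial))
    flagged = set()
    for ip, items in by_ip.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if len({s for _, s in items[start:end + 1]}) > max_distinct:
                flagged.add(ip)
                break
    return flagged


# Constructed log: one source walks six consecutive serials in one minute, another
# source makes two legitimate requests for a single device.
BASE = datetime(2018, 9, 27, 10, 0, 0)
SAMPLE_EVENTS = [(BASE + timedelta(seconds=10 * i), "203.0.113.7", f"C02ABC0000{i:02d}") for i in range(6)]
SAMPLE_EVENTS += [(BASE + timedelta(minutes=1), "198.51.100.4", "C02ABC000002"),
                  (BASE + timedelta(minutes=2), "198.51.100.4", "C02ABC000002")]

if __name__ == "__main__":
    print("serial only:", authorize_enrollment("C02ABC000001", policy="serial_only"))
    print("serial + user:", authorize_enrollment("C02ABC000001"))
    print("flagged sources:", flag_enumeration(SAMPLE_EVENTS))
```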