Easy to prevent Apple flaw may threaten enterprise security

Credit to Author: Jonny Evans | Date: Thu, 27 Sep 2018 06:46:00 -0700

An obscure flaw in Apple’s Device Enrollment Program (DEP) may make it possible for determined hackers to access enterprise networks, though the solution is quite straightforward.

Duo Security researchers say they’ve figured out how to enrol a rogue device onto an enterprise’s MDM system if the business has not enabled authentication for devices enrolled on that system.

To make this work, attackers need to get hold of a valid serial number for an Apple device that is registered with Apple’s Device Enrollment Program (DEP) but not yet set up on the company’s MDM server, they said.

The researchers say that a determined attacker may prowl online forums, may use sophisticated phishing attacks to obtain such information, or may even use brute-force attacks in which random serial numbers are generated. (They claim to have created a program that does this.)

When a valid serial is identified, the attacker can spoof the system into letting them register their own rogue device on the MDM network, and then use this device as a means to penetrate enterprise security.

They can use the hack to retrieve details such as an organization’s address, phone number and email addresses,

My big takeaway here is that if you are in the job of managing MDM devices on a secure network, you should immediately put a stop to publishing valid serial numbers online.

I’ve simplified the Duo Security report but you can read it for yourself here.

Apple has been informed of this chink in its armor, but hasn’t acted yet, the researchers claim.

Subsequent reports point out that Apple itself warns organizations to apply strong security measures to limit such attacks, including use of user authentication during setup.

It is important to recognize that enterprise IT doesn’t just face random attacks from independent hackers such as the young teenager who broke into Apple’s systems, it also faces highly organized attacks from well-resourced groups – some of which are state-sponsored.

We live in an environment in which small flaws in security protection such as that described by Duo Security must be identified.

This is because the most highly-organized attackers are incredibly sophisticated, and this kind of complex invasion of a company’s network seems a useful route for anyone engineering an advanced persistent threat (APT) scenario.

(Though undermining less-secured devices on the edge is much easier to achieve than using Apple systems as a portal.)

Advanced persistent threats are those in which attackers stealthily get inside enterprise networks and remain in those networks for a long period to steal data, create fake identities, and otherwise subvert computer systems.

Security is an infinite war.

That the exploits identified against Apple systems tend to be quite challenging or obscure reflects well on how secure those systems are, but complacency is no excuse for enterprise users.

They already know that almost half of all international enterprises have been targeted by cybercrime, and the attack vectors used in these attacks are becoming increasingly complex.

The recent surge in attacks against Office 365 reflects a recent trend in which criminals attempt to use cloud service APIs to create complex routes to subvert enterprise security.

The relatively recently disclosed ‘Dark Caracal’ threat attacks Mac, Linux and Windows systems in different ways all from within one small piece of multi-platform malware.

We’ve all heard stories of how criminals target small suppliers to large enterprises in order to leapfrog into enterprise networks or infect manufactured devices.

In the case of Duo Security’s newly identified challenge, the solutions are relatively straightforward:

It is also worth adopting a zero-trust approach to newly enrolled devices, assigning privileges in a separate operation from the initial setup. Use of more sophisticated MDM solutions, such as those from Jamf, may also help.
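As an added illustration (my own toy model, not code from Duo Security’s report, Apple, or any MDM product), the following Python sketches an enrollment gate that applies the mitigations discussed above: a valid DEP serial alone is not enough once user authentication at setup is required, a newly enrolled device lands in a quarantine role with privileges granted in a separate reviewed step, and a count of rejected unknown-serial enrollments gives the server a signal for serial-number guessing. All class, field and serial names are hypothetical placeholders.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class EnrollmentRequest:
    serial: str
    user_authenticated: bool   # user completed authentication during setup

@dataclass
class MdmServer:
    require_user_auth: bool    # False is the weak setting the article describes
    dep_inventory: set         # serials DEP has assigned to this organisation
    enrolled: dict = field(default_factory=dict)        # serial -> role
    rejections: Counter = field(default_factory=Counter)

    def enroll(self, req: EnrollmentRequest) -> str:
        # Only a serial DEP assigned to us, and not yet enrolled, may proceed.
        if req.serial not in self.dep_inventory:
            self.rejections["unknown_serial"] += 1
            return "rejected:unknown_serial"
        if req.serial in self.enrolled:
            self.rejections["already_enrolled"] += 1
            return "rejected:already_enrolled"
        # With authentication required, a valid serial by itself is refused.
        if self.require_user_auth and not req.user_authenticated:
            self.rejections["unauthenticated"] += 1
            return "rejected:unauthenticated"
        # Zero trust: a new device gets a quarantine role with no privileges.
        self.enrolled[req.serial] = "quarantine"
        return "enrolled:quarantine"

    def grant_privileges(self, serial: str, approver: str) -> bool:
        # Privileges are assigned in a separate, reviewed step, not at enrollment.
        if self.enrolled.get(serial) != "quarantine" or not approver:
            return False
        self.enrolled[serial] = "managed"
        return True

    def serial_guessing_suspected(self, threshold: int = 5) -> bool:
        # Many rejected enrollments with unknown serials is what guessing leaves behind.
        return self.rejections["unknown_serial"] >= threshold

# Constructed inventory with placeholder serials, not real device identifiers.
INVENTORY = {"SERIAL-A0001", "SERIAL-A0002"}

def demo():
    # Same unauthenticated request against the weak and the hardened configuration.
    weak = MdmServer(require_user_auth=False, dep_inventory=set(INVENTORY))
    hardened = MdmServer(require_user_auth=True, dep_inventory=set(INVENTORY))
    rogue = EnrollmentRequest("SERIAL-A0001", user_authenticated=False)
    return weak.enroll(rogue), hardened.enroll(rogue)
```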

However, in an environment characterized by multiple attack vectors and highly sophisticated bad actors, good security practice demands supplementing the world’s best platform security with informed security awareness and constant vigilance.

Google+? If you use social media and happen to be a Google+ user, why not join AppleHolic’s Kool Aid Corner community and get involved with the conversation as we pursue the spirit of the New Model Apple?

Got a story? Please drop me a line via Twitter and let me know. I’d like it if you chose to follow me on Twitter so I can let you know about new articles I publish and reports I find.
