Apple flaw lets hackers steal business passwords



Many businesses choose to spend more on Apple smartphones and computers because they’re supposed to be safer than more affordable alternatives running Android or Windows. But they’re not completely bulletproof.

Researchers have discovered a worrying flaw in one Apple service that allows hackers to steal business passwords from macOS and iOS devices.

Apple has made business customers a big focus in recent years as it looks to steal market share from its rivals. It has even entered into partnerships with the likes of IBM, Accenture, and Salesforce to build better business apps.

It seems, however, that you should be careful about using Apple devices in business right now.

Security flaw discovered in Apple Device Enrollment Program

Researchers with Duo Security have discovered a flaw in Apple’s Device Enrollment Program (DEP) — which helps companies manage and secure their Mac and iOS devices — that makes it possible to steal Wi-Fi and application passwords.

The hack involves enrolling a rogue device in the DEP system, then registering it with a company’s mobile device management (MDM) server. There are a number of methods that can be used to do this.

Hacking into an MDM server

One method would be for hackers to use social engineering to find a serial number that is already registered in the DEP system but not yet set up on the company’s server. We all know how easy it can be for hackers to convince unsuspecting users to give up information.

Alternatively, hackers could search MDM product forums where employees frequently post serial numbers for support, Duo Security says. Another method would be to use “brute force” software to cycle through countless serial numbers until a match is found.

Once they have a device enrolled on an MDM server, it’s possible to retrieve passwords for applications and Wi-Fi networks used throughout the company.

There are caveats

You might think that it’s near impossible for this kind of attack to take place. And there are caveats.

“The attacker has to enrol their device on the company’s MDM server before the legitimate employee does,” explains Forbes. “It will only accept that required serial number once.”

According to Duo researchers, however, it’s not as difficult as it sounds. All hackers have to do is search for serial numbers of products manufactured in the last 90 days. “It’s definitely feasible that you’ll find devices that haven’t enrolled yet,” says researcher James Barclay.

This doesn’t mean you should avoid Apple’s DEP system or MDM, Barclay says. “The benefits outweigh the inherent risks here. But there are steps Apple and customers could take to mitigate.”

Duo recommends that companies use encryption technology on device chips to uniquely identify them when they’re enrolled on DEP. Apple could also implement stronger, enforced authentication, they add.

Apple is aware of the problem

Duo has reported this issue to Apple — it did so back in May — but Apple hasn’t confirmed whether or not anything would be done about it.

Apple told Forbes that the possible attacks don’t exploit a vulnerability in its own products, and the company does recommend that businesses use authentication. Nevertheless, Barclay is “confident some changes will be made.”

