Researchers at security company Duo Labs discovered a vulnerability in the mechanism used to manage Apple devices in closed corporate networks.
The mechanism in question is Mobile Device Management (MDM), which is widely used by both small and large companies. MDM lets a company place all of its Apple devices under a single command and control server, from which system administrators can manage digital certificates, applications, Wi-Fi passwords, VPN configuration, etc.
The vulnerability the researchers discovered affects the Device Enrollment Program (DEP), the protocol for adding new Apple devices to an MDM server. More specifically, the problem lies in the device authentication process and allows an attacker to add an Apple device of their choosing to a corporate MDM server.
Moreover, prior to deployment, an attacker can use the authentication process to steal information about the companies that use particular Apple devices. Such information can serve as a tool for further attacks.
The attack is possible because Apple uses only the device's serial number to identify the iPhone, iPad or Mac being added to the MDM server. The researchers notified the manufacturer about the problem in May of this year; however, Apple still has not fixed it.