Apple products – like iPhones, MacBooks and iPads, are most often registered and verified using their unique device serial numbers through Apple’s Device Enrollment Program.
Organizations use the program to manage devices they hand out. It’s how teachers monitor school-issued iPads and iPhones and how the New York Police Department rolls out its custom apps for officers on its iPhones.
Senior research and design engineer with Duo Security – James Barclay, and Director of Duo Labs – Rich Smith, found several weaknesses or vulnerable points with the program after discovering that the device serial number was all a potential attacker needed to get sensitive information from enrolled devices.
By entering an enrolled apple device’s serial number to request activation records, Duo Security’s researchers were able to retrieve details such as the organisation’s address, phone number and email addresses. There are a number of different ways to get a serial number, but Smith said the 12-character code was simple enough for Duo Security to create a program that generated every conceivable serial number available for all other devices that are registered. Because the request for activation records doesn’t have rate limits, a potential attacker could run searches without any obstacles, he said.
“While we aren’t releasing the code, I’m not going to pretend to be under the impression that this is something that can’t be reproduced,” Smith said. “It would not be difficult for someone to replicate the code that we’ve developed.” If attackers obtained a serial number that hadn’t been enrolled yet, the researchers said, it would be possible for them to enrol their own device with that number and gather even more information, such as Wi-Fi passwords and customised apps. It may not sound as a real world threat but it’s a gateway to something even bigger.
Apple said in a statement that it doesn’t consider the serial number issue to be a vulnerability with its products, citing its existing recommendation that organisations are advised to apply additional security measures to limit such attacks. People enrolled in Apple’s program can require user authentication, which would call for a username and a password along with the serial number.
Duo Security disclosed the vulnerability to Apple on May 16, and the company acknowledged Duo’s disclosure on May 17. Duo Security’s researchers said Apple hasn’t addressed the issue.