Looking after the corporate Apple mobile fleet? Beware: MDM onboarding is 'insecure'

Hackers can blow holes in Apple's managed service technology and sneak their own rogue devices onto corporate fleets of mobile iThings. Weaknesses in Apple's Device Enrollment Program (DEP) allow the ne'er-do-wells to run targeted attacks on both the networks of the corporate shiny-shiny and the backend systems that support …

  1. Norman Nescio Silver badge

    Serial number story

    If you want a nice story linking serial numbers and security, the 'German tank problem' makes a nice aside. For those unwilling to follow the link, the tl;dr summary is that statistical analysis of serial numbers on captured German tank equipment allowed the Allies to estimate the production rate of the tanks surprisingly accurately. Allotting identification numbers from a large (compared to the number of items manufactured) set of random numbers is advisable if you wish to keep your production rate secret.

    1. GnuTzu
      Joke

      Re: Serial number story -- Make 'em Really Big

      Yes, large, but monotonically increasing, so it will actually look like massive inventories are being built up.

      Reminds me of a joke in which the Russian asked America to manufacture prophylactics for Russians, a foot long and three inches in diameter. When the American manufacturers balked, the American leaders said make them but print on them a label that reads "size: small".

      1. Anonymous Coward

        Re: Serial number story -- Make 'em Really Big

        Heard the same story, only it was Churchill, insisting that they had "Made in England" printed on them as well as "size: small".

        Story goes that they were used to prevent Sten Guns jamming in Norway during WW2.
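As an added worked example of the estimator behind the German tank problem that Norman Nescio's comment refers to (this is not code from the thread or from any of the commenters), here is a small Go program. It applies the classic frequentist estimate N ≈ m + m/k - 1 to a constructed sample of sequential serials, then shows why the mitigation in that comment works: fed identifiers drawn at random from a large space, the same estimator returns a number that says nothing about how many items exist. The sample serials, the 10^9 ID space and the count of three items are all assumptions made up for the illustration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// EstimateTotal applies the classic frequentist estimator for the German tank
// problem: N ≈ m + m/k - 1, where m is the largest serial observed and k is the
// number of captured samples. It assumes serials were issued 1..N without gaps,
// which is exactly the property that leaks the production count.
func EstimateTotal(serials []int64) (float64, error) {
	if len(serials) == 0 {
		return 0, errors.New("no samples")
	}
	var m int64
	for _, s := range serials {
		if s <= 0 {
			return 0, fmt.Errorf("serial %d is not a positive sequence number", s)
		}
		if s > m {
			m = s
		}
	}
	k := float64(len(serials))
	return float64(m) + float64(m)/k - 1, nil
}

// RandomID draws an identifier uniformly from [1, space] with a CSPRNG. This is
// the mitigation from the thread: when IDs are sparse and random, the largest
// value seen carries no information about how many were issued.
func RandomID(space int64) (int64, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(space))
	if err != nil {
		return 0, err
	}
	return n.Int64() + 1, nil
}

func main() {
	// Constructed sample: four sequential serials captured from one production run.
	seq := []int64{19, 40, 42, 60}
	est, _ := EstimateTotal(seq)
	fmt.Printf("sequential serials %v -> estimated run size %.0f\n", seq, est)

	// Constructed sample: three IDs drawn from a space of 10^9 for only three items.
	sparse := []int64{482103771, 91337, 207655812}
	est, _ = EstimateTotal(sparse)
	fmt.Printf("sparse random IDs %v -> estimate %.0f, unrelated to the real count of 3\n", sparse, est)

	// What an issuer using the mitigation would actually hand out.
	for i := 0; i < 3; i++ {
		id, err := RandomID(1_000_000_000)
		if err != nil {
			panic(err)
		}
		fmt.Println("freshly issued random id:", id)
	}
}
```

With the sequential sample the estimate is 74 for a true run that the classic textbook case puts at roughly that size; with the sparse sample it is about 643 million, so an observer learns the size of the ID space and nothing about the number of devices actually built.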

  2. CelineDion69

    Feature not a bug

    Really not a vulnerability.

    1. K

      Re: Feature not a bug

      Nope... Just poor judgement in choosing a method for identification!

      1. CelineDion69

        Re: Feature not a bug

        Even if you've managed to generate a serial that exists in both Apple and the target's ABM/DEP database, you're surely going to be hit with compliance policies and further directory authentication for anything sensitive. That is of course assuming the MDM engies and admins aren't complete morons.

  3. Anon Ymous 42

    This is easy to fix.

    While the recommendation to move away from predictable serial numbers is still a good one, the MDM enrollment need only incorporate the device identity certificate that is burned into each device. Any device after a 5S has the private key protected by the secure element. Use of signing and chain checking can very effectively secure the existing protocol. Do searches on Apple’s over the air support of the SCEP protocol to get more info about this embedded cert.

    1. Anonymous Coward

      Re: This is easy to fix.

      > Hackers can ... sneak their own rogue devices onto corporate fleets of mobile iThings.

      I'm struggling to see how this works. I'm a hacker and I have my own iThing, bought from the store with its own serial number. I know that Megacorp is buying lots of iThings and I guess the serial number of one of their new devices. I then allow my device to go through DEP (i.e. reset it) and I man-in-the-middle the data traffic and substitute the guessed serial for the real one in the data stream. Apple's DEP is then fooled and I have a device that builds with the megacorp build.

      And then what? Any corp that deploys a sensitive app onto a mobile device will require the user to authenticate with corporate credentials in case a genuine corp device is stolen. So as a hacker I can't get any further without stolen credentials.

      1. phuzz Silver badge

        Re: This is easy to fix.

        "Any corp that deploys a sensitive app onto a mobile device will require the user to authenticate with corporate credentials"

        Unless, and bear with me here, unless they're not very good at security.

        You might as well say that Wordpress sites are secure because anyone that uses them will keep up to date with security patches. They should, but a large number of organisations won't.

      2. CelineDion69

        Re: This is easy to fix.

        Right, this was my point as well. Not to mention that having a device in DEP doesn't just magically allow you to enroll into all MDM configurations - many configs do not accept enrollments from unknown devices and users. Some require tokens to even be able to complete enrollment. And forcing authentication for DEP would break a lot of processes for a lot of enterprises. The only vulnerability here is having flunkie UEM/MDM engies and admins. If I was DUO, I'd be fairly embarrassed about "disclosing" a feature as a "critical security vulnerability".

      3. Anon Ymous 42

        Re: This is easy to fix.

        The protection is two-fold. The identity cert contains the signed identifier of the device that is trying to be added; this identifier can't be changed without being noticed, because the root private key that signed the identity cert is kept securely at Apple. The second protection is that man-in-the-middle is mitigated: while normal TLS can be more easily MITMed, when using mutual TLS where a client cert is used (the burned-in device identity cert), simply validating the chain (the same root controlled by Apple mentioned above) means a MITM situation can be very easily detected. Again, search "Apple SCEP over the air" to get in-depth info; I'm only suggesting that MDM use the same mechanism that secures this SCEP protocol. Using mutual authentication with this "burned-in" identity cert (with proper signature verification and chain checking) is all that is needed.
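As an added illustration of the chain-checking idea in Anon Ymous 42's two comments above, here is a constructed Go program; it is not code from the thread, from Apple, or from any MDM product, and it does not model how Apple's real device certificates encode the identifier. It builds a stand-in root (the "Constructed Device Root" name, the certificate serials and the SERIAL-… strings are all made up), signs one device identity certificate whose Common Name carries the device serial, and then runs the server-side check an enrollment service would apply to the client certificate it received over mutual TLS. Two failure cases from the thread are exercised: the serial in the data stream is swapped for a guessed one while the genuine certificate is presented (the mismatch is caught), and a certificate is minted for the guessed serial by someone who does not hold the root key (the chain check is what catches it).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DevicePKI is a constructed stand-in for a vendor-controlled root and one
// device identity certificate whose Common Name carries the device serial.
type DevicePKI struct {
	RootCert *x509.Certificate
	DevCert  *x509.Certificate
	DevKey   *ecdsa.PrivateKey // on a real device this key never leaves hardware
}

// template returns a certificate template; CA templates may sign other certs.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewDevicePKI builds the root and signs one device certificate under it.
func NewDevicePKI(deviceSerial string) (*DevicePKI, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := template("Constructed Device Root", 1, true)
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	dev, err := issue(template(deviceSerial, 2, false), root, &devKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &DevicePKI{RootCert: root, DevCert: dev, DevKey: devKey}, nil
}

// ForgedDeviceCert models a certificate minted for a guessed serial by someone
// without the root key: the issuer name copies the real root, but the signature
// is made with a key of their own, so chain validation must reject it.
func ForgedDeviceCert(rootCert *x509.Certificate, guessedSerial string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	fakeParent := template(rootCert.Subject.CommonName, 1, true)
	return x509.CreateCertificate(rand.Reader, template(guessedSerial, 3, false), fakeParent, &key.PublicKey, key)
}

// VerifyEnrollment is the server-side check: the presented client certificate
// must chain to the trusted root, and the serial claimed in the enrollment
// payload must equal the serial bound into that certificate.
func VerifyEnrollment(roots *x509.CertPool, certDER []byte, claimedSerial string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain check failed: %w", err)
	}
	if cert.Subject.CommonName != claimedSerial {
		return errors.New("claimed serial does not match the identity certificate")
	}
	return nil
}

func main() {
	p, err := NewDevicePKI("SERIAL-GENUINE-0001") // constructed serial
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(p.RootCert)
	forged, _ := ForgedDeviceCert(p.RootCert, "SERIAL-GUESSED-0002")
	fmt.Println("genuine cert, true serial:", VerifyEnrollment(roots, p.DevCert.Raw, "SERIAL-GENUINE-0001"))
	fmt.Println("genuine cert, substituted serial:", VerifyEnrollment(roots, p.DevCert.Raw, "SERIAL-GUESSED-0002"))
	fmt.Println("forged cert, guessed serial:", VerifyEnrollment(roots, forged, "SERIAL-GUESSED-0002"))
}
```

The third piece of the comment's argument, that the client cert is only useful to whoever holds the matching private key, is supplied by the mutual TLS handshake itself: the client signs the handshake transcript in CertificateVerify, so a copied certificate without the hardware-protected key never reaches this check. The first call returns nil; the second fails on the serial comparison; the third fails inside cert.Verify because no trusted root produced the signature.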
