Apple Security Vulnerability Could Leave Corporate Networks Exposed

A new report alleges that Apple's business and scholastic device management service, the Device Enrollment Program (DEP), has a significant security hole that could impact the organizations that use it. DEP offers zero-touch setup for businesses, educational institutions and other organizations, linking multiple devices to a central server for configuration and content sharing.

Duo Security revealed that more than four months ago it discovered an authentication weakness in DEP which could give an attacker the ability to enroll any device into an organization's mobile device management (MDM) server, potentially enabling them to obtain privileged access that could be used to pivot further within the network.

In addition, an attacker could use serial numbers obtained through open-source intelligence (OSINT), social engineering or brute-force generation to query the DEP API for device profiles. The DEP profiles contain information about the organization, such as phone numbers and email addresses, which could be used to launch a social engineering attack against the organization's help desk or IT team, according to a blog post.

To protect users, mandatory two-factor authentication can be added to the service, but Duo noted that Apple should also add rate limits for device authentication requests and reduce the amount of information DEP returns to registering devices.

"In the meantime, Apple customers using DEP can protect themselves by requiring user authentication prior to MDM enrollment, or by not trusting devices simply because they're enrolled in MDM," wrote James Barclay, Senior R&D Engineer at Duo Labs.

Duo decided to go public with its findings after reporting the security issue to Apple as soon as it was discovered. However, while the company has acknowledged receipt of the information, so far it has not released a patch. Duo will also present its findings publicly at the ekoparty Security Conference on Friday, Sept. 28.
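As an added illustration of the rate limiting on device authentication requests that Duo recommends (example code added here, not Duo's or Apple's; the log format, addresses, serial numbers and thresholds are constructed), the sliding-window check below flags a client that queries many distinct serial numbers against an enrollment endpoint within a short span, while leaving a single device re-enrolling with its own serial unflagged.

```python
# Flag clients enumerating device serial numbers against an enrollment API.
# Added example, not Duo's or Apple's code; log format and values are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, client address, serial queried, outcome.
SAMPLE_LOG = """\
2018-09-26T10:00:01Z 203.0.113.5 C02ABC001 profile_returned
2018-09-26T10:00:02Z 203.0.113.5 C02ABC002 not_found
2018-09-26T10:00:03Z 203.0.113.5 C02ABC003 not_found
2018-09-26T10:00:04Z 203.0.113.5 C02ABC004 not_found
2018-09-26T10:00:05Z 203.0.113.5 C02ABC005 not_found
2018-09-26T10:00:06Z 203.0.113.5 C02ABC006 profile_returned
2018-09-26T10:01:00Z 198.51.100.7 C02XYZ900 profile_returned
2018-09-26T10:30:00Z 198.51.100.7 C02XYZ900 profile_returned
"""


def parse_log(text):
    # Parse the constructed format into (timestamp, client, serial, outcome) tuples.
    events = []
    for line in text.splitlines():
        ts, client, serial, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, serial, outcome))
    return events


def find_enumerators(events, window_seconds=60, max_distinct=3):
    """Return {client: peak distinct serials} for clients that queried more than
    max_distinct different serials inside any window_seconds span. A device
    re-enrolling repeats one serial and is not flagged; a sweep touches many."""
    per_client = defaultdict(list)
    for ts, client, serial, _ in events:
        per_client[client].append((ts, serial))
    flagged = {}
    for client, hits in per_client.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the span fits within window_seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({serial for _, serial in hits[start:end + 1]})
            if distinct > max_distinct:
                flagged[client] = max(distinct, flagged.get(client, 0))
    return flagged
```

Clients returned by `find_enumerators` are candidates for throttling or blocking at the enrollment endpoint; the thresholds are constructed and should be tuned to the normal enrollment volume of the service being protected.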