Serial numbers of Apple products issued by organizations can reveal sensitive information, according to a security firm
Apple products are preferred by many organizations, from businesses equipping their employees with MacBooks and iPhones, to schools and universities providing iPads for educational purposes. Apple offers a solution to manage and configure large amounts of devices with its Device Enrollment Program. The way the program keeps track of each Apple product that is enrolled is through its serial number.
A company called Duo Security came out with information about potential misuse of the Device Enrollment Program. The program allows participants to request activation records for each device by entering its serial number. The records also include e-mail addresses, phone numbers and addresses. The idea is that if you have the serial number, the additional information is already known to you anyway. However, what Duo Security discovered is that the serial numbers can be generated by a program, allowing them to fill in a generated one and see who’s the owner of the device that matches the number, along with any other information contained in the record.
If the generated serial number is part of the Device Enrollment Program, but unassigned to a specific organization, it can be used to enroll a new device as part of one and get access to additional information like Wi-Fi passwords, apps and VPN configurations.
The company said it won’t be releasing the code for the generator but made it clear that it wasn’t a complex one and potential wrongdoers can easily replicate it.
Apple was informed about the issue in May this year, but said it’s not considering it a vulnerability, since participants in the program are advised to use additional measures to prevent it. The program allows organization to require a username and password as an addition to the serial number, when an activation record is requested. Knowing how lightly some organizations handle their software security, we can imagine that many aren’t using the added security measure.
The company said it won’t be releasing the code for the generator but made it clear that it wasn’t a complex one and potential wrongdoers can easily replicate it.
Apple was informed about the issue in May this year, but said it’s not considering it a vulnerability, since participants in the program are advised to use additional measures to prevent it. The program allows organization to require a username and password as an addition to the serial number, when an activation record is requested. Knowing how lightly some organizations handle their software security, we can imagine that many aren’t using the added security measure.
Popular stories
Latest News
FCC OKs Cingular\'s purchase of AT&T Wireless
Things that are NOT allowed: