Serial numbers of Apple products issued by organizations can reveal sensitive information, according to a security firm
A company called Duo Security came out with information about potential misuse of the Device Enrollment Program. The program allows participants to request activation records for each device by entering its serial number. The records also include e-mail addresses, phone numbers and addresses. The idea is that if you have the serial number, the additional information is already known to you anyway. However, what Duo Security discovered is that the serial numbers can be generated by a program, allowing them to fill in a generated one and see who’s the owner of the device that matches the number, along with any other information contained in the record.
If the generated serial number is part of the Device Enrollment Program, but unassigned to a specific organization, it can be used to enroll a new device as part of one and get access to additional information like Wi-Fi passwords, apps and VPN configurations.
The company said it won’t be releasing the code for the generator but made it clear that it wasn’t a complex one and potential wrongdoers can easily replicate it.
Apple was informed about the issue in May this year, but said it’s not considering it a vulnerability, since participants in the program are advised to use additional measures to prevent it. The program allows organization to require a username and password as an addition to the serial number, when an activation record is requested. Knowing how lightly some organizations handle their software security, we can imagine that many aren’t using the added security measure.