A flaw in Apple’s device enrollment program used by schools and businesses could have been used to extract information from those devices, researchers who discovered the issue said on Thursday.

Apple products, like iPhones, MacBooks and iPads, are often registered and authenticated using their serial numbers through Apple’s Device Enrollment Program. Organizations use the program to manage devices they hand out. It’s how teachers monitor school-issued iPads and how the New York Police Department rolls out its custom apps for officers on its iPhones.

James Barclay, a senior research and design engineer with Duo Security, and Rich Smith, director of Duo Labs, found vulnerabilities with the program after discovering the serial number was all a potential attacker needed to get sensitive information from enrolled devices.

By entering an enrolled device’s serial number to request activation records, Duo Security’s researchers were able to retrieve details such as an organization’s address, phone number and email addresses, according to a research paper the pair wrote. Smith and Barclay detailed the research on Thursday at the Ekoparty security conference in Buenos Aires.

There are a number of ways to get a serial number, but Smith said the 12-character code was simple enough for Duo Security to create a program that generated every conceivable serial number. Because the request for activation records doesn’t have rate limits, a potential attacker could run searches without any obstacles, he said.

“While we aren’t releasing the code, I’m not going to pretend to be under the impression that this is something that can’t be reproduced,” Smith said. “It would not be difficult for someone to replicate the code that we’ve developed.”

If attackers obtained a serial number that hadn’t been enrolled yet, the researchers said, it would be possible for them to enroll their own device with that number and gather even more information, such as Wi-Fi passwords and customized apps.

Apple said it doesn’t consider the serial number issue to be a vulnerability with its products, citing its existing recommendation that organizations apply security measures to limit such attacks. People enrolled in Apple’s program can require user authentication, which would call for a username and a password along with the serial number.

Duo Security disclosed the vulnerability to Apple on May 16, and the company acknowledged Duo’s disclosure on May 17. Duo Security’s researchers said Apple hasn’t addressed the issue.