At the Black Hat security conference this week, David Schuetz, senior consultant at Intrepidus Group, provided a detailed overview of Apple's MDM (mobile device management) and its potential security implications. As an added bonus, Schuetz also released a proof-of-concept tool to help others examine Apple's approach to MDM.
"MDM provides enterprises a way to exert some control over the configuration and management of mobile devices within their enterprise," Schuetz said. He added that MDM has options for enforcing password policies and pushing out configuration changes, and that it can do so for all mobile devices within an organization simultaneously.
"The problem that we've had is that Apple's MDM protocol has not been publicly documented," Schuetz said. "That presents a problem for people like us that want to evaluate the security of the system and whether it introduces any new risks to an enterprise."
Schuetz therefore set out to figure out how MDM works and what the potential risks might be. In general, he noted that Apple's MDM protocol is pretty good: he didn't find anything obviously wrong with the way the system works. That said, there might be some potential risk vectors in the system.
"The MDM system works over HTTPS, so any time you've got a man-in-the-middle vulnerability you introduce a risk," Schuetz said.
To aid further research into Apple MDM, Schuetz is releasing the code for a research MDM tool.
"The point of releasing code is not to release a product to manage people's devices," Schuetz said. "The point of the tool is to give people a very simple tool that they can use to experiment with MDM."
The tool works like this: the researcher enrolls a mobile device, sends commands to the iOS device from the MDM tool, and then sees what the device's response is.
Schuetz noted that without a publicly available MDM server for iOS, it has been difficult, if not impossible, to see how users could be targeted through MDM, whether via social engineering or other means.
"Now there is the possibility where you could demonstrate a man-in-the-middle attack on the server, so we want to explore to see if that is possible," Schuetz said.
While Apple's MDM is now going to be more accessible to security researchers thanks to Schuetz's work, he noted that there isn't too much for users to worry about at this point.
"There are some obscure attacks that I believe we can apply, but nothing that makes me tell customers today to stop using MDM because it's dangerous," Schuetz said.