Apple’s MDM (Mobile Device Management) protocol will be put under the microscope at the upcoming “Black Hat USA 2011” conference to be held in Las Vegas August 3-4. It’s clear that the Apple MDM protocol will be available to the public, and this raises the issue of whether Apple should officially make it public and allow security professionals to review it. In the long run, this will make the Apple MDM protocol stronger and increase the confidence of IT and security professionals in Apple. Security through obscurity won’t cut it anymore.
The Apple MDM protocol is now “worthy” of this type of attention, and this should raise a concern with enterprises that the Apple approach of keeping MDM “proprietary and secret” via its iOS Enterprise Developer Agreement (IDEP) and agreements with MDM and MAM developers may not be sustainable.
The recent iOS 4.3.5 update (see “Important Security Update for IOS 4.3.5”, http://blog.apperian.com/2011/07/important-security-update-for-ios-435.html) reminds us that iPhones, iPads, Android and other “smart devices” are increasingly targets of more sophisticated attacks.
Here is the “Full Text” of the session abstract (available at http://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html).
Inside Apple’s MDM Black Box
Mobile Device Management (MDM) has become a hot topic as organizations are pressured to bring iStuff into their organization. Mobile devices are invading every level of corporate society, making the need to remotely manage and control them increasingly urgent. Apple has provided some enterprise management features, first via over-the-air configuration profiles, and beginning in 2010, full MDM support. Unfortunately, the exact features available through MDM, as well as details of the protocol itself, are tightly controlled by Apple.
This talk dissects how Apple MDM works. Starting with basic iOS configuration principles, the talk explores mobile config profiles generated by the iPhone Configuration Utility, over-the-air profile delivery, and eventually describes the key features and mechanisms behind MDM, including remote device locking and wiping. Finally, we explore how to implement your own MDM server, which allows you to manage iOS devices using official device management APIs. We also explore the security and social engineering impacts of freely available MDM servers with these capabilities.
Apple, you’re in the big time now. The Black Hats are coming.