It was found to be possible to bypass the host-pairing (allow pairing with non-configurator hosts) restriction applied to a supervised iOS device that is enrolled in the Apple Device Enrolment Program (DEP).
On iOS, device supervision allows an organisation to apply additional device security settings that are not configurable via a traditional MDM configuration profile or via device settings. One such setting is the ability to prevent the iOS device from connecting to hosts, other than the supervising device.
Under normal circumstances, when host-pairing is restricted it is not possible to pair the iOS device with a host other than the supervising device. When attempting to do so, the user is presented with the message “This device is being supervised by another device”.
It was possible to bypass this restriction using the Download Firmware Update (DFU) mode to update to the latest iOS version, where it appears that a host “keypair” is automatically added to pair_records of the iOS device.
This issue allows an attacker to pair a host machine, other than the supervising host, with an iOS device that has host-pairing restricted. During testing a macOS Sierra 10.12.1 (Macbook) device was used, as well as an iOS 10.1 (iPhone 7) device. The following actions were found to be possible even though the device supervision of the iOS device should prevent them:
Due to configuration restrictions applied by a configuration profile installed on the device, the following actions were not possible from a host-paired device, but would be possible if additional security settings had not been applied to the device:
The root cause of this issue is currently unclear. It is suspected that during the DFU update process, the iOS device creates a pairing record for the connected Mac OS device (pairing records on iOS are stored within /var/root/Library/pair_records), and that this record is not subsequently removed after the DFU update.
Currently, host-pair restrictions should not be relied upon to restrict iOS features. A defence-in-depth approach should be taken with additional security controls applied the iOS device via the device supervision profile. In particular, it is recommended that the following restrictions are applied in order to mitigate this issue:
Update to the latest stable and secure iOS version (iOS 11 and above).
Please refer to the attached advisory.
|02/02/2017||Issue reported to vendor|
|19/09/2017||Vendor releases patch|