Fleet Device Management Predictable PIN Generation Vulnerability

Vulnerability

A vulnerability exists in Fleet device management software in versions prior to 4.80.1, where the application generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. This lack of a secret key or additional entropy means that the resulting PIN could potentially be derived if the approximate time the device was locked is known. In affected versions, the 6-digit PIN used for unlocking devices was deterministically created from the timestamp. An attacker with physical access to a locked device and knowledge of the approximate lock time could theoretically predict the correct PIN within a limited timeframe. However, several factors limit the likelihood of successful exploitation: physical access to the device is required, the approximate lock time must be known, the operating system imposes rate limits on PIN entry attempts, attempts would need to be spread over multiple days, and device wipe operations would typically conclude before enough attempts could be made.
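To make the weakness concrete, the following Go example (added here; it is not Fleet's code and the weak function is only an assumed illustration of the bug class, not Fleet's actual algorithm) places a timestamp-only PIN generator beside a version that draws the PIN from the operating system's CSPRNG. Go is used because Fleet itself is a Go code base. The key property to check in review is the one the advisory names: a PIN derived from nothing but the clock is fully determined by the lock time, while a CSPRNG-drawn PIN is independent of it.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"time"
)

// WeakPIN illustrates the vulnerable pattern: a 6-digit PIN derived solely
// from a Unix timestamp with no secret key or additional entropy.
// Constructed for illustration; this is NOT Fleet's real generation routine.
// Anyone who knows the approximate lock time can reproduce the same value.
func WeakPIN(lockedAt time.Time) string {
	return fmt.Sprintf("%06d", lockedAt.Unix()%1_000_000)
}

// SecurePIN draws a uniformly random 6-digit PIN from crypto/rand.
// The result has no relation to the clock, so knowing when the lock
// command was issued yields no information about the PIN.
func SecurePIN() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		return "", fmt.Errorf("csprng unavailable: %w", err)
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

// IsSixDigitPIN is a small format check shared by both generators.
func IsSixDigitPIN(pin string) bool {
	if len(pin) != 6 {
		return false
	}
	for _, c := range pin {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// DependsOnlyOnTime reports whether two generations at the same instant
// produce the same PIN, which is the property that makes WeakPIN predictable.
func DependsOnlyOnTime(lockedAt time.Time) bool {
	return WeakPIN(lockedAt) == WeakPIN(lockedAt)
}

func main() {
	// Constructed sample lock time for the demonstration.
	lockedAt := time.Unix(1700001234, 0)
	fmt.Println("weak PIN (deterministic):", WeakPIN(lockedAt))

	pin, err := SecurePIN()
	if err != nil {
		panic(err)
	}
	fmt.Println("secure PIN (random):", pin, "valid format:", IsSixDigitPIN(pin))
}
```

The fix the advisory describes amounts to replacing the first function with the second: the PIN must come from a cryptographically secure random source (or be keyed with a secret the device holder cannot observe), never from a value an observer can estimate such as the time of the lock command.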

Impact

The vulnerability allows for the prediction of device lock and wipe PINs, which could be exploited by an attacker with physical access to a locked device and knowledge of the approximate time the lock command was issued. This could lead to unauthorized unlocking of the device. However, the issue does not permit remote exploitation, fleet-wide compromise, or bypass of Fleet authentication controls.

Remediation

Users are advised to upgrade to Fleet version 4.80.1 or later, where this vulnerability has been patched. No known workarounds are available.

Added: Feb 26, 2026, 11:04 AM
Updated: Feb 26, 2026, 11:04 AM

Vulnerability Rating (Custom Algorithm)

spread: 0.8
impact: 1.7
exploitability: 4.2
remediation: 7.7
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.