Samsung Android must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258677	KNOX-14-210160	SV-258677r931231_rule		Medium

Description
If no authentication is required to establish personal hotspot connections (Wi-Fi and Bluetooth), an adversary may be able to use that device to perform attacks on other devices or networks without detection. A sophisticated adversary may also be able to exploit unknown system vulnerabilities to access information and computing resources on the device. Requiring authentication to establish personal hotspot connections mitigates this risk. Application note: If hotspot functionality is permitted, it must be authenticated via a preshared key. There is no requirement to enable hotspot functionality, and it is recommended this functionality be disabled by default. SFR ID: FMT_SMF_EXT.1.1 #41

Description

If no authentication is required to establish personal hotspot connections (Wi-Fi and Bluetooth), an adversary may be able to use that device to perform attacks on other devices or networks without detection. A sophisticated adversary may also be able to exploit unknown system vulnerabilities to access information and computing resources on the device. Requiring authentication to establish personal hotspot connections mitigates this risk. Application note: If hotspot functionality is permitted, it must be authenticated via a preshared key. There is no requirement to enable hotspot functionality, and it is recommended this functionality be disabled by default. SFR ID: FMT_SMF_EXT.1.1 #41

STIG	Date
Samsung Android OS 14 with Knox 3.x COPE Security Technical Implementation Guide	2023-10-18

Details

Check Text ( C-62417r931229_chk )
Review the configuration to determine if the Samsung Android devices are enabling authentication of personal hotspot connections to the device using a preshared key. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device restrictions, verify "Configure tethering" is set to "Disallow". On the Samsung Android device: 1. Open Settings >> Connections. 2. Verify "Mobile Hotspot and Tethering" is grayed out. If on the management tool "Configure tethering" is not set to "Disallow", or on the Samsung Android device "Mobile Hotspot and Tethering" is not grayed out, this is a finding.

Check Text ( C-62417r931229_chk )

Review the configuration to determine if the Samsung Android devices are enabling authentication of personal hotspot connections to the device using a preshared key.

This validation procedure is performed on both the management tool and the Samsung Android device.

On the management tool, in the device restrictions, verify "Configure tethering" is set to "Disallow".

On the Samsung Android device:
1. Open Settings >> Connections.
2. Verify "Mobile Hotspot and Tethering" is grayed out.

If on the management tool "Configure tethering" is not set to "Disallow", or on the Samsung Android device "Mobile Hotspot and Tethering" is not grayed out, this is a finding.

Fix Text (F-62326r931230_fix)
Configure the Samsung Android devices to enable authentication of personal hotspot connections to the device using a preshared key. On the management tool in the device restrictions, set "Configure tethering" to "Disallow". If the deployment requires the use of Mobile Hotspot and Tethering, Knox Platform for Enterprise (KPE) policy can be used to allow them in a STIG-approved configuration. In this case, do not configure this policy and instead replace with KPE policy (innately by the management tool or via Knox Service Plugin [KSP]) "Allow open Wi-Fi connection" with value "Disable" and add Training Topic "Don't use Wi-Fi Sharing" (refer to Supplemental document for additional information).

Fix Text (F-62326r931230_fix)

Configure the Samsung Android devices to enable authentication of personal hotspot connections to the device using a preshared key.

On the management tool in the device restrictions, set "Configure tethering" to "Disallow".

If the deployment requires the use of Mobile Hotspot and Tethering, Knox Platform for Enterprise (KPE) policy can be used to allow them in a STIG-approved configuration. In this case, do not configure this policy and instead replace with KPE policy (innately by the management tool or via Knox Service Plugin [KSP]) "Allow open Wi-Fi connection" with value "Disable" and add Training Topic "Don't use Wi-Fi Sharing" (refer to Supplemental document for additional information).