
The mobile operating system's Bluetooth module must not permit any data transfer between devices prior to Bluetooth mutual authentication.


Overview

Finding ID:  KNOX-04-001500
Version:     KNOX-04-001500
Rule ID:     KNOX-04-001500_rule
IA Controls:
Severity:    Medium
Description
Bluetooth mutual authentication provides assurance that both the mobile device and Bluetooth peripheral are legitimate. If the authentication does not occur immediately before permitting a network connection, there is the potential for a man-in-the-middle attack in which a third device intercepts the traffic between the two legitimate devices. Mutual authentication prevents this from occurring.
STIG: Samsung Knox Android 1.0 STIG
Date: 2013-05-03

Details

Check Text ( C-KNOX-04-001500_chk )
This check procedure is performed on both the MDM Administration Console and the Samsung Knox Android device.

Check that the appropriate setting is configured on the MDM server.

For example, on the Fixmo Sentinel Administration Console:
1. Ask the MDM administrator to display the list of whitelisted Bluetooth devices in the "Android Restrictions" rule.
2. Verify only the BAI smart card reader and headset are present on the list (Note: this is signified by a single entry of "401D59").

On the Samsung Knox Android device:
1. Open device settings and select "Bluetooth".
2. Review existing Bluetooth devices and verify that only the BAI smart card reader and headset are paired and/or are able to pair.

If there are any unauthorized Bluetooth devices on the whitelist, this is a finding.
Fix Text (F-KNOX-04-001500_fix)
Configure the operating system's Bluetooth stack to prohibit data transfer between devices prior to Bluetooth mutual authentication.

For example, on the Fixmo Sentinel Administration Console, enter on the whitelist of the "Android Restrictions" rule the manufacturer ID (the first 6 characters of the Bluetooth MAC address) of each device that should be allowed to pair.

Note: To whitelist the Biometric Associates, LP Bluetooth Smart Card Reader, enter: "401D59".
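As an added example (not part of the STIG and not code from any MDM product), the following Python audit helper applies the whitelist logic described above: it normalizes the MAC addresses of paired Bluetooth devices, extracts the manufacturer ID (the first 6 hex characters, as in the Fix Text), and reports every device whose manufacturer ID is not on the whitelist. The device names and MAC addresses are constructed sample input; "401D59" is the value given by the STIG. Because the whitelist is keyed by manufacturer prefix, any device from that manufacturer passes it, which is why the on-device review of the paired list remains part of the check.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

# Whitelisted manufacturer IDs (first 6 hex digits of the Bluetooth MAC), as
# entered in the MDM "Android Restrictions" rule. "401D59" is the value the
# STIG gives for the Biometric Associates smart card reader and headset.
ALLOWED_MANUFACTURER_IDS: Set[str] = {"401D59"}


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 uppercase hex digits, stripping ':', '-', '.' and spaces.

    Raises ValueError when the result is not exactly 12 hex digits.
    """
    digits = re.sub(r"[:\-.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return digits


def manufacturer_id(mac: str) -> str:
    """Manufacturer ID: the first 6 hex digits of the normalized MAC."""
    return normalize_mac(mac)[:6]


def audit_paired_devices(
    devices: Iterable[Tuple[str, str]],
    allowed: Set[str] = ALLOWED_MANUFACTURER_IDS,
) -> List[Tuple[str, str, Optional[str]]]:
    """Return (name, mac, manufacturer_id) for each device not on the whitelist.

    An empty list means every paired device carries an allowed manufacturer ID;
    a non-empty list is a finding under KNOX-04-001500. An unparsable MAC is
    reported with manufacturer_id None rather than silently skipped.
    """
    findings: List[Tuple[str, str, Optional[str]]] = []
    for name, mac in devices:
        try:
            mid = manufacturer_id(mac)
        except ValueError:
            findings.append((name, mac, None))
            continue
        if mid not in allowed:
            findings.append((name, mac, mid))
    return findings


# Constructed sample of a device's paired-device list (hypothetical names and MACs).
SAMPLE_DEVICES = [
    ("BAI Smart Card Reader", "40:1D:59:0A:1B:2C"),
    ("Car kit", "00-1A-7D-DA-71-13"),  # hypothetical prefix 001A7D, not whitelisted
    ("Headset", "401d59aabbcc"),
]

if __name__ == "__main__":
    for name, mac, mid in audit_paired_devices(SAMPLE_DEVICES):
        print(f"FINDING: {name} ({mac}) manufacturer ID {mid} not whitelisted")
```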