
The mobile operating system's Bluetooth stack must use 128-bit Bluetooth encryption when performing data communications with other Bluetooth devices.


Overview

Finding ID: KNOX-04-001600
Version: KNOX-04-001600
Rule ID: KNOX-04-001600_rule
IA Controls:
Severity: Medium
Description
If data traffic is sent unencrypted, an adversary may be able to read it to obtain sensitive information. 128-bit Bluetooth encryption for data communications mitigates the risk of unauthorized eavesdropping. DoD has determined that FIPS 140-2 validated encryption is not required for voice communications.
STIG: Samsung Knox Android 1.0 STIG
Date: 2013-05-03

Details

Check Text (C-KNOX-04-001600_chk)
This check procedure is identical to the check procedure for KNOX-04-001500 (SRG-OS-000114-MOS-000068). It need not be repeated if results have already been acquired from that check procedure.

This check procedure is performed on both the MDM Administration Console and the Samsung Knox Android device.

Check that the appropriate setting is configured on the MDM server.

For example, on the Fixmo Sentinel Administration Console:
1. Ask the administrator to display the list of whitelisted Bluetooth devices in the "Android Restrictions" group.
2. Verify only the BAI smart card reader and headset are present on the list (Note: this is signified by a single entry of "401D59").

On the Samsung Knox Android device:
1. Open device settings and select "Bluetooth".
2. Review existing Bluetooth devices and verify that only the BAI smart card reader and headset are paired and/or are able to pair.


If there are any unauthorized devices on the whitelist, this is a finding.
Fix Text (F-KNOX-04-001600_fix)
Limit Bluetooth devices to those known to employ 128-bit Bluetooth encryption.

For example, on the Fixmo Sentinel Administration Console, add to the whitelist of the "Android Restrictions" rule the manufacturer ID (the first 6 characters of the Bluetooth MAC address) of each device that should be allowed to pair.

Note: To whitelist the Biometric Associates, LP Bluetooth Smart Card Reader, enter: 401D59
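The manufacturer-ID comparison behind this check, as an added example that is not part of the STIG or of the Fixmo product: it assumes the paired-device list has been transcribed by hand from the device's Bluetooth settings, and the device names, addresses and function names are constructed for illustration. A match on the 6-character prefix identifies the manufacturer only, not an individual device.

```python
import re

# Whitelist as described on this page: one manufacturer ID (first 6 hex
# characters of the Bluetooth MAC address) covering the BAI reader and headset.
WHITELIST = {"401D59"}

# Constructed sample of paired devices (names and addresses are made up).
PAIRED = [
    ("BAI Smart Card Reader", "40:1D:59:00:12:34"),
    ("Headset", "40-1d-59-ab-cd-ef"),
    ("Car Kit", "001A.7DDA.7113"),
    ("Unknown", "40:1D:59:00"),
]


def manufacturer_id(mac):
    """Return the 6-character manufacturer ID, or None if mac is malformed."""
    digits = re.sub(r"[:\-.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return digits[:6]


def whitelist_errors(whitelist):
    """Return whitelist entries that are not exactly 6 hex characters."""
    return [w for w in whitelist if not re.fullmatch(r"[0-9A-Fa-f]{6}", w.strip())]


def audit(paired, whitelist):
    """Return (name, mac, reason) for every paired device that is a finding."""
    allowed = {w.strip().upper() for w in whitelist}
    findings = []
    for name, mac in paired:
        oui = manufacturer_id(mac)
        if oui is None:
            # A truncated or mistyped address cannot be matched; flag it.
            findings.append((name, mac, "malformed address"))
        elif oui not in allowed:
            findings.append((name, mac, "manufacturer ID %s not whitelisted" % oui))
    return findings


if __name__ == "__main__":
    for bad in whitelist_errors(WHITELIST):
        print("INVALID WHITELIST ENTRY: %r" % bad)
    for name, mac, reason in audit(PAIRED, WHITELIST):
        print("FINDING: %s (%s): %s" % (name, mac, reason))
```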