UCF STIG Viewer Logo

The ability to wipe a DoD iOS device via an iCloud account must be disabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34322 WIR-MOS-iOS-70-05 SV-44851r2_rule ECWN-1 Medium
Description
If a DoD iOS device is associated with an iCloud account, a user of that iCloud account, or anyone who gains access to that iCloud account, can send a device wipe command to the iOS device and the device will wipe itself. This will cause a Denial-Of-Service (DOS) attack on the device. There are two possible mitigations for this vulnerability: 1. Disable all personal email on the iOS device via an iOS Restriction. This is the recommended method. The use of personal email on iOS devices could cause sensitive DoD data to be saved on the device outside the security container if a DoD email message with sensitive data is forwarded to a personal email account and that email message is viewed on the device. Disabling all personal email also disables "Find My iPhone" which, if functional, would have the capability of wiping a DoD iOS device from an iCloud account, which is configured to a personal email address. 2. Disable "Find My iPhone" via an iOS Restriction. This method should only be used if there is a mission need for a user to have personal email accounts set up on their DoD iOS device and use of personal email has been approved by the DAA.
STIG Date
Apple iOS 6 Security Technical Implementation Guide (STIG) 2013-05-23

Details

Check Text ( C-42312r7_chk )
Interview the site IAO and iOS device system administrator. Also, perform the following actions on a random sample of site-managed iOS devices (3-4 devices, iPhone and iPad).

-Verify an iOS restriction has been placed on the iOS devices and the system administrator has assigned a four character passcode, so the user cannot remove it. The iOS Restriction passcode must meet the same complexity requirements as the device unlock passcode: no sequential numbers and no repeating numbers.

*Have the site iOS system administrator show that a Restriction policy is on the device. Go to Settings > General > Restrictions. Mark as a finding if no Restriction exists.

*Have the site iOS system administrator log into the Restriction policy. Mark as a finding if the restriction passcode is not 4 characters and does not meet the complexity requirements.

*Interview several users and determine if they have been given the Restriction passcode by the system administrator. If yes, mark as a finding.

-After the system administrator opens the Restriction, verify the following configuration setting has been set in the Restriction policy to disable the capability for a device wipe command to be initiated on the device when received from an iCloud account:

----Allow Changes > Accounts > Don't Allow Changes (If the DAA has not approved the use of personal email, this setting must be checked. If not checked, ask to see documentation showing DAA approval of personal email on site-managed iOS devices.)

-If personal email is allowed, verify the following configuration setting has been set in the Restriction policy:

----Privacy > Location Services > Find My iPhone set to Off.

Mark as a finding if any of these settings is not set as required.
Fix Text (F-38284r2_fix)
Set up the required Restriction policy on each site-managed iOS device.