Apple iOS must wipe all storage media after 10 consecutive, unsuccessful attempts to unlock the mobile device.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-43209	AIOS-01-000005	SV-55957r1_rule		Medium

Description
Mobile devices present additional risks related to attempted unauthorized access. If they are lost, stolen, or misplaced, attempts can be made to unlock the device by guessing the password. Once unlocked, an adversary may be able to obtain sensitive data on the device. Wiping storage media renders all such data permanently inaccessible. There are two acceptable methods to wipe the device. The first is to overwrite the data on the media several times, so it is not longer recoverable. In this case, the device should implement DoD 5220.22-M (E) (3pass), in which the media is overwritten three times. The second is to delete the locally stored encryption key on a device that encrypts all data stored on the device. In this case, the key must be wiped using a method complying with DoD 5220.22-M (ECE) (7 pass), in which all storage sectors containing the key are overwritten seven times. Alternative methods consistent with those described in NIST SP 800-88 (as revised) are acceptable.

Description

Mobile devices present additional risks related to attempted unauthorized access. If they are lost, stolen, or misplaced, attempts can be made to unlock the device by guessing the password. Once unlocked, an adversary may be able to obtain sensitive data on the device. Wiping storage media renders all such data permanently inaccessible. There are two acceptable methods to wipe the device. The first is to overwrite the data on the media several times, so it is not longer recoverable. In this case, the device should implement DoD 5220.22-M (E) (3pass), in which the media is overwritten three times. The second is to delete the locally stored encryption key on a device that encrypts all data stored on the device. In this case, the key must be wiped using a method complying with DoD 5220.22-M (ECE) (7 pass), in which all storage sectors containing the key are overwritten seven times. Alternative methods consistent with those described in NIST SP 800-88 (as revised) are acceptable.

STIG	Date
Apple iOS 7 STIG	2014-01-30

Details

Check Text ( C-49236r1_chk )
This check procedure is performed on both the iOS Over-the-Air management tool and the iOS device. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the iOS Over-the-Air management tool, verify "Maximum number of failed attempts" value is set to 10 or less. For example, in Mobile Iron Admin Portal: 1. Ask the MDM administrator to display the "POLICIES & CONFIGS". 2. Click or tap on the word "Policies". 3. Click or tap the policy name. 4. Expand "Details" under "Policy Details". 5. Verify "Maximum number of Failed Attempts" value is set to 10 or less. Note: A value less than 10 is acceptable but not recommended. Alternatively, verify the text "maxFailedAttempts 10" appears in the configuration profile (.mobileconfig file). On the iOS device: 1. Open the Settings app. 2. Tap "General". 3. Tap "Passcode Lock". 4. Enter Passcode. 5. Scroll to the bottom of the screen and verify the "Erase Data" control is toggled to the right and appears green. 6. Verify the phrase "Erase all data on this iPhone after 10 failed passcode attempts" appears under "Erase Data". If the "Maximum number of failed attempts" is a value more than 10 in the iOS Over-the-Air management tool, or "maxFailedAttempts" has an integer value of more than 10 in the configuration profile, or if "Erase Data" is toggled to the left and does not appear green on the iOS device, this is a finding.

Check Text ( C-49236r1_chk )

This check procedure is performed on both the iOS Over-the-Air management tool and the iOS device.
Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS Over-the-Air management tool, verify "Maximum number of failed attempts" value is set to 10 or less.
For example, in Mobile Iron Admin Portal:
1. Ask the MDM administrator to display the "POLICIES & CONFIGS".
2. Click or tap on the word "Policies".
3. Click or tap the policy name.
4. Expand "Details" under "Policy Details".
5. Verify "Maximum number of Failed Attempts" value is set to 10 or less.
Note: A value less than 10 is acceptable but not recommended.

Alternatively, verify the text "maxFailedAttempts 10" appears in the configuration profile (.mobileconfig file).

On the iOS device:
1. Open the Settings app.
2. Tap "General".
3. Tap "Passcode Lock".
4. Enter Passcode.
5. Scroll to the bottom of the screen and verify the "Erase Data" control is toggled to the right and appears green.
6. Verify the phrase "Erase all data on this iPhone after 10 failed passcode attempts" appears under "Erase Data".

If the "Maximum number of failed attempts" is a value more than 10 in the iOS Over-the-Air management tool, or "maxFailedAttempts" has an integer value of more than 10 in the configuration profile, or if "Erase Data" is toggled to the left and does not appear green on the iOS device, this is a finding.

Fix Text (F-48796r1_fix)
Configure Apple iOS to wipe the iOS device after 10 consecutive, unsuccessful attempts to unlock it. In the iOS Over-the-Air management tool, configure the "Maximum number of failed attempts" to a value of 10 or less. For example, in Mobile Iron Admin Portal, edit the policy and set "Maximum number of Failed Attempts" to 10 or less.