Apple iOS must disable voice-activated assistant functionality when the device is locked (Voice Dialing).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-43213	AIOS-02-000012	SV-55961r1_rule		Medium

Description
On iOS devices, users can access the device's contact database or calendar to obtain phone numbers and other information using a human voice even when the mobile device is locked. Often this information is personally identifiable information (PII), which is considered sensitive. It could also be used by an adversary to profile the user or engage in social engineering to obtain further information from other unsuspecting users. Disabling access to the contact database and calendar in these situations mitigates the risk of this attack.

Description

On iOS devices, users can access the device's contact database or calendar to obtain phone numbers and other information using a human voice even when the mobile device is locked. Often this information is personally identifiable information (PII), which is considered sensitive. It could also be used by an adversary to profile the user or engage in social engineering to obtain further information from other unsuspecting users. Disabling access to the contact database and calendar in these situations mitigates the risk of this attack.

STIG	Date
Apple iOS 7 STIG	2014-01-30

Details

Check Text ( C-49240r1_chk )
This check procedure is performed on both the iOS Over-the-Air management tool and the iOS device. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the iOS Over-the-Air management tool, verify "Allow voice dialing" is unchecked. For example, in Mobile Iron Admin Portal: 1. Ask the MDM administrator to display the "POLICIES & CONFIGS". 2. Click or tap on the word "Configurations". 3. Click or tap the configuration name. 4. Expand "Details" under "App Setting Details". 5. Verify "Allow voice dialing" is set to "false". Alternatively, verify the text "allowVoiceDialing" appears in the configuration profile (.mobileconfig file). On the iOS device: 1. Hold down the home button on a locked iOS device for 5 seconds. 2. Verify that Voice Control does not activate. If "Allow voice dialing" is checked in the iOS Over-the-Air management tool, "allowVoiceDialing" appears in the configuration profile, or Voice Control activates on a locked iOS device, this is a finding.

Check Text ( C-49240r1_chk )

This check procedure is performed on both the iOS Over-the-Air management tool and the iOS device.
Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review.

In the iOS Over-the-Air management tool, verify "Allow voice dialing" is unchecked.
For example, in Mobile Iron Admin Portal:
1. Ask the MDM administrator to display the "POLICIES & CONFIGS".
2. Click or tap on the word "Configurations".
3. Click or tap the configuration name.
4. Expand "Details" under "App Setting Details".
5. Verify "Allow voice dialing" is set to "false".

Alternatively, verify the text "allowVoiceDialing" appears in the configuration profile (.mobileconfig file).

On the iOS device:
1. Hold down the home button on a locked iOS device for 5 seconds.
2. Verify that Voice Control does not activate.

If "Allow voice dialing" is checked in the iOS Over-the-Air management tool, "allowVoiceDialing" appears in the configuration profile, or Voice Control activates on a locked iOS device, this is a finding.

Fix Text (F-48800r1_fix)
Configure Apple iOS to disable access to the device's contact database when the device is locked. In the iOS Over-the-Air management tool, uncheck "Allow voice dialing". For example, in Mobile Iron Admin Portal, edit the configuration and deselect the "Allow voice dialing".