accepted
BlackBerry Handheld Device Security Technical Implementation Guide
BlackBerry handheld STIG in XCCDF format
DISA, Field Security Operations
STIG.DOD.MIL
Release: 2 Benchmark Date: 26 Oct 2012
2
I - Mission Critical Public<ProfileDescription></ProfileDescription>
I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>
I - Mission Critical Classified<ProfileDescription></ProfileDescription>
II - Mission Support Public<ProfileDescription></ProfileDescription>
II - Mission Support Sensitive<ProfileDescription></ProfileDescription>
II - Mission Support Classified<ProfileDescription></ProfileDescription>
III - Administrative Public<ProfileDescription></ProfileDescription>
III - Administrative Sensitive<ProfileDescription></ProfileDescription>
III - Administrative Classified<ProfileDescription></ProfileDescription>
Password Keeper configuration<GroupDescription></GroupDescription>
WIR1030-01 When the Password Keeper is enabled on the BlackBerry device, the DAA must review and approve its use, and the application must be configured as required.
<VulnDiscussion>Password Keeper is a default BlackBerry application provided by RIM that can be installed on the BlackBerry handheld device. It allows users to store passwords. The use of Password Keeper should be reviewed and approved by the local DAA. Passwords are stored with 256-bit AES encryption provided by the BlackBerry FIPS 140-2 validated cryptographic module. Passwords in the Password Keeper can be copied and pasted into other applications, but a copied password is unencrypted while it resides in the BlackBerry handheld device clipboard.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>
VMS Target Blackberry Client
DISA FSO
VMS Target Blackberry Client
854
When the Password Keeper is enabled on the BlackBerry device, the DAA has reviewed and approved its use, and the application is configured as required.
Detailed Policy Requirements:
When the Password Keeper is enabled on the BlackBerry device, the DAA must have reviewed and approved its use, and the application must be configured to enforce the following password rules:
- Require passwords of eight or more characters. The Password Keeper must be configured to enforce this rule.
- Set the number of incorrect password attempts allowed before the stored passwords are wiped to 10 or fewer. The Password Keeper must be configured to enforce this rule.
- Set local policy to require a password change at least every 90 days.
Check Requirements:
Interview the IAO.
Ask if users are allowed to use Password Keeper on their handheld devices.
If Password Keeper is used:
- Review the DAA approval documentation for this use.
- Work with the IAO to view the Password Keeper configuration on a sample of BlackBerry devices that use the application. On each BlackBerry, go to Applications > Password Keeper (the Password Keeper icon may also be placed directly on the BlackBerry home screen). Have the user log into Password Keeper, click the menu, select Options, and verify the following settings:
- Verify Random Password Length is set to 8 or more.
- Verify Password Attempts is set to 10 or fewer.
- Verify users are trained on the password change requirement (90 days or less) by reviewing the user agreement or training materials.
If Password Keeper is not authorized:
- Review a sample of site BlackBerry devices (2-3 devices) to verify Password Keeper is not installed: Settings > Options > Advanced > Applications. Review the list of installed applications and confirm Password Keeper is not on the list.
Bluetooth SCR usage -02<GroupDescription></GroupDescription>
WIR1040-02 BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
<VulnDiscussion>Insecure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECWN-1</IAControls>
VMS Target Blackberry Client
DISA FSO
VMS Target Blackberry Client
854
BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Detailed Policy Requirements:
When the BlackBerry Bluetooth Smart Card Reader (SCR) is used as a PC SCR, the following requirements must be followed:
- The DAA must approve the use of a Bluetooth smart card reader with command/site PCs.
Check Procedures:
Interview the IAO and wireless email system administrator.
Determine if use of the BlackBerry SCR with site PCs has been approved. If yes, verify the following requirements are met:
- The DAA has approved the use of the RIM BlackBerry SCR with site PCs. Have the IAO provide documentation showing DAA approval (letter, memo, SSP, etc.).
METAmessage not installed on BlackBerry device<GroupDescription></GroupDescription>
WIR1050-01 Onset Technologies METAmessage software must not be installed on DoD BlackBerry devices or on the BES.
<VulnDiscussion>Onset Technologies METAmessage software is third-party production software that may introduce a virus or other malicious code onto the system. This software is not approved for use on DoD systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECWN-1</IAControls>
VMS Target Blackberry Client
DISA FSO
VMS Target Blackberry Client
854
Remove Onset Technologies METAmessage software installed on DoD BlackBerry devices or on the BES.
Perform the following procedures on the BES and a sample of BlackBerry devices (use 2-3 devices for a random sample) as appropriate.
Check a sample of BlackBerry devices (Settings > Options > Advanced Options > Applications) to ensure the METAmessage application is not loaded on the BlackBerry device.
On the BES, have the BlackBerry Administrator show that the BES Application White List does not contain the application. Perform this review at the same time checks WIR1310-01, WIR1310-02, and WIR1310-03 are reviewed so work is not duplicated.
View the applications assigned in a sample (3-4) of Application White List software configurations assigned to users. Verify METAmessage is not listed.
The METAmessage application allows the user to open and create Microsoft Office files, such as MS Word or Excel attachments or documents, which can then be sent via email, saved, or printed. This application presents a security risk and is not allowed for use in DoD. Verify this software application is not used by interviewing the IAO or reviewing a sample of the devices.
Sign email messages - 01<GroupDescription></GroupDescription>
WIR1055-01 BlackBerry devices must be provisioned so users can digitally sign and encrypt email notifications or any other email required by DoD policy.
<VulnDiscussion>S/MIME provides the capability for users to send and receive signed and encrypted email messages from wireless email devices. S/MIME digital signatures provide assurance that a message is authentic, and their use is required by DoD policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>
VMS Target Blackberry Client
DISA FSO
VMS Target Blackberry Client
854
BlackBerry devices must be provisioned so users can digitally sign and encrypt emergency and/or critical email notifications.
Perform the following steps on a sample of site BlackBerry devices (use 2-3 devices as a random sample), as appropriate, to verify users have the capability to sign and encrypt email.
Verify S/MIME is configured such that users may sign messages.
Check a sample of BlackBerry devices:
- Verify the S/MIME application and Smart Card Reader drivers are installed on the device:
  o On the BlackBerry go to Settings > Options > Advanced Options > Applications.
  o Look for the following applications:
    --- S/MIME Support Package
    --- PIV Drivers (optional)
    --- BlackBerry Smart Card Reader
    --- DoD Root Certificates
- Verify certificates are configured on the BlackBerry:
    --- Settings > Options > Security Options > Certificate Servers: GDS and OCSP servers should be listed.
    --- Settings > Options > Security Options > Certificates: DoD Root certificates should be listed.
    --- Settings > Options > Security Options > S/MIME: the user's public keys should be loaded.
Auto signature configuration<GroupDescription></GroupDescription>
WIR1060-01 If BlackBerry email auto signatures are used, the signature message must not disclose that the email originated from a BlackBerry or mobile device (e.g., “Sent From My Wireless Handheld”).
<VulnDiscussion>The signature text may give an attacker information that identifies the device type. This is primarily an OPSEC issue. This setting was directed by the JTF-GNO.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls>ECSC-1</IAControls>
VMS Target Blackberry Client
DISA FSO
VMS Target Blackberry Client
854
If BlackBerry email auto signatures are used, the signature message does not disclose that the email originated from a BlackBerry or mobile device (e.g., “Sent From My Wireless Handheld”).
Check a sample of BlackBerry devices (use 2-3 devices as a random sample):
- Open the BlackBerry email folder.
- Highlight the date line at the top of the list of messages.
- Click the Menu button.
- Select Options, then Email Settings.
- Check the contents of “Auto Signature” text box to verify compliance.
Disable wireless carrier Internet browser<GroupDescription></GroupDescription>
WIR1075-01 All Internet browser icons must be disabled on the BlackBerry device except for the BlackBerry Internet Browser icon.
<VulnDiscussion>The BlackBerry Browser forces all Internet browsing to go through the site Internet gateway, which provides additional security over the carrier's browser.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>
VMS Target Blackberry Client
DISA FSO
VMS Target Blackberry Client
854
All Internet browsers must be disabled and removed from the BlackBerry device except for the BlackBerry Internet Browser.
Complete the following procedures on a sample of site BlackBerry devices (2-3 devices), as appropriate.
- Review a sample (3-4) of handheld devices and verify the wireless carrier's Internet browser icon, web portal browser icon, and all other browser icons (Yahoo, etc.) are not installed on the BlackBerry device. The only browser icon installed should be the BlackBerry browser icon. Go to the BlackBerry device Home screen and verify only the BlackBerry browser icon is present.
- Go to Settings > Options > Advanced Options > Browser and verify the BlackBerry Browser is set as the default browser.
Complete site BlackBerry Autoberry scanning<GroupDescription></GroupDescription>
WIR1015-01 BlackBerry devices managed by the site must be scanned with the DoD Autoberry tool or the commercially available Fixmo Sentinel tool as required.
<VulnDiscussion>The purpose of this scan is to determine if there has been an unexplained change in the BlackBerry file system that may indicate the device has been compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>
VMS Target Blackberry Client
DISA FSO
VMS Target Blackberry Client
854
BlackBerry devices managed by the site must be scanned with the DoD Autoberry tool as required.
Detailed Policy Requirements:
All site managed BlackBerry devices must be scanned with the DoD Autoberry tool or the commercially available Fixmo Sentinel tool (Desktop or Enterprise version) using the following schedule:
- Scan immediately after BlackBerry is provisioned or reprovisioned (this is the “control” or “baseline” scan).
- If the BlackBerry user is based within the Continental United States (CONUS), scan before and after the user travels Outside the Continental United States (OCONUS) and compare the two scans.
- If the BlackBerry user is based OCONUS, scan at least every 90 days and compare the current scan results to the previous scan.
- BlackBerry devices of executives, senior managers, and staff in sensitive positions should be scanned at least every 90 days, and the results of the current scan compared to the previous scan. Commanders, DAAs, or IAOs will designate the BlackBerry users who meet these criteria.
- All other BlackBerry devices should be scanned at least once every 6 months, and the results of the current scan compared to the previous scan.
Note: Autoberry and Sentinel Desktop scans can be conducted by either the site BlackBerry administrator or by each BlackBerry user. Sentinel Enterprise scans are automated and require no action by the user.
Note: For DoD sites using an approved Bluetooth headset/hands free device, it is strongly recommended that the site deploy Sentinel Enterprise. Sentinel Enterprise has the ability to scan actively paired Bluetooth devices on site managed BlackBerrys and perform an audit to verify only approved devices are connected to the BlackBerry.
Check Procedures:
Interview the IAO and BlackBerry Administrator.
- Determine if the site is conducting required control or baseline scans and is saving the results of the scans.
- Determine if the site has any executives, senior managers, and staff in sensitive positions. If yes, determine if Autoberry or Fixmo Sentinel scans are conducted as required and the scan results are maintained by the site IAO or BlackBerry administrator.
- If the site is located CONUS, determine if the site has BlackBerry users that travel OCONUS. If yes, determine if Autoberry/Sentinel scans are conducted as required on the BlackBerry devices of these users and the scan results are maintained by the site IAO or BlackBerry administrator.
- If the site is located CONUS, determine if Autoberry/Sentinel scans are conducted at least every 6 months on site BlackBerry devices and the scan results are maintained by the site IAO or BlackBerry administrator.
- If the site is located OCONUS, determine if Autoberry/Sentinel scans are conducted at least every 90 days on site BlackBerry devices and the scan results are maintained by the site IAO or BlackBerry administrator.
Mark as a finding if any requirements are not being met by the site.
Use approved BlackBerry software versions<GroupDescription></GroupDescription>
WIR1040-01 BlackBerry devices must have the required operating system software version installed.
<VulnDiscussion>Required security features are not available in earlier OS versions. In addition, there are known vulnerabilities in earlier versions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECWN-1</IAControls>
VMS Target Blackberry Client
DISA FSO
VMS Target Blackberry Client
854
BlackBerry devices have the required operating system software version installed.
Detailed Policy Requirements:
BlackBerry Device Software version 4.1.0.294 through version 7.1 must be used on all BlackBerry devices.
Version 4.5 or later is recommended.
In addition, the following branch-specific minimums apply:
- If using BlackBerry Device Software version 4.5.0.x, it must be version 4.5.0.173 or later.
- If using BlackBerry Device Software version 4.6.0.x, it must be version 4.6.0.303 or later.
- If using BlackBerry Device Software version 4.6.1.x, it must be version 4.6.1.309 or later.
- If using BlackBerry Device Software version 4.7.0.x, it must be version 4.7.0.179 or later.
- If using BlackBerry Device Software version 4.7.1.x, it must be version 4.7.1.57 or later.
Check Procedures:
Verify the required BlackBerry Device Software version is being used. On a sample of site BlackBerry devices (use 2-3 for random sampling), check the installed software version as follows: Select Settings > Options > About.
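The version rules above have two layers (an overall 4.1.0.294 to 7.1 window, plus per-branch minimum builds), and a reviewer collecting Settings > Options > About readings from a sample of devices has to apply both to each reading. The following Python is an added example written for this page, not a DISA or RIM tool, that encodes those rules so a list of reported versions can be triaged mechanically. It assumes four-field dotted versions as displayed by the device, reads the upper bound "7.1" as any build in the 7.1 branch, and uses a constructed sample of readings; a malformed reading is reported as a finding rather than silently passed.

```python
"""Check BlackBerry Device Software versions against the WIR1040-01 minimums.

Added example for this STIG check; not a DISA or RIM tool. The version window
and the branch minimums are the ones listed in the policy text above.
"""
from __future__ import annotations

import re

# Overall window from the policy text: 4.1.0.294 up to and including the 7.1 branch.
# Assumption: the upper bound "7.1" means any 7.1.x.y build is acceptable.
FLOOR = (4, 1, 0, 294)
CEILING_BRANCH = (7, 1)

# Branch-specific minimum builds from the policy text: branch prefix -> minimum build.
BRANCH_MINIMUMS = {
    (4, 5, 0): (4, 5, 0, 173),
    (4, 6, 0): (4, 6, 0, 303),
    (4, 6, 1): (4, 6, 1, 309),
    (4, 7, 0): (4, 7, 0, 179),
    (4, 7, 1): (4, 7, 1, 57),
}

_VERSION_RE = re.compile(r"^\d+(\.\d+){0,3}$")


def _dotted(fields: tuple[int, ...]) -> str:
    return ".".join(str(f) for f in fields)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'a.b.c.d' (one to four numeric fields) into a 4-tuple, zero-padded.

    Anything that is not purely numeric dotted fields raises ValueError, so a
    mistyped reading becomes a finding instead of a silent pass.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a BlackBerry Device Software version: {text!r}")
    fields = [int(f) for f in text.split(".")]
    fields += [0] * (4 - len(fields))
    return fields[0], fields[1], fields[2], fields[3]


def check_version(text: str) -> tuple[bool, str]:
    """Return (compliant, reason) for one device's reported software version."""
    v = parse_version(text)
    if v < FLOOR:
        return False, f"{text}: below minimum {_dotted(FLOOR)}"
    if v[:2] > CEILING_BRANCH:
        return False, f"{text}: newer than the 7.1 branch covered by this STIG release"
    branch_min = BRANCH_MINIMUMS.get(v[:3])
    if branch_min is not None and v < branch_min:
        return False, f"{text}: {_dotted(v[:3])}.x must be {_dotted(branch_min)} or later"
    return True, f"{text}: compliant"


def audit(readings: dict[str, str]) -> list[str]:
    """Apply check_version to a device-label -> version map; return findings only."""
    findings = []
    for device, version in readings.items():
        try:
            ok, reason = check_version(version)
        except ValueError as exc:
            ok, reason = False, str(exc)
        if not ok:
            findings.append(f"{device}: {reason}")
    return findings


if __name__ == "__main__":
    # Constructed sample of About-screen readings for illustration; not real site data.
    SAMPLE = {
        "BB-001": "4.5.0.173",   # exactly at the 4.5.0.x minimum
        "BB-002": "4.5.0.100",   # 4.5.0.x but below 4.5.0.173
        "BB-003": "7.1.0.523",   # inside the 7.1 branch
        "BB-004": "4.1.0.293",   # one build below the overall floor
        "BB-005": "5.0.0.681",   # no branch-specific minimum applies
        "BB-006": "7.2.0.10",    # beyond the window covered here
        "BB-007": "4.7.1.5x",    # garbled reading
    }
    for line in audit(SAMPLE):
        print("FINDING", line)
```

Branches without an entry in BRANCH_MINIMUMS (for example 5.0.0.x or 6.0.0.x) are accepted on the strength of the overall window alone, which is exactly what the policy text says; if a later release adds minimums for those branches, they belong in that table rather than in new conditionals.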
Implement Autoberry mitigation actions<GroupDescription></GroupDescription>
WIR1015-02 Mitigation actions identified by Autoberry or Fixmo Sentinel scans on site-managed BlackBerrys must be implemented. (The results and mitigation actions reported by the tool should be available from the site IAO or BlackBerry administrator.)
<VulnDiscussion>If mitigation actions identified by the Autoberry or Fixmo Sentinel tools are not implemented, DoD data and the enclave could be at risk of being compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECWN-1</IAControls>
VMS Target Blackberry Client
DISA FSO
VMS Target Blackberry Client
854
Implement required mitigation actions.
Interview the IAO and BlackBerry Administrator. Review the results of the Autoberry or Fixmo Sentinel scans conducted over the previous 6 months that the site has on file. Determine if the mitigation actions recommended by the tool were completed on site BlackBerry devices.
Mark as a finding if mitigation actions were not completed.
Maintain results of Autoberry scans<GroupDescription></GroupDescription>
WIR1015-03 The results and mitigation actions from Autoberry and Fixmo Sentinel tool scans must be maintained by the site for at least 6 months (1 year recommended).
<VulnDiscussion>Scan results must be maintained so auditors can verify mitigation actions have been completed, so a scan can be compared to a previous scan, and to determine if there are any security vulnerability trends for site-managed BlackBerry devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECWN-1</IAControls>
VMS Target Blackberry Client
DISA FSO
VMS Target Blackberry Client
854
The results and mitigation actions from Autoberry scans must be maintained by the site for at least 6 months (1 year recommended).
Detailed Policy Requirements:
Each site must maintain the results of Autoberry scans on site-managed BlackBerrys as follows:
- The results of all Autoberry and Fixmo Sentinel tool scans will be maintained by either the site BlackBerry Administrator or the IAO.
- Autoberry scans can be conducted by either the site BlackBerry Administrator or by each BlackBerry user. If conducted by the BlackBerry user, the results and mitigation actions reported by the tool will be provided to the site IAO or BlackBerry Administrator for storage.
- The site IAM should designate the length of time the site maintains the results of individual BlackBerry scans (at least 6 months is required; 1 year is recommended). Control or baseline scans should be maintained until the BlackBerry device is decommissioned.
Check Procedures:
Interview the IAO and BlackBerry Administrator. Verify the IAO or BlackBerry Administrator is saving records of scan results and mitigation actions for the length of time designated by the site IAM.
BlackBerry device configuration<GroupDescription></GroupDescription>
WIR1080-01 Security configuration settings on the BlackBerry devices managed by the site must be compliant with requirements listed in Table 5, BlackBerry STIG Configuration Tables.
<VulnDiscussion>These checks are part of a defense-in-depth approach for the BlackBerry, including ensuring a locked BlackBerry is not identifiable as a DoD BlackBerry and providing visual indicators when the Bluetooth radio is in use so users can verify whether they initiated a Bluetooth connection attempt or an attacker did.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECWN-1</IAControls>
VMS Target Blackberry Client
DISA FSO
VMS Target Blackberry Client
854
Security configuration settings on the BlackBerry devices managed by the site are compliant with requirements listed in Table 1, BlackBerry STIG Configuration Tables.
Verify the BlackBerry administrator has used the configuration settings listed in Table 5, BlackBerry STIG Configuration Tables, and check the following settings:
- Device Name (this is checked in two locations)
- Reader LED – Low Battery
- Reader LED – Pairing
- Reader LED – Traffic
A sample of BlackBerry devices should be checked (use 2-3 devices as a random sample). Table 5, BlackBerry STIG Configuration Tables contains instructions on how to verify correct settings on a BlackBerry.
Setup of team or group BlackBerrys<GroupDescription></GroupDescription>
WIR1085-01 The setup of group BlackBerrys must be compliant with requirements listed in Appendix E of the BlackBerry STIG Overview.
<VulnDiscussion>If the configuration is not compliant, actions on team BlackBerrys will not be traceable to a specific user as required by DoD audit policies.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>
VMS Target Blackberry Client
DISA FSO
VMS Target Blackberry Client
854
The setup of group BlackBerrys must be compliant with requirements listed in Appendix E of the BlackBerry STIG Overview.
Interview the IAO or BlackBerry system administrator. If team or group BlackBerrys are used, ensure the procedures in Appendix E of the STIG Overview document have been followed. Verify group/team BlackBerry users have been trained on how to configure the BlackBerry before it is transferred to a new user.
Sign email messages - 02<GroupDescription></GroupDescription>
WIR1055-02 BlackBerry devices must be provisioned so users can digitally sign and encrypt email notifications.
<VulnDiscussion>S/MIME provides the capability for users to send and receive signed and encrypted email messages from wireless email devices. S/MIME digital signatures provide assurance that a message is authentic, and their use is required by DoD policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>
VMS Target Blackberry Client
DISA FSO
VMS Target Blackberry Client
854
BlackBerry devices must be provisioned so users can digitally sign and encrypt emergency and/or critical email notifications.
If user software certificates are used on the BlackBerry instead of the CAC, verify the DAA has approved their use (letter, memo, SSP, etc.).
Bluetooth SCR usage -03<GroupDescription></GroupDescription>
WIR1040-03 BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
<VulnDiscussion>Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>
VMS Target Blackberry Client
DISA FSO
VMS Target Blackberry Client
854
BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Detailed Policy Requirements:
When the BlackBerry Bluetooth Smart Card Reader (SCR) is used as a PC SCR, the following requirements must be followed:
- At the time of publication of this document, use of the BlackBerry SCR for authentication with PCs is authorized only on PCs running Microsoft Windows XP. The Microsoft Windows Vista and Windows 7 Bluetooth stacks have not yet been tested with the BlackBerry SCR to determine whether Bluetooth device pairing can be done securely and meets DoD security requirements.
Check Procedures:
Perform the following checks on site PCs used with the BlackBerry Bluetooth SCR:
- Interview the IAO and SA and verify the BlackBerry SCR is not used with Windows Vista or Windows 7. BlackBerry users with Vista or Windows 7 on their PCs must be placed in the BlackBerry user group that is not authorized to use the BlackBerry SCR with their PCs.
Bluetooth SCR usage -04<GroupDescription></GroupDescription>
WIR1040-04 BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
<VulnDiscussion>Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>
VMS Target Blackberry Client
DISA FSO
VMS Target Blackberry Client
854
BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Detailed Policy Requirements:
When the BlackBerry Bluetooth Smart Card Reader (SCR) is used as a PC SCR, the following requirements must be followed:
- The PC must have the RIM Bluetooth Lockdown tool installed and configured correctly.
Check Procedures:
Perform the following checks on a sample (use 2-3 for random sample) of site PCs used with the BlackBerry Bluetooth SCR:
- Verify the RIM Bluetooth Lockdown tool is installed and configured correctly:
  o On the PC, go to Start > Control Panel > Add or Remove Programs, select BlackBerry Smart Card Reader v1.5.1, and click the Change/Remove button.
  o In the first pop-up dialog box, click the Next button.
  o In the next dialog box, verify Modify is selected and click the Next button.
  o In the next dialog box, click the Next button.
  o In the next dialog box (Restrict Bluetooth Functionality), verify the checkbox is checked. Click the Cancel button to cancel the installation.
Bluetooth SCR usage -05<GroupDescription></GroupDescription>
WIR1040-05 BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
<VulnDiscussion>Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>
VMS Target Blackberry Client
DISA FSO
VMS Target Blackberry Client
854
BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Detailed Policy Requirements:
When the BlackBerry Bluetooth Smart Card Reader (SCR) is used as a PC SCR, the following requirements must be followed:
- Bluetooth radios installed in site PCs must be Class 2 or 3. Class 1 (100 mW) Bluetooth radios are not allowed.
Note for IAOs: To determine the class rating of a Bluetooth radio, look under the specification section of the Bluetooth network interface card manual, which can be downloaded from the laptop vendor's or the Bluetooth dongle vendor's web site. Nearly all internal laptop Bluetooth radios are Class 2 or 3, while many Bluetooth dongle radios are Class 1.
Check Procedures:
Perform the following checks on site PCs used with the BlackBerry Bluetooth SCR:
- Interview the IAO to verify only Bluetooth Class 2 or 3 radios are used in site PCs. Have the IAO or site BlackBerry Administrator show, for a sample of PCs, that the Bluetooth radio is not a Class 1 radio by providing a copy of the Bluetooth radio specification sheet.
Bluetooth SCR version<GroupDescription></GroupDescription>
WIR1040-06 The required version of the BlackBerry Smart Card Reader (SCR) hardware must be used, and the required versions of the drivers must be installed on both the BlackBerry and the SCR.
<VulnDiscussion>Required SCR security features are not available in earlier versions, and Bluetooth vulnerabilities will not have been patched in them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
VMS Target Blackberry Client
DISA FSO
VMS Target Blackberry Client
854
Comply with DoD policy.
Detailed Policy Requirements:
Site BlackBerry devices and SCRs must have required software versions installed.
- The RIM BlackBerry SCR hardware must be version 1 (model PRD-09695-004) or version 2 (model PRD-16951-001).
- RIM BlackBerry SCR software package version 4.2.0.107 or later is required (Application version 4.2.0.107, Software platform 1.5.0.81).
- Apriva Bluetooth SCR (BT200) driver v03-30-02 or later is required.
Check Procedures:
If using the RIM BlackBerry SCR:
- Verify the required SCR model is used. The model number can be found under the battery.
- Verify the required BlackBerry SCR software is being used. On a sample of BlackBerry SCRs (use 2-3 devices for a random sample), press and hold the Action button until “rEsetInG” appears, then read the Application version and Software platform version as they are displayed.
If using the Apriva SCR:
On the BlackBerry, press lower case v (as in Victor) to verify the version number of the Apriva Utility installed on the BlackBerry. On the BlackBerry, press lower case r (as in Romeo) to verify the version number of the Apriva driver installed on the Apriva SCR.
BlackBerry Web Desktop Manager <GroupDescription></GroupDescription>WIR1095-01BlackBerry Web Desktop Manager (BWDM) or BlackBerry Desktop Manager (BDM) must be configured as required. <VulnDiscussion>The BWDM provides the capability for users to self-provision their BlackBerry and to synchronize BlackBerrys to the BES. The BWDM works by providing a web client interface to the BlackBerry database via the BlackBerry Administrative Service (BAS). Users must log into the BAS to access the data service. The BAS is a private web server. CTO 0715rev 1 requires either CAC authentication or a complex 15-character password to log into DoD private web servers. DoD users must use their CAC for authentication to the BAS because they do not know their 256-character AD password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECWN-1</IAControls>VMS Target Blackberry ClientDISA FSOVMS TargetBlackberry Client854Configure BlackBerry Web Desktop Manager (BWDM) for CAC authentication, if used, or use an approved version of BlackBerry Desktop Manager.Detailed Policy Requirements:
Neither BDM nor BWDM is required on BlackBerry users' desktops, but if either is used, it must meet the following requirements:
- For BDM, follow the instructions found in USCYBERCOM IAVM Notice 2010-A-0132.
- If BWDM is used, the BlackBerry Administration Server (BAS) must be configured for Microsoft Active Directory authentication on the BES.
Check Procedures:
The site can use either BlackBerry Desktop Manager or BlackBerry Web Desktop Manager or neither. Check a sample of BlackBerry user PCs (2-3). If BlackBerry Desktop Manager is used, verify the requirements found in USCYBERCOM IAVM Notice 2010-A-0132 have been followed. If BlackBerry Web Desktop Manager is used, no further action is required since the BES review will verify the BES has been configured for Microsoft Active Directory authentication in check WIR1355-01 (V-22102).
Bluetooth headset version<GroupDescription></GroupDescription>WIR1045-01Only approved Bluetooth headset and handsfree devices must be used with site managed BlackBerry devices. <VulnDiscussion>Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>VMS Target Blackberry ClientDISA FSOVMS TargetBlackberry Client854Use only approved Bluetooth headset and handsfree devices. Detailed Policy Requirements:
The following Bluetooth headset and handsfree devices are approved:
Biometric Associates, LP (BAL) blueARMOR family of headsets (blueARMOR 100, blueARMOR 105, and blueARMOR 200) with firmware version 1.5.x.
Check Procedures:
For the BAL headset, the only way to verify the device model number and firmware version is to check the Bluetooth device name of a paired headset. Have the user pair the device to the BlackBerry, if not already paired. On the BlackBerry handheld, go to Options > Networks and Connections > Bluetooth Connections and check the list of paired devices. The device name should be in the form of baiMobileBA100 V1.5.0. The reviewer should check a sample of BlackBerry devices at the site (2-3) and verify compliance.
Note: If the site uses the FIXMO Sentinel Enterprise integrity verification tool, checking BlackBerry handhelds is not required. Have the system administrator show that the Sentinel server is configured to audit paired Bluetooth devices on site managed BlackBerry handhelds.