Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-33089 | SRG-OS-000114-MOS-000067 | SV-43487r1_rule | | Medium |
Description |
---|
When done properly, Bluetooth pairing prevents rogue devices from communicating with the operating system. If a rogue device is paired with the mobile device, there is the potential for the rogue device to obtain sensitive information. Short passkeys make the pairing process vulnerable to brute-force attacks, and the use of known fixed passkeys makes the device even more vulnerable. The use of Bluetooth 2.1+EDR or later technology greatly mitigates the risk of this attack because it relies on certificates in addition to the PIN to generate a secure pairing key. If device pairing is accomplished with a randomly generated 6-digit passkey, this greatly mitigates the risk of unauthorized pairing in all cases. |
STIG | Date |
---|---|
Mobile Operating System Security Requirements Guide | 2013-04-12 |
Check Text (C-41348r2_chk) |
---|
Review the mobile operating system configuration to determine whether the Bluetooth stack enforces passkeys of 6 digits or more. If greater assurance is required, attempt to pair the device with another Bluetooth device using a 6-digit passkey. If the Bluetooth stack does not enforce pairing using a randomly generated passkey of at least 6 digits, this is a finding. |
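As an added illustration (not part of the SRG text), the following Python audit helper encodes the check above: each passkey observed during a pairing attempt must be purely numeric, at least 6 digits, and not a known fixed value, and passkeys must not repeat across attempts, since a repeat indicates they are not randomly generated. The sample passkeys and the list of fixed PINs are constructed for this example.

```python
from collections import Counter

MIN_PASSKEY_DIGITS = 6          # SRG requirement: at least 6 digits

# Constructed list of widely documented fixed/default PINs; a real audit
# would extend it from the vendor's own default-credential inventory.
KNOWN_FIXED_PASSKEYS = {"0000", "1234", "000000", "123456", "111111"}


def check_passkey(passkey):
    """Return the list of policy violations for one passkey ([] = compliant)."""
    problems = []
    if not passkey.isdigit():
        problems.append("passkey is not purely numeric")
    if len(passkey) < MIN_PASSKEY_DIGITS:
        problems.append("only %d digits (minimum %d)" % (len(passkey), MIN_PASSKEY_DIGITS))
    if passkey in KNOWN_FIXED_PASSKEYS:
        problems.append("known fixed/default passkey")
    return problems


def audit_pairings(observed):
    """Evaluate passkeys observed across several pairing attempts.

    Any per-key violation is a finding; so is a passkey that recurs, since
    a randomly generated 6-digit passkey should not repeat across attempts.
    """
    findings = {}
    for attempt, passkey in enumerate(observed, start=1):
        problems = check_passkey(passkey)
        if problems:
            findings["attempt %d" % attempt] = problems
    repeated = sorted(pk for pk, count in Counter(observed).items() if count > 1)
    if repeated:
        findings["repeated"] = ["passkey %s reused across pairings" % pk for pk in repeated]
    return {"compliant": not findings, "findings": findings}


def brute_force_space(n_digits):
    """Worst-case number of candidate passkeys for an n-digit numeric key (10^n)."""
    return 10 ** n_digits


if __name__ == "__main__":
    # Constructed sample: passkeys captured during test pairings.
    compliant_run = ["483920", "117364", "920511"]
    failing_run = ["0000", "0000", "1234"]
    print(audit_pairings(compliant_run))
    print(audit_pairings(failing_run))
    print("4-digit vs 6-digit keyspace:", brute_force_space(4), brute_force_space(6))
```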
Fix Text (F-36989r2_fix) |
---|
Configure the operating system to support Bluetooth passkeys of at least 6 digits. |