
The mobile operating system's Bluetooth module must enforce pairing using a randomly generated passkey of at least 6 digits.


Overview

Finding ID: V-33089
Version: SRG-OS-000114-MOS-000067
Rule ID: SV-43487r1_rule
IA Controls: none listed
Severity: Medium
Description
When done properly, Bluetooth pairing prevents rogue devices from communicating with the operating system. If a rogue device is paired with the mobile device, it may be able to obtain sensitive information. Short passkeys make the pairing process vulnerable to brute-force attacks: a 4-digit passkey leaves an attacker only 10,000 candidates to try, a 6-digit passkey 1,000,000. Known fixed passkeys make the device even more vulnerable, since no guessing is needed at all. Bluetooth 2.1+EDR or later greatly mitigates this attack because Secure Simple Pairing derives the link key from an elliptic-curve Diffie-Hellman exchange and uses the passkey only to authenticate that exchange, whereas legacy (pre-2.1) pairing derives the key directly from the PIN. Pairing with a randomly generated 6-digit passkey greatly mitigates the risk of unauthorized pairing whichever pairing method is in use.
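The policy this requirement describes, written out as an added example (not code from the STIG or from any mobile OS vendor): a passkey generator that draws from the OS CSPRNG, a compliance check that rejects short, non-numeric, repeated-digit and known fixed passkeys, and a counter showing how many sequential guesses an unthrottled attacker needs to recover a given passkey. The list of fixed passkeys is a constructed illustration, as is the 6-digit minimum taken from the requirement above.

```python
import re
import secrets

# Constructed illustration of fixed/default passkeys that ship on some devices;
# a real deployment would maintain its own deny list.
KNOWN_FIXED_PASSKEYS = {"0000", "1234", "000000", "123456", "111111"}


def passkey_compliant(passkey: str, min_digits: int = 6) -> tuple[bool, str]:
    """Policy check a pairing handler would run before accepting a passkey.

    Returns (compliant, reason). min_digits defaults to the 6 digits the
    requirement calls for (assumed default, adjustable per policy).
    """
    if not re.fullmatch(r"[0-9]+", passkey):
        return False, "passkey must be decimal digits only"
    if len(passkey) < min_digits:
        return False, f"passkey has {len(passkey)} digits; minimum is {min_digits}"
    if passkey in KNOWN_FIXED_PASSKEYS:
        return False, "passkey is a known fixed/default value"
    if len(set(passkey)) == 1:
        return False, "passkey is a single repeated digit"
    return True, "ok"


def generate_passkey(digits: int = 6) -> str:
    """Return a random passkey of exactly `digits` decimal digits.

    secrets.randbelow draws from the OS CSPRNG without modulo bias, so every
    value in 0..10**digits-1 is equally likely; zero-padding keeps leading
    zeros that str(int) would silently drop. Candidates that happen to fail
    the policy check (a repeated digit, a listed default) are resampled.
    """
    if digits < 6:
        raise ValueError("passkey must be at least 6 digits")
    while True:
        candidate = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        if passkey_compliant(candidate, digits)[0]:
            return candidate


def guesses_to_recover(passkey: str) -> int:
    """Attempts a sequential brute force needs to hit `passkey` when the stack
    lets it retry pairing without rate limiting (worst case 10**len(passkey))."""
    digits = len(passkey)
    for attempt in range(10 ** digits):
        if f"{attempt:0{digits}d}" == passkey:
            return attempt + 1
    raise ValueError("passkey is not an all-digit string of that length")


if __name__ == "__main__":
    pk = generate_passkey()
    print("generated:", pk, passkey_compliant(pk))
    for weak in ("0000", "1234", "123456", "12a456"):
        print(weak, passkey_compliant(weak))
    print("guesses for 0000:", guesses_to_recover("0000"))
```

The generator rejects only a handful of values out of a million, so the resampling does not meaningfully bias the distribution; the brute-force counter is the same calculation the check text asks an assessor to reason about, made concrete for a fixed 4-digit default versus a random 6-digit value.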
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text ( C-41348r2_chk )
Review the mobile operating system configuration to determine whether the Bluetooth stack enforces passkeys of 6 or more digits. If greater assurance is required, attempt to pair the device with another Bluetooth device and confirm that a passkey of fewer than 6 digits is refused. If the Bluetooth stack does not enforce pairing using a randomly generated passkey of at least 6 digits, this is a finding.
Fix Text (F-36989r2_fix)
Configure the operating system to generate random Bluetooth passkeys of at least 6 digits and to reject shorter ones.