The mobile operating systems Bluetooth module must not permit any data transfer between devices prior to Bluetooth mutual authentication.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-33090 | SRG-OS-000114-MOS-000068 | SV-43488r1_rule | Medium |
| Description |
|---|
| Bluetooth mutual authentication provides assurance that both the mobile device and Bluetooth peripheral are legitimate. If the authentication does not occur immediately before permitting a network connection, there is the potential for a man-in-the-middle attack in which a third device intercepts the traffic between the two legitimate devices. Mutual authentication prevents this from occurring. |
| STIG | Date |
|---|---|
| Mobile Operating System Security Requirements Guide | 2013-07-03 |
Details
| Check Text ( C-41349r1_chk ) |
|---|
| The local Bluetooth stack either supports this functionality or it does not. Review the system documentation to determine if the functionality is supported. If the Bluetooth stack permits any data transfer between devices prior to Bluetooth mutual authentication, this is a finding. |
| Fix Text (F-36990r1_fix) |
|---|
| Configure the operating system's Bluetooth stack to prohibit data transfer between devices prior to Bluetooth mutual authentication. |