
The mobile operating system must disable access to the device's contact database when the device is locked.


Overview

Finding ID: V-33295
Version: SRG-OS-999999-MOS-000138
Rule ID: SV-43714r2_rule
IA Controls: (none listed)
Severity: Medium
Description
On some devices, users can access the device's contact database to obtain phone numbers and other information using voice-activated Bluetooth peripherals even when the mobile device is locked. Often this information is personally identifiable information (PII), which is considered sensitive. It could also be used by an adversary to profile the user or engage in social engineering to obtain further information from other unsuspecting users. Disabling access to the contact database in these situations mitigates the risk of this attack. The DAA may waive this requirement with written notice if the operational environment requires this capability.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41592r2_chk)
Review the mobile operating system configuration to determine the ways in which someone can access the contact database, focusing on methods that do not require viewing the display (e.g., voice commands or Bluetooth peripherals). If there are no such methods, there is no finding. If there are such methods, verify that the control is effective while the device is locked. If the contact data can be accessed, this is a finding.

Exception:
Certain fields, such as name, phone number, and pager number, can be made accessible outside of the security container. This exception allows capabilities such as displaying a caller's phone number when the device is locked, or allowing a user to place a call from the contact list without unlocking the security container.
Fix Text (F-37225r1_fix)
Configure the operating system to disable access to the device's contact database when the device is locked.