Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-33295 | SRG-OS-999999-MOS-000138 | SV-43714r2_rule | | Medium |
Description |
---|
On some devices, users can access the device's contact database to obtain phone numbers and other information using voice-activated Bluetooth peripherals even when the mobile device is locked. Often this information is personally identifiable information (PII), which is considered sensitive. It could also be used by an adversary to profile the user or engage in social engineering to obtain further information from other unsuspecting users. Disabling access to the contact database in these situations mitigates the risk of this attack. The DAA may waive this requirement with written notice if the operational environment requires this capability. |
STIG | Date |
---|---|
Mobile Operating System Security Requirements Guide | 2013-07-03 |
Check Text ( C-41592r2_chk ) |
---|
Review the mobile operating system configuration to determine the ways in which someone can access the contact database, focusing on ways that do not require viewing the display (e.g., voice commands or Bluetooth peripherals). If there are no such methods, there is no finding. If there are such methods, verify the effectiveness of the control. If the data can be accessed, this is a finding. Exception: Certain fields, such as name, phone number, and pager number, can be made accessible outside of the security container. This exception allows capabilities such as displaying a caller's phone number when the device is locked or allowing a user to make a call from the contact list without unlocking the security container. |
Fix Text (F-37225r1_fix) |
---|
Configure the operating system to disable access to the device's contact database when the device is locked. |