
Samsung Android must be configured to enforce a USB host mode exception list. NOTE: This configuration allows DeX mode (with input devices), which is DoD-approved for use.


Finding ID: V-231045
Version: KNOX-11-021000
Rule ID: SV-231045r608683_rule
IA Controls: (none listed)
Severity: Medium
The USB host mode feature allows USB devices to connect to the device (e.g., USB flash drives, USB mouse, USB keyboard) using a micro USB to USB adapter cable. The USB host mode exception list allows selected USB devices to operate, while disallowing others, based on their USB device class. With some USB device classes, a user can copy sensitive DoD information to external USB storage unencrypted, resulting in compromise of DoD data. However, some USB device classes do not allow data to be copied, such as Human Interface Devices (HID). Disabling all USB devices except for HID mitigates the risk of compromising sensitive DoD data. This allows for DeX mode to be used, with a USB keyboard and mouse, without compromising DoD data.

SFR ID: FMT_SMF_EXT.1.1 #47
Samsung Android 11 with Knox 3.x Legacy Security Technical Implementation Guide 2020-12-08


Check Text (C-33975r592749_chk)
Review Samsung Android device configuration settings to determine if a USB host mode exception list is configured or, alternatively, if USB host mode is disabled.

This validation procedure is performed on both the management tool Administration Console and the Samsung Android device.

On the management tool, in the device restrictions section, verify that "HID" is the only USB class included in the "USB host mode exception list".

On the Samsung Android device:
1. Connect a micro USB-to-USB "On the Go" (OTG) adapter to the device.
2. Connect a USB thumb drive to the adapter.
3. Verify that the device cannot access the USB thumb drive.

If on the management tool the "USB host mode exception list" includes a USB class other than "HID", or on the Samsung Android device the USB thumb drive can be mounted, this is a finding.
Fix Text (F-33948r592750_fix)
Configure Samsung Android with a USB host mode exception list, or alternatively, disable the use of USB host mode.

On the management tool, in the device restrictions section, add the "HID" USB class to the "USB host mode exception list".
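The finding criteria from the check text above, encoded as an automated evaluator over an exported restriction profile. This is an added example, not part of the STIG or of any management tool; the JSON export layout and its key names are constructed assumptions, since each management tool has its own schema.

```python
"""Evaluate an exported device-restriction profile against KNOX-11-021000.

Added example (not DISA or vendor code).  The export format below is an
assumption: real management tools export their own schema, so map their
fields onto "usb_host_mode_enabled" and "usb_host_mode_exception_list".
"""
import json

# Constructed sample export: USB host mode is on and HID is the only
# class in the exception list, which is the compliant configuration.
SAMPLE_EXPORT = """
{
  "device_restrictions": {
    "usb_host_mode_enabled": true,
    "usb_host_mode_exception_list": ["HID"]
  }
}
"""


def evaluate_usb_host_mode(export_json: str) -> dict:
    """Return {"finding": bool, "reason": str} for rule SV-231045r608683_rule.

    Not a finding when USB host mode is disabled, or when the exception
    list contains HID and nothing else.  Any other class (for example
    mass storage) is a finding because it would let data be copied to
    external USB storage unencrypted.  A missing or empty list while
    host mode is enabled is also a finding: neither control is in place.
    """
    cfg = json.loads(export_json).get("device_restrictions", {})
    host_mode_enabled = bool(cfg.get("usb_host_mode_enabled", True))
    # Normalise class names so "hid" / " HID " compare equal to "HID".
    classes = {str(c).strip().upper()
               for c in cfg.get("usb_host_mode_exception_list", [])}

    if not host_mode_enabled:
        return {"finding": False, "reason": "USB host mode is disabled"}
    non_hid = sorted(classes - {"HID"})
    if non_hid:
        return {"finding": True,
                "reason": f"exception list allows non-HID classes: {non_hid}"}
    if "HID" not in classes:
        return {"finding": True,
                "reason": "host mode enabled but no exception list configured"}
    return {"finding": False, "reason": "exception list contains only HID"}


if __name__ == "__main__":
    print(evaluate_usb_host_mode(SAMPLE_EXPORT))
```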