|Finding ID||Version||Rule ID||IA Controls||Severity|
|The USB host mode feature allows select USB devices to connect to the device (e.g., USB flash drives, USB mouse, USB keyboard) using a micro USB to USB adapter cable. A user can copy sensitive DoD information to external USB storage unencrypted, resulting in compromise of DoD data. Disabling this feature mitigates the risk of compromising sensitive DoD data. Note: The USB HID host must be whitelisted in order to use the DeX Station. SFR ID: FMT_SMF_EXT.1.1 #47|
|Samsung Android OS 8 with Knox 3.x COBO Use Case Security Technical Implementation Guide||2019-10-01|
|Check Text (C-79909r1_chk)|
Review Samsung Android 8 with Knox configuration settings to determine if the mobile device is configured to disable USB host modes.
This validation procedure is performed on both the MDM Administration Console and the Samsung Android 8 with Knox device.
On the MDM console, do the following:
1. Ask the MDM Administrator to display the “USB exception list” setting in the “Android Restrictions” rule.
2. Verify only the HID USB class is selected.
On the Samsung Android 8 with Knox device, do the following:
1. Connect a Micro USB to USB OTG adapter to the device.
2. Connect a USB thumb drive to the adapter.
3. Verify the device cannot access the USB thumb drive.
If the MDM console “USB exception list” setting has non-HID USB classes selected, or if the user is able to access the USB thumb drive from the Samsung Android 8 with Knox device, this is a finding.
|Fix Text (F-87043r1_fix)|
Configure Samsung Android 8 with Knox to disable USB host modes.
On the MDM console, select the HID USB class in the “USB host mode exception list” setting in the “Android Restrictions” rule.