UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Samsung Knox Android Bluetooth module must not permit any data transfer between devices prior to Bluetooth mutual authentication.


Overview

Finding ID Version Rule ID IA Controls Severity
V-48265 KNOX-23-012700 SV-61137r1_rule Medium
Description
Bluetooth mutual authentication provides assurance that both the mobile device and Bluetooth peripheral are legitimate. If the authentication does not occur immediately before permitting a network connection, there is the potential for a man-in-the-middle attack in which a third device intercepts the traffic between the two legitimate devices. Mutual authentication prevents this from occurring. SFR ID: FIA_BLT_EXT.1.1
STIG Date
Samsung Android (with Knox 1.x) STIG 2014-04-22

Details

Check Text ( C-50697r4_chk )
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device.

Note: There is no Samsung Knox Android feature that enables an administrator to comply with the stated requirement through direct configuration. The compliance approach is to restrict permitted Bluetooth peripherals to those that have been certified to comply with this requirement. When only such devices are used, Samsung Knox Android will not transfer data prior to Bluetooth mutual authentication. Only the BAI smart card reader and headset are currently certified to meet DoD Bluetooth peripheral requirements.

Check the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the list of whitelisted Bluetooth devices in the "Android Restrictions" rule.
2. Verify only the BAI smart card reader and headset are present on the list (Note: this is signified by a single entry of "401D59").

On the Samsung Knox Android device:
1. Open device settings and select "Bluetooth".
2. Review existing Bluetooth devices and verify only whitelisted devices are paired and/or are able to pair.

If there are any unauthorized Bluetooth devices on the whitelist, this is a finding.
Fix Text (F-51873r2_fix)
Configure the operating system's Bluetooth stack to prohibit data transfer between devices prior to Bluetooth mutual authentication.

On the MDM Console, enter the manufacturer ID of the Bluetooth MAC address (first 6 characters) of each device that should be allowed to pair on the whitelist of the "Android Restrictions" rule.

Note: To whitelist the Biometric Associates, LP Bluetooth smart card reader and headset, enter: "401D59".