
The Samsung Knox Android Bluetooth module must not permit any data transfer between devices prior to Bluetooth mutual authentication.


Overview

Finding ID: V-48265
Version: KNOX-23-012700
Rule ID: SV-61137r1_rule
IA Controls: (none listed)
Severity: Medium
Description

Bluetooth mutual authentication provides assurance that both the mobile device and Bluetooth peripheral are legitimate. If the authentication does not occur immediately before permitting a network connection, there is the potential for a man-in-the-middle attack in which a third device intercepts the traffic between the two legitimate devices. Mutual authentication prevents this from occurring.

SFR ID: FIA_BLT_EXT.1.1

STIG: Samsung Android (with Knox 1.x) STIG
Date: 2014-04-22

Details

Check Text (C-50697r4_chk)
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device.

Note: There is no Samsung Knox Android feature that enables an administrator to comply with the stated requirement through direct configuration. The compliance approach is to restrict permitted Bluetooth peripherals to those that have been certified to comply with this requirement. When only such devices are used, Samsung Knox Android will not transfer data prior to Bluetooth mutual authentication. Only the BAI smart card reader and headset are currently certified to meet DoD Bluetooth peripheral requirements.

Check that the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the list of whitelisted Bluetooth devices in the "Android Restrictions" rule.
2. Verify only the BAI smart card reader and headset are present on the list (Note: this is signified by a single entry of "401D59").

On the Samsung Knox Android device:
1. Open device settings and select "Bluetooth".
2. Review existing Bluetooth devices and verify only whitelisted devices are paired and/or are able to pair.

If there are any unauthorized Bluetooth devices on the whitelist, this is a finding.
Fix Text (F-51873r2_fix)
Configure the operating system's Bluetooth stack to prohibit data transfer between devices prior to Bluetooth mutual authentication.

On the MDM Console, enter the manufacturer ID of the Bluetooth MAC address (first 6 characters) of each device that should be allowed to pair on the whitelist of the "Android Restrictions" rule.

Note: To whitelist the Biometric Associates, LP Bluetooth smart card reader and headset, enter: "401D59".
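The two review steps above (the whitelist on the MDM console and the paired-device list on the handset) both reduce to comparing manufacturer IDs, i.e. the first 6 hex digits of a Bluetooth MAC, against the approved set. The following is an added example of that comparison written for this page; it is not Samsung, Knox or MDM code. The approved set contains only the "401D59" entry named above; the device list and the MAC address formats it accepts are constructed assumptions.

```python
import re

# Approved manufacturer IDs (OUIs) for the "Android Restrictions" whitelist.
# "401D59" is the single entry this STIG names (BAI smart card reader and headset).
APPROVED_OUIS = {"401D59"}

# Accepts 40:1D:59:AA:BB:CC, 40-1D-59-AA-BB-CC or 401D59AABBCC (assumed input forms).
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})[:\-]?([0-9A-Fa-f]{2})[:\-]?([0-9A-Fa-f]{2})"
                     r"[:\-]?([0-9A-Fa-f]{2})[:\-]?([0-9A-Fa-f]{2})[:\-]?([0-9A-Fa-f]{2})$")


def oui_of(mac: str) -> str:
    """Return the manufacturer ID of a Bluetooth MAC as 6 upper-case hex digits."""
    m = _MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a Bluetooth MAC address: {mac!r}")
    return "".join(m.groups()[:3]).upper()


def normalize_oui(entry: str) -> str:
    """Normalize a whitelist entry ("40:1D:59", "401d59", ...) to 6 upper-case hex digits."""
    digits = re.sub(r"[:\-\s]", "", entry).upper()
    if not re.fullmatch(r"[0-9A-F]{6}", digits):
        raise ValueError(f"whitelist entry is not a 6-hex-digit manufacturer ID: {entry!r}")
    return digits


def audit_whitelist(entries, approved_ouis=APPROVED_OUIS):
    """MDM console step: return whitelist entries that are not approved (each one is a finding)."""
    return [e for e in entries if normalize_oui(e) not in approved_ouis]


def audit_paired_devices(paired, approved_ouis=APPROVED_OUIS):
    """Handset step: split (name, mac) pairs into approved devices and findings."""
    approved, findings = [], []
    for name, mac in paired:
        (approved if oui_of(mac) in approved_ouis else findings).append((name, mac))
    return approved, findings


if __name__ == "__main__":
    # Constructed sample data, not taken from any real device.
    whitelist = ["401D59", "00:11:22"]
    paired = [("BAI reader", "40:1D:59:AA:BB:CC"), ("Unknown headset", "00-11-22-33-44-55")]
    print("whitelist findings:", audit_whitelist(whitelist))
    print("paired-device findings:", audit_paired_devices(paired)[1])
```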