The Samsung Knox Android Bluetooth stack must use 128-bit Bluetooth encryption when performing data communications with other Bluetooth devices.


Overview

Finding ID: V-48283
Version: KNOX-23-013100
Rule ID: SV-61155r1_rule
IA Controls: (none listed)
Severity: Medium
Description
If data traffic is sent unencrypted, an adversary may be able to read it to obtain sensitive information. 128-bit Bluetooth encryption for data communications mitigates the risk of unauthorized eavesdropping. DoD has determined that FIPS 140-2 validated encryption is not required for voice communications.
SFR ID: FMT_SMF.1.1 #42
STIG: Samsung Android (with Knox 1.x) STIG
Date: 2014-04-22

Details

Check Text (C-50715r3_chk)
This validation procedure is performed on both the MDM Console and the Samsung Knox Android device:

Note: There is no Samsung Knox Android feature that enables an administrator to comply with the stated requirement through direct configuration. The compliance approach is to restrict permitted Bluetooth peripherals to those that have been certified to comply with this requirement. When only such devices are used, Samsung Knox Android will use 128-bit Bluetooth encryption. Only the BAI smart card reader and headset are currently certified to meet DoD Bluetooth peripheral requirements.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the administrator to display the list of whitelisted Bluetooth devices in the "Android Restrictions" group.
2. Verify only the BAI smart card reader and headset are present on the list (Note: this is signified by a single entry of "401D59").

On the Samsung Knox Android device:
1. Open device settings and select "Bluetooth".
2. Review existing Bluetooth devices and verify only whitelisted devices are paired.

If there are any unauthorized devices on the whitelist, this is a finding.
Fix Text (F-51891r2_fix)
Limit Bluetooth devices to those known to employ 128-bit Bluetooth encryption.

On the MDM Console, enter the manufacturer ID (the first 6 characters of the Bluetooth MAC address) of each device that should be allowed to pair into the whitelist of the "Android Restrictions" rule.

Note: To whitelist the Biometric Associates, LP Bluetooth smart card reader and headset, enter 401D59.
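The check and fix above can be automated against an export of the MDM whitelist and the device's paired-device list. The following is an added example, not part of the STIG or of any Samsung or MDM tool; the approved manufacturer ID 401D59 is taken from the STIG, while the device names and MAC addresses are constructed sample data.

```python
import re

# Manufacturer IDs (first 6 hex digits of the Bluetooth MAC address) that the
# STIG permits on the MDM whitelist. 401D59 is the value the STIG gives for the
# Biometric Associates smart card reader and headset.
APPROVED_OUIS = {"401D59"}


def normalize_oui(value):
    """Return the 6-hex-digit manufacturer ID for a full MAC ('40:1D:59:12:34:56',
    '40-1d-59-ab-cd-ef', '401D59123456') or a bare manufacturer ID ('401d59',
    '40:1D:59'). Raises ValueError on anything that is not one of these forms."""
    hex_only = re.sub(r"[:\-]", "", value.strip().upper())
    if not re.fullmatch(r"[0-9A-F]{6}|[0-9A-F]{12}", hex_only):
        raise ValueError("not a Bluetooth manufacturer ID or MAC: %r" % value)
    return hex_only[:6]


def check_bluetooth_compliance(mdm_whitelist, paired_devices):
    """Apply the STIG check: every entry on the MDM whitelist must be an approved
    manufacturer ID, and every paired device's manufacturer ID must be on that
    whitelist. Returns (is_finding, list_of_reasons)."""
    findings = []
    whitelist = set()
    for entry in mdm_whitelist:
        try:
            oui = normalize_oui(entry)
        except ValueError as err:
            findings.append(str(err))
            continue
        whitelist.add(oui)
        if oui not in APPROVED_OUIS:
            findings.append("unauthorized manufacturer ID on MDM whitelist: %s" % oui)
    for name, mac in paired_devices:
        if normalize_oui(mac) not in whitelist:
            findings.append("paired device %r (%s) is not whitelisted" % (name, mac))
    return (bool(findings), findings)


# Constructed sample data (not from the STIG): one compliant and one non-compliant set.
COMPLIANT_WHITELIST = ["401D59"]
COMPLIANT_PAIRED = [("BAI card reader", "40:1D:59:12:34:56")]
NONCOMPLIANT_WHITELIST = ["401D59", "00:11:22"]
NONCOMPLIANT_PAIRED = [("BAI headset", "40-1d-59-ab-cd-ef"), ("Car kit", "AA:BB:CC:00:11:22")]

if __name__ == "__main__":
    for wl, paired in ((COMPLIANT_WHITELIST, COMPLIANT_PAIRED),
                       (NONCOMPLIANT_WHITELIST, NONCOMPLIANT_PAIRED)):
        is_finding, reasons = check_bluetooth_compliance(wl, paired)
        print("FINDING" if is_finding else "compliant", reasons)
```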