Title

The smartphone Bluetooth radio must be disabled if not authorized for use. (Cat II impact)

Discussion

The Bluetooth radio can be used by a hacker to connect to the smartphone without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.

Check Content

The Bluetooth radio should be turned off by the user (User Based Enforcement (UBE)) if not being used to connect the approved Bluetooth smart card reader or handsfree headset to the smartphone. On a sample of site-managed Android devices (pick 3-4 random devices), verify the Bluetooth radio is turned off if the Bluetooth smart card reader is not being used by the user. -Have the user log into the device. -Go to Settings > Wireless & networks > Bluetooth. -Verify the Bluetooth radio is off. Mark as a finding if configuration is not set as required.

Fix Text

Train the user to not connect the iOS device to unauthorized Bluetooth peripherals.

Additional Identifiers

Rule ID: SV-34994r1_rule

Vulnerability ID: V-25019

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.