Title

The Personal Hotspot feature of the mobile OS must be disabled if it does not meet DoD WLAN or Bluetooth security requirements and is not approved by the IAO. (Cat III impact)

Discussion

The Wi-Fi radio and Bluetooth radio can be used by a hacker to connect to the smartphone without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. This setting would allow the device Wi-Fi radio to automatically connect to a Wi-Fi network. The Bluetooth and Wi-Fi connections do not support DoD wireless encryption and authentication requirements.

Check Content

USB connections for Personal Hotspot service will only be used if authorized. Bluetooth and Wi-Fi connections will not be used. Currently, the setup.apk configuration script is used to disable the “Enable Wi-Fi tethering” configuration setting in Android. (In late 2011, this configuration setting will be available in the Good server console.) Verify the Dell Setup.apk file has been installed on the mobile OS device. -Have the system administrator show that Setup.apk is in the list of installed applications on the device (Settings>Applications>Manage applications>All). If the file is not listed, confirm with the SA that the file was installed on the device during setup, run, and then removed. Note: “Tethered Modem” service must be added to the Android wireless account by the carrier for the Personal Hotspot service to work.

Fix Text

Set the mobile OS device Personal Hotspot feature as required.

Additional Identifiers

Rule ID: SV-35002r1_rule

Vulnerability ID: V-26559

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.