Title

The smartphone device Wi-Fi radio must be disabled as the default setting and is enabled only when Wi-Fi connectivity is required. (Cat III impact)

Discussion

The Wi-Fi radio can be used by a hacker to connect to the smartphone without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.

Check Content

The user will never enable the Wi-Fi radio unless authorized to use Wi-Fi (User Based Enforcement (UBE)). If Wi-Fi use is authorized, the user should turn-off the smartphone Wi-Fi radio whenever Wi-Fi service is not needed. On a sample of site-managed Android devices (pick 3-4 random devices), verify the Wi-Fi radio is turned off. -Have the user turn on and log into the device. -Go to Settings > Wireless & networks > Wi-Fi. Wi-Fi should be turned off. Mark as a finding if configuration is not set as required.

Fix Text

Train user to disable the CMD Wi-Fi radio unless Wi-Fi connectivity is desired for a known authorized Wi-Fi connection.

Additional Identifiers

Rule ID: SV-34999r1_rule

Vulnerability ID: V-25020

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.