Check: AIOS-01-000005
Apple iOS 7 STIG:
AIOS-01-000005
(in version v1 r2)
Title
Apple iOS must wipe all storage media after 10 consecutive, unsuccessful attempts to unlock the mobile device. (Cat II impact)
Discussion
Mobile devices present additional risks related to attempted unauthorized access. If they are lost, stolen, or misplaced, attempts can be made to unlock the device by guessing the password. Once unlocked, an adversary may be able to obtain sensitive data on the device. Wiping storage media renders all such data permanently inaccessible. There are two acceptable methods to wipe the device. The first is to overwrite the data on the media several times, so it is not longer recoverable. In this case, the device should implement DoD 5220.22-M (E) (3pass), in which the media is overwritten three times. The second is to delete the locally stored encryption key on a device that encrypts all data stored on the device. In this case, the key must be wiped using a method complying with DoD 5220.22-M (ECE) (7 pass), in which all storage sectors containing the key are overwritten seven times. Alternative methods consistent with those described in NIST SP 800-88 (as revised) are acceptable.
Check Content
This check procedure is performed on both the iOS Over-the-Air management tool and the iOS device. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the iOS Over-the-Air management tool, verify "Maximum number of failed attempts" value is set to 10 or less. For example, in Mobile Iron Admin Portal: 1. Ask the MDM administrator to display the "POLICIES & CONFIGS". 2. Click or tap on the word "Policies". 3. Click or tap the policy name. 4. Expand "Details" under "Policy Details". 5. Verify "Maximum number of Failed Attempts" value is set to 10 or less. Note: A value less than 10 is acceptable but not recommended. Alternatively, verify the text "<key>maxFailedAttempts</key> <integer>10</integer>" appears in the configuration profile (.mobileconfig file). On the iOS device: 1. Open the Settings app. 2. Tap "General". 3. Tap "Passcode Lock". 4. Enter Passcode. 5. Scroll to the bottom of the screen and verify the "Erase Data" control is toggled to the right and appears green. 6. Verify the phrase "Erase all data on this iPhone after 10 failed passcode attempts" appears under "Erase Data". If the "Maximum number of failed attempts" is a value more than 10 in the iOS Over-the-Air management tool, or "<key>maxFailedAttempts</key>" has an integer value of more than 10 in the configuration profile, or if "Erase Data" is toggled to the left and does not appear green on the iOS device, this is a finding.
Fix Text
Configure Apple iOS to wipe the iOS device after 10 consecutive, unsuccessful attempts to unlock it. In the iOS Over-the-Air management tool, configure the "Maximum number of failed attempts" to a value of 10 or less. For example, in Mobile Iron Admin Portal, edit the policy and set "Maximum number of Failed Attempts" to 10 or less.
Additional Identifiers
Rule ID:
Vulnerability ID: V-43209
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
CCI-001383 |
The information system provides additional protection for mobile devices accessed via login by purging information from the device after an organization-defined number of consecutive, unsuccessful login attempts to the mobile device. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |