An error occurred:

Check: AIOS-02-000012

Apple iOS 7 STIG: AIOS-02-000012 (in version v1 r2)

Title

Apple iOS must disable voice-activated assistant functionality when the device is locked (Voice Dialing). (Cat II impact)

Discussion

On iOS devices, users can access the device's contact database or calendar to obtain phone numbers and other information using a human voice even when the mobile device is locked. Often this information is personally identifiable information (PII), which is considered sensitive. It could also be used by an adversary to profile the user or engage in social engineering to obtain further information from other unsuspecting users. Disabling access to the contact database and calendar in these situations mitigates the risk of this attack.

Check Content

This check procedure is performed on both the iOS Over-the-Air management tool and the iOS device. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the iOS Over-the-Air management tool, verify "Allow voice dialing" is unchecked. For example, in Mobile Iron Admin Portal: 1. Ask the MDM administrator to display the "POLICIES & CONFIGS". 2. Click or tap on the word "Configurations". 3. Click or tap the configuration name. 4. Expand "Details" under "App Setting Details". 5. Verify "Allow voice dialing" is set to "false". Alternatively, verify the text "<key>allowVoiceDialing</key><false/>" appears in the configuration profile (.mobileconfig file). On the iOS device: 1. Hold down the home button on a locked iOS device for 5 seconds. 2. Verify that Voice Control does not activate. If "Allow voice dialing" is checked in the iOS Over-the-Air management tool, "<key>allowVoiceDialing</key><true/>" appears in the configuration profile, or Voice Control activates on a locked iOS device, this is a finding.

Fix Text

Configure Apple iOS to disable access to the device's contact database when the device is locked. In the iOS Over-the-Air management tool, uncheck "Allow voice dialing". For example, in Mobile Iron Admin Portal, edit the configuration and deselect the "Allow voice dialing".

Additional Identifiers

Rule ID:

Vulnerability ID: V-43213

Group Title:

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

The organization implements the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings