Check: BB10-2X-000240
BB10 2 X STIG: BB10-2X-000240 (in version v1 r6)
Title
BlackBerry 10 OS's Wi-Fi module must use EAP-TLS authentication when authenticating to DoD WLAN authentication servers. (Cat II impact)
Discussion
Without strong mutual authentication, a mobile device may connect to an unauthorized network. In many cases, the user may falsely believe that the device is connected to an authorized network and then provide authentication credentials and other sensitive information. EAP-TLS is strong mutual authentication leveraging a public key infrastructure. Its use greatly mitigates risk associated with authentication transactions.
Check Content
From either the Work Space or Personal Space, navigate to "Settings >> Network Connections >> Wi-Fi >> Saved" and select a saved DoD Wi-Fi profile to check. Verify "Security Type" is set to "WPA Enterprise" or "WPA2 Enterprise" and "Security Sub Type" is set to "EAP-TLS". These options should be grayed out. Otherwise, this is a finding.
NOTE: Wi-Fi profiles, other than those connecting to DoD Wi-Fi networks, are not a finding. If no DoD Wi-Fi networks are saved, this requirement is NA.
Fix Text
On BlackBerry Device Service, select the affected Wi-Fi Profile(s), and set "EAP Security Setting" to "TLS".
Additional Identifiers
Rule ID:
Vulnerability ID: V-47191
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000780 | The information system authenticates devices before establishing wireless network connections using bidirectional authentication between devices that is cryptographically based. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |