Title

Google Android Pie must be configured to enforce that Wi-Fi Sharing is disabled. (Cat II impact)

Discussion

Wi-Fi Sharing is an optional configuration of Wi-Fi Tethering/Mobile Hotspot, which allows the device to share its Wi-Fi connection with other wirelessly connected devices instead of its mobile (cellular) connection. Wi-Fi Sharing grants the "other" device access to a corporate Wi-Fi network and may possibly bypass the network access control mechanisms. This risk can be partially mitigated by requiring the use of a preshared key for personal hotspots. SFR ID: FMT_SMF_EXT.1.1 #47

Check Content

Review device configuration settings to confirm Wi-Fi Sharing is disabled. Mobile Hotspot must be enabled in order to enable Wi-Fi Sharing. If the Authorizing Official (AO) has not approved Mobile Hotspot, and it has been verified as disabled on the MDM console, no further action is needed. If Mobile Hotspot is being used, use the following procedure to verify Wi-Fi Sharing is disabled: On the MDM console: 1. Open the User restrictions setting. 2. Verify "Disallow config tethering" to on. On the Google Android Pie device, do the following: 1. Open Settings. 2. Tap "Networks & internet". 3. Verify that "Hotspots & tethering" is disabled. If on the Google Android Pie device "Wi-Fi sharing" is enabled, this is a finding.

Fix Text

Configure Google Android Pie to disable Wi-Fi Sharing. Mobile Hotspot must be enabled in order to enable Wi-Fi Sharing. If the AO has not approved Mobile Hotspot, and it has been disabled on the MDM console, no further action is needed. If Mobile Hotspot is being used, use the following procedure to disable Wi-Fi Sharing: On the MDM console: 1. Open the User restrictions setting. 2. Set "Disallow config tethering" to on.

Additional Identifiers

Rule ID: SV-106451r1_rule

Vulnerability ID: V-97347

Group Title: PP-MDF-991000

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.