Configure communication protocols
Summary
The system must keep mobile devices communication protocols hidden, protected with credentials or turned off. This refers to protocols that allow data exchange such as Bluetooth, NFC and Tethering.
Description
This is requirement emphasizes in protecting mobile devices against unauthorized access by using different types of attacks, such as Bluejacking, Bluesnarfing, eavesdropping, data interception, etc. Turning off or securing communication protocols that are not actively used reduces the attack surface of the mobile device.
References
- OWASP10-A5. Security misconfiguration
- OWASPM10-M3. Insecure communication threat agents
- SANS25-18. Use of hard-coded credentials
- CMMC-AC_L2-3_1_18. Mobile device connection
- CMMC-SC_L1-3_13_1. Boundary protection
- HITRUST-09_s. Information exchange policies and procedures
- HITRUST-09_v. Electronic messaging
- OSSTMM3-9_2_2. Wireless security (logistics) - Communications
- PTES-4_5_3. Threat capability analysis - Communication mechanisms
- PTES-5_2_2_2. Vulnerability analysis - Network vulnerability scanners (service based)
- NIST800171-1_16. Authorize wireless access prior to allowing such connections
- NIST800171-1_18. Control connection of mobile devices
- SIGLITE-SL_142. Is there a mobile device management solution in place?
- SIG-M_1_25. End user device security
- CWE25-798. Use of hard-coded credentials
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Supported In
This requirement is verified in following services
Essential Plan
Advanced Plan