Configure communication protocols
Summary
The system must keep mobile devices communication protocols hidden, protected with credentials or turned off. This refers to protocols that allow data exchange such as Bluetooth, NFC and Tethering.
Description
This is requirement emphasizes in protecting mobile devices against unauthorized access by using different types of attacks, such as Bluejacking, Bluesnarfing, eavesdropping, data interception, etc.
Turning off or securing communication protocols that are not actively used reduces the attack surface of the mobile device.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- OWASP TOP 10-A5. Security misconfiguration
- OWASP-M TOP 10-M3. Insecure communication threat agents
- SANS 25-18. Use of hard-coded credentials
- CMMC-AC_L2-3_1_18. Mobile device connection
- CMMC-SC_L1-3_13_1. Boundary protection
- HITRUST CSF-09_s. Information exchange policies and procedures
- HITRUST CSF-09_v. Electronic messaging
- OSSTMM3-9_2_2. Wireless security (logistics) - Communications
- PTES-4_5_3. Threat capability analysis - Communication mechanisms
- PTES-5_2_2_2. Vulnerability analysis - Network vulnerability scanners (service based)
- NIST 800-171-1_16. Authorize wireless access prior to allowing such connections
- NIST 800-171-1_18. Control connection of mobile devices
- SIG Lite-SL_142. Is there a mobile device management solution in place?
- SIG Core-M_1_25. End user device security
- CWE TOP 25-798. Use of hard-coded credentials
Vulnerabilities
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.