
Configure Bluetooth settings according to organizational standards.


CONTROL ID
12422
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Unpair Bluetooth devices when the pairing is no longer required., CC ID: 15232
  • Use authorized versions of Bluetooth to pair Bluetooth devices., CC ID: 15231
  • Refrain from using unit keys on Bluetooth devices., CC ID: 12541
  • Configure link keys to be based on combination keys in Bluetooth devices., CC ID: 12539
  • Refrain from using the "Just Works" model of Secure Simple Pairing in Bluetooth settings., CC ID: 12538
  • Disable all Bluetooth profiles other than the Serial Port Profile., CC ID: 12536
  • Lock Bluetooth profiles to prevent them being altered by end users., CC ID: 12535
  • Configure Bluetooth to refrain from allowing multiple profiles of Bluetooth stacks., CC ID: 12433
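Several of the implementation controls above (no "Just Works" pairing, short discoverability window, no indefinite pairability, Secure Connections) map onto keys in the BlueZ daemon configuration on Linux. The script below is an added example, not part of the original control text or of BlueZ: it reads the `[General]` section of a `main.conf`, flags the weak settings, and compares a constructed weak configuration against a constructed hardened one. It assumes the BlueZ 5.x key names `SecureConnections`, `JustWorksRepairing`, `DiscoverableTimeout` and `AlwaysPairable`; the two sample files and the `kiosk-01` name are invented for the demonstration.

```shell
#!/bin/sh
# Audit a BlueZ /etc/bluetooth/main.conf against the hardening controls above.
# Added example; the sample configs below are constructed, not real system files.

# conf_get FILE KEY: print the value of KEY in the [General] section
# (last assignment wins), or nothing if it is unset.
conf_get() {
    awk -F= -v key="$2" '
        /^[[:space:]]*[#;]/ { next }                         # skip comments
        /^[[:space:]]*\[/   { sect = $0; gsub(/[[:space:]]/, "", sect); next }
        sect == "[General]" && NF >= 2 {
            k = $1; gsub(/[[:space:]]/, "", k)
            if (k == key) { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); val = v }
        }
        END { print val }' "$1"
}

# audit_bluez_conf FILE: one "FAIL <key>: <reason>" line per weak setting,
# "OK" when everything passes. Exit status 0 = pass, 1 = at least one failure.
audit_bluez_conf() {
    f=$1; fails=0

    # ISM-1200 / CC ID 12538: "only" refuses legacy (non Secure Connections) pairing.
    v=$(conf_get "$f" SecureConnections)
    [ "$v" = "only" ] || { echo "FAIL SecureConnections: '$v' (want: only)"; fails=1; }

    # CC ID 12538: never silently accept a Just Works re-pairing from a peer
    # that was previously bonded with an authenticated method.
    v=$(conf_get "$f" JustWorksRepairing)
    [ "$v" = "never" ] || { echo "FAIL JustWorksRepairing: '$v' (want: never)"; fails=1; }

    # ISM-1196 / PCI 4.2.3 G: discoverable only for a short pairing window.
    # In BlueZ, 0 means "stay discoverable forever", so it is the worst value.
    v=$(conf_get "$f" DiscoverableTimeout)
    case "$v" in
        ''|*[!0-9]*) echo "FAIL DiscoverableTimeout: '$v' (want: 1-180 seconds)"; fails=1 ;;
        0)           echo "FAIL DiscoverableTimeout: 0 = discoverable forever"; fails=1 ;;
        *)           [ "$v" -le 180 ] || { echo "FAIL DiscoverableTimeout: $v > 180"; fails=1; } ;;
    esac

    # Pairing requests should not be accepted indefinitely outside a pairing window.
    v=$(conf_get "$f" AlwaysPairable)
    [ "$v" != "true" ] || { echo "FAIL AlwaysPairable: true (want: false or unset)"; fails=1; }

    [ "$fails" -eq 0 ] && echo "OK"
    return "$fails"
}

# Constructed weak configuration (illustrative, not from any real host).
write_weak_conf() {
    cat > "$1" <<'EOF'
[General]
Name = kiosk-01
DiscoverableTimeout = 0
AlwaysPairable = true
# SecureConnections left unset: the daemon default applies, which is not "only"
JustWorksRepairing = always

[Policy]
AutoEnable = true
EOF
}

# Constructed hardened configuration implementing the controls above.
write_hardened_conf() {
    cat > "$1" <<'EOF'
[General]
Name = kiosk-01
DiscoverableTimeout = 60
AlwaysPairable = false
SecureConnections = only
JustWorksRepairing = never

[Policy]
AutoEnable = false
EOF
}

# Run both samples through the audit when executed directly.
demo() {
    d=$(mktemp -d)
    write_weak_conf "$d/weak.conf"
    write_hardened_conf "$d/hardened.conf"
    for f in "$d/weak.conf" "$d/hardened.conf"; do
        echo "== $f"
        audit_bluez_conf "$f" || true
    done
    rm -rf "$d"
}

demo
```

Two caveats a practitioner should keep in mind: the pairing association model is negotiated from both devices' IO capabilities, so registering a DisplayYesNo agent on the host yields Numeric Comparison only when the peer can also display a code, and a peer advertising NoInputNoOutput still forces Just Works for the initial pairing (the file can only refuse Just Works re-pairing); and the ISM-1202 range requirement is met by selecting class 2 or class 3 radios, which no software setting can enforce.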


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing. (Security Control: 1196; Revision: 1, Australian Government Information Security Manual, March 2021)
  • Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices. (Security Control: 1198; Revision: 1, Australian Government Information Security Manual, March 2021)
  • The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices. (Security Control: 1202; Revision: 1, Australian Government Information Security Manual, March 2021)
  • OFFICIAL and PROTECTED mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing. (Control: ISM-1196; Revision: 2, Australian Government Information Security Manual, June 2023)
  • Bluetooth pairing for OFFICIAL and PROTECTED mobile devices is performed in a manner such that connections are only made between intended Bluetooth devices. (Control: ISM-1198; Revision: 2, Australian Government Information Security Manual, June 2023)
  • Bluetooth pairing for OFFICIAL and PROTECTED mobile devices is performed using Secure Connections, preferably with Numeric Comparison if supported. (Control: ISM-1200; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Bluetooth functionality is not enabled on SECRET and TOP SECRET mobile devices. (Control: ISM-0682; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Bluetooth functionality is not enabled on SECRET and TOP SECRET mobile devices. (Control: ISM-0682; Revision: 5, Australian Government Information Security Manual, September 2023)
  • OFFICIAL: Sensitive and PROTECTED mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing. (Control: ISM-1196; Revision: 3, Australian Government Information Security Manual, September 2023)
  • Bluetooth pairing for OFFICIAL: Sensitive and PROTECTED mobile devices is performed in a manner such that connections are only made between intended Bluetooth devices. (Control: ISM-1198; Revision: 3, Australian Government Information Security Manual, September 2023)
  • Bluetooth pairing for OFFICIAL: Sensitive and PROTECTED mobile devices is performed using Secure Connections, preferably with Numeric Comparison if supported. (Control: ISM-1200; Revision: 6, Australian Government Information Security Manual, September 2023)
  • Bluetooth devices should be configured by default as, and remain, undiscoverable except as needed for pairing (4.2.3 G, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Bluetooth technology and associated devices are susceptible to general wireless networking threats (e.g. denial of service [DoS] attacks, eavesdropping, man-in-the-middle [MITM] attacks, message modification, and resource misappropriation) as well as specific Bluetooth-related attacks that target kn… (§ 5.13.1.3 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)