BlackBerry OS 7.x.x Security Technical Implementation Guide
Version 2 Release 11
2017-10-27
U_BlackBerry_OS_7-x_STIG_V2R11_Manual-xccdf.xml
BlackBerry OS 7.x.x STIG in XCCDF format

Vulnerabilities (16)
When the Password Keeper is enabled on the BlackBerry device, the AO must review and approve its use, and the application must be configured as required.
Discussion
Password Keeper is a default BlackBerry application that can be installed on the BlackBerry handheld device. This application allows users to store passwords. The use of Password Keeper should be reviewed and approved by the local AO. Passwords are stored using 256-bit AES encryption using the BlackBerry FIPS 140-2 certified encryption module. Passwords in the Password Keeper can be copied and pasted into other applications, but the password is unencrypted while it resides in the BlackBerry handheld device clipboard.
Fix Text
When the Password Keeper is enabled on the BlackBerry device, the AO has reviewed and approved its use, and the application is configured as required.
Check Content
Detailed Policy Requirements: When the Password Keeper is enabled on the BlackBerry device, the AO must have reviewed and approved its use, and the application must be configured to enforce the following password rules:
- Require use of eight or more characters. The Password Keeper must be configured to enforce this policy.
- Set the number of incorrect passwords entered before a device wipe occurs to 10 or less. The Password Keeper must be configured to enforce this policy.
- Set local policy to require a change of password at least every 90 days.

Check Requirements: Interview the ISSO. Ask if users are allowed to use Password Keeper on their handheld devices.

If Password Keeper is used:
- Review the AO approval documentation regarding this.
- Work with the ISSO to view the Password Keeper configuration on a sampling of BlackBerry devices using this application. On each BlackBerry, go to Applications/Password Keeper. The Password Keeper icon may also be installed directly on the BlackBerry home screen.
- Verify the following Password Keeper settings (have the user log into Password Keeper, then click Menu and select Options):
  - Verify Random Password Length is set to 8 or more.
  - Verify Password Attempts is set to 10 or less.
- Verify users are trained on the password change requirement (90 days or less) by reviewing the user agreement or training materials.

If Password Keeper is not authorized:
- Review a sample of site BlackBerry devices (2-3 devices) to verify Password Keeper is not installed: Settings >> Options >> Advanced >> Applications. Review the list of installed applications and confirm Password Keeper is not on the list.
Responsibility
System Administrator
BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Discussion
Insecure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.
Fix Text
BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Check Content
Detailed Policy Requirements: When the BlackBerry Bluetooth Smart Card Reader (SCR) is used as a PC SCR, the following requirements must be followed:
- The AO must approve the use of a Bluetooth smart card reader with command/site PCs.

Check Procedures: Interview the ISSO and wireless email system administrator. Determine if use of the BlackBerry SCR with site PCs has been approved. If yes, verify the following requirements are met:
- The AO has approved the use of the BlackBerry SCR with site PCs. Have the ISSO provide documentation showing AO approval (letter, memo, SSP, etc.).
Responsibility
System Administrator
Onset Technologies METAmessage software must not be installed on DoD BlackBerry devices or on the BES.
Discussion
Onset Technologies METAmessage software is production software which may introduce a virus or other malicious code on the system. This software is not approved for use on DoD systems.
Fix Text
Remove Onset Technologies METAmessage software installed on DoD BlackBerry devices or on the BES.
Check Content
Perform the following procedures on the BES and a sample of BlackBerry devices (use 2-3 devices for a random sample), as appropriate:
- Check a sample of BlackBerry devices (Settings >> Options >> Advanced Options >> Applications) to ensure the METAmessage application is not loaded on the BlackBerry device.
- On the BES, have the BlackBerry Administrator show that the BES Application White List does not contain the application. This review should be performed at the same time checks WIR1310-01, WIR1310-02, and WIR1310-03 are reviewed so work is not duplicated. View the list of applications assigned to 3-4 sample Application White List software configurations assigned to users. Verify METAmessage is not listed.

The METAmessage application allows the user to open and create Microsoft Office files, such as MS Word or Excel attachments or documents. These documents can then be sent via email, saved, or printed. This application presents a security risk and is not allowed for use in DoD. Verify this software application is not used by interviewing the ISSO or reviewing a sampling of the devices.
Responsibility
System Administrator
BlackBerry devices must be provisioned so users can digitally sign and encrypt email notifications or any other email required by DoD policy.
Discussion
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance that the message is authentic, and their use is required by DoD policy. Reference the DoD CIO memorandum regarding interim guidance on the use of derived PKI credentials (2015-05-06 DoD Interim Guidance for Implementing Derived PKI Credentials on Unclass CMDs) for BlackBerry certificate configuration information.
Fix Text
BlackBerry devices must be provisioned so users can digitally sign and encrypt emergency and/or critical email notifications.
Check Content
Perform the following steps on a sample of site BlackBerry devices (use 2-3 devices as a random sample), as appropriate, to verify users have the capability to sign and encrypt email. Verify S/MIME is configured such that users may sign messages. Check a sample of BlackBerry devices:
- Verify the S/MIME application and Smart Card Reader drivers are installed on the device:
  - On the BlackBerry go to Settings > Options > Advanced Options > Applications.
  - Look for the following applications:
    - S/MIME Support Package
    - PIV Drivers (optional)
    - BlackBerry Smart Card Reader
    - DoD Root Certificates
- Verify certificates are configured on the BlackBerry:
  - Settings > Options > Security Options > Certificate Servers: GDS and OCSP servers should be listed.
  - Settings > Options > Security Options > Certificate: DoD Root certificates should be listed.
  - Settings > Options > Security Options > S/MIME: the user's public keys should be loaded.
Responsibility
System Administrator
If BlackBerry email auto signatures are used, the signature message must not disclose that the email originated from a BlackBerry or mobile device (e.g., “Sent From My Wireless Handheld”).
Discussion
The signature message may give an attacker information that identifies the type of device in use. This is primarily an OPSEC issue. This setting was directed by USCYBERCOM.
Fix Text
If BlackBerry email auto signatures are used, the signature message does not disclose that the email originated from a BlackBerry or mobile device (e.g., “Sent From My Wireless Handheld”).
Check Content
Check a sample of BlackBerry devices (use 2-3 devices as a random sample):
- Open the BlackBerry email folder.
- Highlight the date line at the top of the list of messages.
- Click the Menu button.
- Select Options, then Email Settings.
- Check the contents of the "Auto Signature" text box to verify compliance.
Responsibility
Information Assurance Officer
All Internet browser icons must be disabled from the BlackBerry device except for the BlackBerry Internet Browser icon.
Discussion
The BlackBerry Browser forces all Internet browsing to go through the site internet gateway, which provides additional security over the carrier's browser.
Fix Text
All Internet browsers must be disabled and removed from the BlackBerry device except for the BlackBerry Internet Browser.
Check Content
Complete the following procedures on a sample of site BlackBerry devices (2-3 devices), as appropriate:
- Review a sample (3-4) of handheld devices and verify the Wireless Carrier's Internet browser icon, web portal browser icon, and all other browser icons (Yahoo, etc.) are not installed on the BlackBerry device. The only browser icon installed should be the BlackBerry browser icon. Go to the BlackBerry device Home screen and verify only the BlackBerry browser icon is present.
- Go to Settings > Options > Advanced Options > Browser and verify the BlackBerry Browser is set as the default browser.
BlackBerry devices must have required operating system software version installed.
Discussion
Required security features are not available in earlier OS versions. In addition, there are known vulnerabilities in earlier versions.
Fix Text
Update BlackBerry devices to the required operating system software version.
Check Content
Detailed Policy Requirements: BlackBerry Handheld Software must be version 7.1 or later on BlackBerry devices. Otherwise, this is a finding.

Check Procedures: Verify the required BlackBerry Handheld Software version is being used. On a sample of site BlackBerry devices (use 2-3 for random sampling), check the installed software version as follows: Select Settings >> Options >> About.
Responsibility
System Administrator
Security configuration settings on the BlackBerry devices managed by the site must be compliant with requirements listed in Table 5, BlackBerry STIG Configuration Tables.
Discussion
These checks are related to a defense-in-depth approach for the BlackBerry, including ensuring the locked BlackBerry is not identified as a DoD BlackBerry and providing visual indicators when the Bluetooth radio is being used so users can verify they have initiated a Bluetooth connection attempt or if a hacker has initiated the connection.
Fix Text
Security configuration settings on the BlackBerry devices managed by the site are compliant with requirements listed in Table 1, BlackBerry STIG Configuration Tables.
Check Content
Verify the BlackBerry administrator has used the configuration settings listed in Table 5, BlackBerry STIG Configuration Tables, and check the following settings:
- Device Name (this is checked in two locations)
- Reader LED: Low Battery
- Reader LED: Pairing
- Reader LED: Traffic

A sample of BlackBerry devices should be checked (use 2-3 devices as a random sample). Table 5, BlackBerry STIG Configuration Tables, contains instructions on how to verify correct settings on a BlackBerry.
IA Controls
ECWN-1
BlackBerry devices must be provisioned so users can digitally sign and encrypt email notifications.
Discussion
S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance that the message is authentic, and their use is required by DoD policy. Reference the DoD CIO memorandum regarding interim guidance on the use of derived PKI credentials (2015-05-06 DoD Interim Guidance for Implementing Derived PKI Credentials on Unclass CMDs) for BlackBerry certificate configuration information.
Fix Text
BlackBerry devices must be provisioned so users can digitally sign and encrypt emergency and/or critical email notifications.
Check Content
If user software certificates are used on the BlackBerry instead of the CAC, verify the AO has approved their use (letter, memo, SSP, etc.).
Responsibility
Information Assurance Officer
BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Discussion
Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.
Fix Text
BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Check Content
Detailed Policy Requirements: When the BlackBerry Bluetooth Smart Card Reader (SCR) is used as a PC SCR, the following requirements must be followed:
- At the time of the publication of this document, the use of the BlackBerry SCR for authentication with PCs is only authorized with PCs that have Microsoft Windows XP. The Microsoft Vista and Windows 7 Bluetooth stack has not yet been tested with the BlackBerry SCR to determine if Bluetooth device pairing can be done in a secure manner and meets DoD security requirements.

Check Procedures: Perform the following checks on site PCs used with the BlackBerry Bluetooth SCR:
- Interview the ISSO and SA and verify the BlackBerry SCR is not used with Windows Vista and Windows 7.
- BlackBerry users with Vista or Windows 7 on their PCs must be put in the BlackBerry users group not authorized to use the BlackBerry SCR with their PCs.
Responsibility
System Administrator
BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Discussion
Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.
Fix Text
BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Check Content
Detailed Policy Requirements: When the BlackBerry Bluetooth Smart Card Reader (SCR) is used as a PC SCR, the following requirements must be followed:
- The PC must have the Bluetooth Lockdown tool installed and configured correctly.

Check Procedures: Perform the following checks on a sample (use 2-3 for a random sample) of site PCs used with the BlackBerry Bluetooth SCR. Verify the Bluetooth Lockdown tool is installed and configured correctly:
- On the PC, go to Start >> Control Panel >> Add or Remove Programs >> select BlackBerry Smart Card Reader v1.5.1 and click the "Change/Remove" button.
- In the first pop-up dialog box, click the "Next" button.
- In the next dialog box, verify "Modify" is selected and click the "Next" button.
- In the next dialog box, click the "Next" button.
- In the next dialog box (Restrict Bluetooth Functionality), verify the checkbox is checked.
- Click the "Cancel" button to cancel installation.
Responsibility
System Administrator
BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Discussion
Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.
Fix Text
BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.
Check Content
Detailed Policy Requirements: When the BlackBerry Bluetooth Smart Card Reader (SCR) is used as a PC SCR, the following requirements must be followed:
- Bluetooth radios installed in site PCs must be Class 2 or 3. Class 1 (100 mW) Bluetooth radios are not allowed.

Note: ISSOs: To determine the "class" rating of the Bluetooth radio, look under the specification section of the Bluetooth Network Interface Card manual, which can be downloaded from the laptop vendor's web site or the Bluetooth dongle vendor's web site. Nearly all internal laptop Bluetooth radios are Class 2 or 3, and many Bluetooth dongle radios are Class 1.

Check Procedures: Perform the following checks on site PCs used with the BlackBerry Bluetooth SCR:
- Interview the ISSO to verify only Bluetooth Class 2 or 3 radios are used in site PCs.
- Have the ISSO or site BlackBerry Administrator show, for a sample of PCs, that the Bluetooth radio is not a Class 1 radio by providing a copy of the Bluetooth radio specification sheet.
Responsibility
System Administrator
Required version of the BlackBerry Smart Card Reader (SCR) hardware must be used, and required versions of the drivers must be installed both on the BlackBerry and the SCR.
Discussion
Required SCR security features are not available in earlier versions, and therefore Bluetooth vulnerabilities will not have been patched.
Fix Text
Comply with DoD policy.
Check Content
Detailed Policy Requirements: Site BlackBerry devices and SCRs must have the required software versions installed.
- The BlackBerry SCR hardware must be version 1 (model PRD-09695-004) or version 2 (model PRD-16951-001).
- BlackBerry SCR software package version 4.2.0.107 or later is required (Application version 4.2.0.107, Software platform 1.5.0.81).
- Apriva Bluetooth SCR (BT200) driver v03-30-02 or later is required.
- Biometric Associates BaiMobile 3000MP SCR driver 0.1.3(19.07.13) or later is required.

Check Procedures:
If using the BlackBerry SCR:
- Verify the required SCR model is used. The model number can be found under the battery.
- Verify the required BlackBerry SCR software is being used. On a sample of BlackBerry SCRs (use 2-3 devices for a random sample), press and hold the Action button until "rEsetInG" appears, and then read the Application version and Software platform version as they are displayed.
If using the Apriva SCR:
- On the BlackBerry, press lower case v (as in Victor) to verify the version number of the Apriva Utility installed on the BlackBerry.
- On the BlackBerry, press lower case r (as in Romeo) to verify the version number of the Apriva driver installed on the Apriva SCR.
If using the Biometric Associates SCR:
- On the BlackBerry, go to Settings >> Device >> Application Management >> baiSmartCardReader and verify the version number of the installed driver.
If the required driver is not installed, this is a finding.
Responsibility
System Administrator
BlackBerry Web Desktop Manager (BWDM) or BlackBerry Desktop Manager (BDM) must be configured as required.
Discussion
The BWDM provides the capability for users to self-provision their BlackBerry and to synchronize the BlackBerrys to the BES. The BWDM works by providing a web client interface to the BlackBerry database via the BlackBerry Administrative Service (BAS). Users must log into the BAS to access the data service. The BAS is a private web server. CTO 0715rev 1 requires either CAC authentication or a complex 15-character password to log into DoD private web servers. DoD users must use their CAC for authentication to the BAS because they do not know their 256 character AD password.
Fix Text
Configure BlackBerry Web Desktop Manager (BWDM) for CAC authentication, if used, or use an approved version of BlackBerry Desktop Manager.
Check Content
Detailed Policy Requirement: Neither BDM nor BWDM is required on BlackBerry users' desktops, but if either is used, it must meet the following requirements:
- For BDM, follow the instructions found in USCYBERCOM IAVM Notice 2010-A-0132.
- If BWDM is used, the BlackBerry Administration Server (BAS) must be configured for Microsoft Active Directory authentication on the BES.

Check Procedures: The site can use either BlackBerry Desktop Manager or BlackBerry Web Desktop Manager, or neither. Check a sample of BlackBerry user PCs (2-3).
- If BlackBerry Desktop Manager is used, verify the requirements found in USCYBERCOM IAVM Notice 2010-A-0132 have been followed.
- If BlackBerry Web Desktop Manager is used, no further action is required, since the BES review will verify the BES has been configured for Microsoft Active Directory authentication in check WIR1355-01 (V-22102).
Responsibility
System Administrator
Only approved Bluetooth headset and handsfree devices must be used with site managed BlackBerry devices.
Discussion
Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.
Fix Text
Use only approved Bluetooth headset and handsfree devices.
Check Content
Detailed Policy Requirements: The following Bluetooth headset and handsfree devices are approved: Biometric Associates, LP (BAL) blueARMOR family of headsets (blueARMOR 100, blueARMOR 105, and blueARMOR 200) with firmware version 1.5.x.

Check Procedures: For the BAL headset, the only way to verify the device model number and firmware version is to check the Bluetooth device name of a paired headset.
- Have the user pair the device to the BlackBerry, if not already paired.
- On the BlackBerry handheld, go to Options > Networks and Connections > Bluetooth Connections and check the list of paired devices. The device name should be in the form of baiMobileBA100 V1.5.0.
- The reviewer should check a sample of BlackBerry devices at the site (2-3) and verify compliance.

Note: If the site uses the FIXMO Sentinel Enterprise integrity verification tool, checking BlackBerry handhelds is not required. Have the system administrator show that the Sentinel server is configured to audit paired Bluetooth devices on site managed BlackBerry handhelds.
Only supported versions of BlackBerry OS 7.x must be used.
Discussion
If an unsupported version of BlackBerry OS 7.x is being used, the device is not being updated with security patches and may contain vulnerabilities that may expose sensitive DoD data to unauthorized people. BlackBerry OS 7.x supports old and obsolete technologies and is no longer being supported by BlackBerry.
Fix Text
Remove all BlackBerry devices using BlackBerry OS 7.x.
Check Content
Determine if any version of BlackBerry OS 7.x is installed at the site. BlackBerry stopped supporting all versions of BlackBerry OS on 30 September 2017. If any version of BlackBerry OS 7.x is installed on site BlackBerry devices, this is a finding.