Rule ID
SV-272334r1093534_rule
Version
V1R1
CCIs
CCI-001443, CCI-002314
If no authentication is required to establish personal hotspot connections, an adversary may be able to use that device to perform attacks on other devices or networks without detection. A sophisticated adversary may also be able to exploit unknown system vulnerabilities to access information and computing resources on the device. Requiring authentication to establish personal hotspot connections mitigates this risk. Application Note: If hotspot functionality is permitted, it must be authenticated via a preshared key. There is no requirement to enable hotspot functionality, and it is recommended this functionality be disabled by default. SFR ID: FMT_SMF_EXT.1.1 #41
This is a User-Based Enforcement (UBE) control. Check a sample of LEXL11 phones at the site and verify the Wi-Fi hotspot preshared key (password) is set to "WPA2/WPA3-Personal" or "WPA3-Personal". 1. Go to Settings >> Network & Internet >> Hotspot & tethering. 2. Enable "Wi-Fi hotspot". 3. On the left of the slide, tap on "Wi-Fi Hotspot" to bring up the configuration options. 4. Click on the "Security" link and verify either "WPA2/WPA3-Personal" or "WPA3-Personal" is selected. If the Wi-Fi hotspot security is not set to "WPA2/WPA3-Personal" or "WPA3-Personal", this is a finding.
This is a User-Based Enforcement (UBE) control.
Train users to not change the default Wi-Fi hotspot security setting: 15-character complex Wi-Fi hotspot preshared key (password) ("WPA2/WPA3-Personal" or WPA3-Personal"). (MOTS-13-009800)
If the required preshared key is not set up, train users to use the following procedure to set up the required setting:
1. Go to Settings >> Network & Internet >> Hotspot & tethering.
2. Enable "Wi-Fi hotspot".
3. On the left of the slide, tap on "Wi-Fi Hotspot" to bring up the configuration options.
4. Click on the "Security" link and select either "WPA2/WPA3-Personal" or "WPA3-Personal".