NIAP: View Technical Decision Details
TD0645:  Bluetooth audit details

Publication Date
2023.03.22

Protection Profiles
MOD_BT_V1.0

Other References
FAU_GEN.1/BT

Issue Description

Currently, the log events for FIA_BLT_EXT.1/2/3 all require the full BD_ADDR (and in some cases the name) to be provided in the audit record. This has raised privacy concerns about the ability to track the devices that are being connected to (as seen with the COVID-19 tracing apps, which initially listed the devices that were being contacted), and there is a need to further restrict the full information.

Resolution

Table 2 is modified for FIA_BLT_EXT.1/2/3 as follows, with strikethrough denoting deletions and underline denoting additions:

 

| Requirement | Auditable event | Additional Audit Record Contents |
| --- | --- | --- |
| FIA_BLT_EXT.1 | Failed user authorization of Bluetooth device. Failed user authorization for local Bluetooth Service. | User authorization decision (e.g., user rejected connection, incorrect pin entry). Bluetooth address [selection: complete, last [assignment: integer greater than or equal to 2] octets of the] BD_ADDR and [selection: name of device, uniquely generated nonce for each pairing, no other information]. Bluetooth profile. Identity of local service with [selection: service ID, profile name]. |
| FIA_BLT_EXT.2 | Initiation of Bluetooth connection. Failure of Bluetooth connection. | Bluetooth address [selection: complete, last [assignment: integer greater than or equal to 2] octets of the] BD_ADDR and [selection: name of device, uniquely generated nonce for each pairing, no other information]. Reason for failure. |
| FIA_BLT_EXT.3 (optional) | Duplicate connection attempt. | [selection: complete, last [assignment: integer greater than or equal to 2] octets of the] BD_ADDR of connection attempt. |
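One way an audit subsystem could apply these selections, shown as an added example that is not part of the Technical Decision or of any evaluated product. The class name, field names, the 64-bit nonce length and the reuse of one nonce across all records of a pairing are assumptions.

```python
import re
import secrets

def bd_addr_field(bd_addr, last_octets=None):
    """BD_ADDR as it goes into the audit record.

    last_octets=None is the 'complete' selection; an integer is the
    'last N octets' selection, for which the table requires N >= 2.
    """
    digits = re.sub(r"[:-]", "", bd_addr)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("BD_ADDR must be six hex octets")
    octets = [digits[i:i + 2].upper() for i in range(0, 12, 2)]
    if last_octets is None:
        return ":".join(octets)
    # Upper bound 6 is the length of a BD_ADDR in octets.
    if not isinstance(last_octets, int) or not 2 <= last_octets <= 6:
        raise ValueError("last_octets must be an integer from 2 to 6")
    return ":".join(octets[-last_octets:])

class BluetoothAuditFormatter:
    """Hypothetical helper that builds FIA_BLT_EXT.1/2/3 audit fields."""

    def __init__(self, last_octets=2, extra="nonce"):
        if extra not in ("name", "nonce", "none"):
            raise ValueError("extra must be 'name', 'nonce' or 'none'")
        bd_addr_field("00:00:00:00:00:00", last_octets)  # reject a bad N early
        self.last_octets = last_octets
        self.extra = extra
        self._nonces = {}  # normalized full BD_ADDR -> nonce, kept out of the log

    def start_pairing(self, bd_addr):
        """Generate a fresh random nonce for this pairing (assumed 64 bits)."""
        nonce = secrets.token_hex(8)
        self._nonces[bd_addr_field(bd_addr)] = nonce
        return nonce

    def record(self, event, bd_addr, name=None, **details):
        rec = {"event": event,
               "bd_addr": bd_addr_field(bd_addr, self.last_octets)}
        if self.extra == "name":
            rec["name"] = name
        elif self.extra == "nonce":
            key = bd_addr_field(bd_addr)
            rec["pairing_nonce"] = self._nonces.get(key) or self.start_pairing(bd_addr)
        rec.update(details)  # e.g. reason for failure, profile name
        return rec
```

With the nonce selection, two peers whose truncated addresses collide remain distinguishable in the log, while neither the full address nor the device name is written to it.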

 

 

Justification

See issue description.

 
 