Windows 10 Mobile must be configured to implement the management setting: Disable the capability of the Cortana personal assistant A.I. to be functional when the device is locked.

From Microsoft Windows 10 Mobile Security Technical Implementation Guide

Part of PP-MDF-991000

Associated with: CCI-000366

SV-84757r1_rule Windows 10 Mobile must be configured to implement the management setting: Disable the capability of the Cortana personal assistant A.I. to be functional when the device is locked.

Vulnerability discussion

When a mobile device is locked, there should be no access to its protected/sensitive data as it could enable unauthorized people with physical access to the device to bring up and view sensitive information. The Cortana personal assistant can perform a number of voice related queries and actions which can aid productivity but also allows some of its actions to be done while the device is locked. For example, even if the device is locked, if you can bring up the Cortana search page you can ask things like "show me my calendar" and that will bring up potentially sensitive information under lockscreen. Disabling this feature mitigates the exposure of potentially sensitive information that should remain secured when a device is locked.SFR ID: FMT_SMF_EXT.1.1 #45

Check content

Review Windows 10 Mobile configuration settings to determine if the mobile device can still use Cortana voice control while it is locked. If feasible, use a spare device to determine if calling up Cortana to listen and respond to commands is possible while the device is locked. This validation procedure is performed on both the MDM administration console and the Windows 10 Mobile device. It assumes you have an existing device timeout policy in place that will lock the device after a certain period. On the MDM administration console: 1. Ask the MDM administrator to verify the phone compliance policy. 2. Find the setting for "allow access to the Cortana personal assistant". 3. Verify that setting restriction is turned off/disallowed. On the Windows 10 Mobile device: 1. Unlock the device. 2. Tap the "Search" button at the lower right of the device. 3. Verify that when the search screen comes up that a message with "Sorry, but your company policy prevents me from working" appears at the top. If the MDM does not have a policy setting enforced for "allow access to the Cortana personal assistant" or if when you tap the "Search" button on an unlocked device a message does not come up with the wording "Sorry, but your company policy prevents me from working", this is a finding.

Fix text

Configure the MDM system to require the "allow access to the Cortana personal assistant" policy be disabled for Windows 10 Mobile devices. Deploy the MDM policy on managed devices.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer