Network Effects

This category refers to network-based techniques that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself. These include techniques to intercept or manipulate network traffic to and from the mobile device.
ID: TA0038


Techniques: 9
T1466Downgrade to Insecure Protocols

An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate as described in NIST SP 800-187 . Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.

T1439Eavesdrop on Insecure Network Communication

If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication. For example, He et al. describe numerous healthcare-related applications that did not properly protect network communication.

T1449Exploit SS7 to Redirect Phone Calls/SMS

An adversary could exploit signaling system vulnerabilities to redirect calls or text messages to a phone number under the attacker's control. The adversary could then act as a man-in-the-middle to intercept or manipulate the communication.

T1450Exploit SS7 to Track Device Location

An adversary could exploit signaling system vulnerabilities to track the location of mobile devices.

T1464Jamming or Denial of Service

An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating.

T1463Manipulate Device Communication

If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to man-in-the-middle attacks .

T1467Rogue Cellular Base Station

An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. For example, Ritter and DePerry of iSEC Partners demonstrated this technique using a compromised cellular femtocell at Black Hat USA 2013 .

T1465Rogue Wi-Fi Access Points

An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication as described in NIST SP 800-153 .

T1451SIM Card Swap

An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account . The adversary could then obtain SMS messages or hijack phone calls intended for someone else .