research-article

Threat modeling framework for mobile communication systems

Published: 01 February 2023

Abstract

This paper presents a domain-specific threat-modeling framework for cellular mobile networks. We survey known attacks against mobile communication and organize them into attack phases, tactical objectives, and techniques. The Bhadra framework aims to provide a structured way to analyze and communicate threats at a level that abstracts away the technical details but still provides meaningful insights into adversarial behavior. Our goals are similar to those of existing threat modeling frameworks for enterprise information systems, but with a focus on mobile operator networks. The framework fills a gap that has existed in tools and methodology for sharing threat intelligence within and between organizations in the telecommunications industry. The paper includes concrete case studies of applying the framework. It can also be read as a survey of attacks against mobile networks.
CCS CONCEPTS
Security and privacy → Security requirements; Mobile and wireless security; Networks → Mobile networks

References

[1]
Abdelrazek, L., 2018GTScan: the Nmap scanner for telcohttps://www.github.com/SigPloiter/GTScan [Online] Accessed: 2020-03-31
[2]
L. Abdelrazek, M.A. Azer, SigPloit: a new signaling exploitation framework, 2018 Tenth International Conference on Ubiquitous and Future Networks (ICUFN), IEEE, 2018, pp. 481–486.
[3]
AdaptiveMobile Security, 2019a. New simjacker vulnerability exploited by surveillance companies for espionage operationAccessed: 2020-03-15
[4]
AdaptiveMobile Security, 2019b. Simjacker next generation spying over mobile https://www.adaptivemobile.com/blog/simjacker-next-generation-spying-over-mobile [Online]Accessed: 2020-03-15
[5]
I. Ahmad, T. Kumar, M. Liyanage, J. Okwuibe, M. Ylianttila, A. Gurtov, 5G Security: analysis of threats and solutions, 2017 IEEE Conference on Standards for Communications and Networking (CSCN), IEEE, 2017, pp. 193–199.
[6]
B. Alecu, SMS fuzzing–SIM toolkit attack, Vol. 21, DEF CON, 2013.
[7]
S. Alt, P.-A. Fouque, G. Macario-Rat, C. Onete, B. Richard, A cryptographic analysis of UMTS/LTE AKA, International Conference on Applied Cryptography and Network Security, Springer, 2016, pp. 18–35.
[8]
Amine, Y. E., 2021Former softbank employee alleged to have leaked 5G data to Rakuten https://www.insidetelecom.com/former-softbank-employee-leaks-5g-secrets-to-rivals/ [Online] Accessed: 2021-09-29
[9]
M. Anagnostopoulos, G. Kambourakis, S. Gritzalis, New facets of mobile botnet: architecture and evaluation, Int. J. Inf. Secur. 15 (5) (2016) 455–473.
[10]
N. Anwar, I. Riadi, A. Luthfi, Forensic SIM card cloning using authentication algorithm, Int. J. Electron.Inform. Eng. 4 (2) (2016) 71–81.
[11]
M. Arapinis, L.I. Mancini, E. Ritter, M. Ryan, Privacy through pseudonymity in mobile telephony systems, NDSS, 2014.
[12]
Armasu, L., 2018Backdoors keep appearing in Cisco’s routers https://www.tomshardware.com/news/cisco-backdoor-hardcoded-accounts-software,37480.html [Online]Accessed: 2021-09-29
[13]
M. Ashdown, S. Lynchard, SS7 Firewall System, US Patent 6,308,276, 2001.
[14]
F.M. Aziz, J.S. Shamma, G.L. Stüber, Resilience of LTE networks against smart jamming attacks, 2014 IEEE Global Communications Conference, IEEE, 2014, pp. 734–739.
[15]
E. Barkan, E. Biham, N. Keller, Instant ciphertext-only cryptanalysis of GSM encrypted communication, J. Cryptol. 21 (3) (2008) 392–429.
[16]
D. Basin, J. Dreier, L. Hirschi, S. Radomirovic, R. Sasse, V. Stettler, A formal analysis of 5G authentication, Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018, pp. 1383–1396.
[17]
R. Bassil, A. Chehab, I. Elhajj, A. Kayssi, Signaling oriented denial of service on LTE networks, Proceedings of the 10th ACM International Symposium on Mobility Management and Wireless Access, 2012, pp. 153–158.
[18]
R. Bassil, I.H. Elhajj, A. Chehab, A. Kayssi, Effects of signaling attacks on LTE networks, 2013 27th International Conference on Advanced Information Networking and Applications Workshops, IEEE, 2013, pp. 499–504.
[19]
Bhorkar, G., et al., 2017Security analysis of an operations support system.
[20]
J. Bickford, R. O’Hare, A. Baliga, V. Ganapathy, L. Iftode, Rootkits on smart phones: attacks, implications and opportunities, Proceedings of the Eleventh Workshop on Mobile Computing Systems & Applications, 2010, pp. 49–54.
[21]
A. Biryukov, A. Shamir, D. Wagner, Real time cryptanalysis of A5/1 on a PC, International Workshop on Fast Software Encryption, Springer, 2000, pp. 1–18.
[22]
D. Bodeau, C. McCollum, D. Fox, Cyber Threat Modeling: Survey, Assessment, and Representative Framework, HSSEDI, The MITRE Corporation, 2018.
[23]
R. Borgaonkar, L. Hirschi, S. Park, A. Shaik, New privacy threat on 3G, 4G, and upcoming 5G AKA protocols, Proc. Privacy Enhancing Technol. 2019 (3) (2019) 108–127.
[24]
R. Borgaonkar, K. Redon, J.-P. Seifert, Security analysis of a femtocell device, Proceedings of the 4th International Conference on Security of Information and Networks, ACM, 2011, pp. 95–102.
[25]
R. Borgaonkar, A. Shaik, 5G IMSI Catchers Mirage, BlackHat Briefings, 2021.
[26]
R. Borgaonkar, A. Shaik, N. Asokan, V. Niemi, J.-P. Seifert, LTE and IMSI catcher myths, Vol. 2015, BlackHat Europe, 2015.
[27]
Brandom, R., 2017For $500, this site promises the power to track a phone and intercept its texts https://www.theverge.com/2017/6/13/15794292/ss7-hack-dark-web-tap-phone-texts-cyber-crime [Online] Accessed: 2020-03-15
[28]
Burgess, D. A., Samra, H. S., et al., 2008The OpenBTS project http://openBTS.org [Online] Accessed: 2022-01-10
[29]
K. Butler, T.R. Farley, P. McDaniel, J. Rexford, A survey of BGP security issues and solutions, Proc. IEEE 98 (1) (2009) 100–122.
[30]
S. Chalakkal, H. Schmidt, S. Park, Practical Attacks on VoLTE and VoWiFi, Tech. Rep, ERNW Enno Rey Netzwerke, 2017.
[31]
S. Checkoway, J. Maskiewicz, C. Garman, J. Fried, S. Cohney, M. Green, N. Heninger, R.-P. Weinmann, E. Rescorla, H. Shacham, A systematic analysis of the juniper dual EC incident, Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 468–479.
[32]
H.Y. Chen, S.P. Rao, Adversarial trends in mobile communication systems: from attack patterns to potential defenses strategies, Nordic Conference on Secure IT Systems, Springer, 2021, pp. 153–171.
[33]
W. Christl, K. Kopp, P.U. Riechert, Corporate surveillance in everyday life, 6 (2017).
[34]
P.B. Copet, G. Marchetto, R. Sisto, L. Costa, Formal verification of LTE-UMTS handover procedures, 2015 IEEE Symposium on Computers and Communication (ISCC), IEEE, 2015, pp. 738–744.
[35]
P.B. Copet, G. Marchetto, R. Sisto, L. Costa, Formal verification of LTE-UMTS and LTE–LTE handover procedures, Comput. Standards Interfaces 50 (2017) 92–106.
[36]
Cremers, C., Dehnel-Wild, M., 2019Component-based formal analysis of 5G-AKA: channel assumptions and session confusion.
[37]
A. Creswell, T. White, V. Dumoulin, K. Arulkumaran, B. Sengupta, A.A. Bharath, Generative adversarial networks: an overview, IEEE Signal Process Mag 35 (1) (2018) 53–65.
[38]
N.J. Croft, M.S. Olivier, A silent SMS denial of service (DoS) attack, Information and Computer Security Architectures (ICSA) Research Group South Africa, Vol. 29, 2007.
[39]
Cybereason, 2019Operation soft cell: a worldwide campaign against telecommunications providers https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos [Online] Published on: June 25, 2019
[40]
Cybereason, 2021DeadRinger: Exposing chinese threat actors targeting major telcos https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos [Online] Published on: August 3, 2021
[41]
A. Dabrowski, G. Petzl, E.R. Weippl, The messenger shoots back: network operator based IMSI catcher detection, International Symposium on Research in Attacks, Intrusions, and Defenses, Springer, 2016, pp. 279–302.
[43]
O. Dunkelman, N. Keller, A. Shamir, A practical-time attack on the a5/3 cryptosystem used in third generation GSM telephony, IACR Cryptol. ePrint Arch 2010 (2010) 13.
[44]
O. Dunkelman, N. Keller, A. Shamir, A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony, J. Cryptol. 27 (4) (2014) 824–849.
[45]
Z. Durumeric, D. Adrian, A. Mirian, M. Bailey, J.A. Halderman, A search engine backed by internet-wide scanning, Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, pp. 542–553.
[46]
S. Ehlert, D. Geneiatakis, T. Magedanz, Survey of network security systems to counter sip-based denial-of-service attacks, Comput. Secur. 29 (2) (2010) 225–243.
[47]
Electronic Communications Committee (ECC), 2003(Report 30) technical briefing: mobile access to the internet https://docdb.cept.org/download/286 [Online] Accessed: 2022-01-10
[48]
W. Enck, P. Traynor, P. McDaniel, T. La Porta, Exploiting open functionality in SMS-capable cellular networks, Proceedings of the 12th ACM conference on Computer and communications security, 2005, pp. 393–404.
[49]
T. Engel, Locating mobile phones using signalling system 7, 25th Chaos communication congress, 2008.
[50]
T. Engel, Ss7: Locate. Track. Manipulate, Talk at 31st Chaos Communication Congress, 2014.
[51]
“ENISA”, Signalling Security in Telecom SS7/Diameter/5G EU level assessment of the current situation, Technical Report, 2018.
[52]
European Union Agency for Cybersecurity (ENISA), 2020Enisa threat landscape for 5g networks 2019 https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-5g-networks [Online] Accessed: 2021-01-15
[53]
European Telecommunications Standards Institute (ETSI),. Technical Report
[54]
European Telecommunications Standards Institute (ETSI), 2020Technical committee (TC) lawful interception (LI) https://www.etsi.org/committee/1403-li [Online] Accessed: 2022-03-15
[55]
Ettus Research,. USRP Software Defined Radio (SDR) On-Line Catalog https://www.ettus.com/products/ [Online] Accessed: 2022-08-15
[56]
A.P. Felt, M. Finifter, E. Chin, S. Hanna, D. Wagner, A survey of mobile malware in the wild, Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, 2011, pp. 3–14.
[57]
M.A. Ferrag, L. Maglaras, A. Argyriou, D. Kosmanos, H. Janicke, Security for 4G and 5G cellular networks: a survey of existing authentication and privacy-preserving schemes, J. Netw. Comput. Appl. 101 (2018) 55–82.
[58]
D.P. Fidler, S. Ganguly, The Snowden Reader, Indiana University Press, 2015.
[59]
Franceschi-Bicchierai, L., 2018How criminals recruit telecom employees to help them hijack SIM cards https://www.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam [Online],Accessed: 2020-03-15
[60]
J. Franklin, C. Brown, S. Dog, N. McNab, S. Voss-Northrop, M. Peck, B. Stidham, Assessing Threats to Mobile Devices & Infrastructure: the Mobile Threat Catalogue, Technical Report, National Institute of Standards and Technology, 2016.
[61]
Gauci, S., 2021Massive DDoS attacks on VoIP providers and simulated DDoS testing https://www.rtcsec.com/post/2021/09/massive-ddos-attacks-on-voip-providers-and-simulated-ddos-testing/ [Online], Accessed: 2021-09-29
[63]
3rd Generation Partnership Project, Security Algorithms, 3GPP Technical Specification Series TS 35, 1999–2022.
[64]
3rd Generation Partnership Project, Security Aspects, 3GPP Technical Specification Series TS 33, 1999–2022.
[65]
3rd Generation Partnership Project, Study into routeing of MT-SMs via the HPLMN, 3GPP Technical Report TR 23.840, 2007.
[66]
3rd Generation Partnership Project, Access to the 3GPP Evolved Packet Core (EPC) via non-3GPP access networks, 3GPP Technical Specification TS 24.302, 2020.
[67]
3rd Generation Partnership Project, Universal Subscriber Identity Module (USIM) Application Toolkit (USAT), 3GPP Technical Specification TS 31.111, 2020.
[68]
3rd Generation Partnership Project, Unstructured Supplementary Service Data (USSD) using IP Multimedia (IM) Core Network (CN) subsystem IMS; Stage 3; Release 16, 3GPP Technical Specification TS 24.390, 2020.
[69]
3rd Generation Partnership Project, IP Multimedia Subsystem (IMS) Media Plane Security; Release 16, 3GPP Technical Specification TS 33.328, 2021.
[70]
3rd Generation Partnership Project, Technical Specification Group Core Network and Terminals; InterWorking Function (IWF) between MAP based and Diameter based interfaces (Release 17), 3GPP Technical Specification TS 29.305, 2022.
[71]
G. Geng, G. Xu, M. Zhang, Y. Guo, G. Yang, C. Wei, The design of SMS based heterogeneous mobile botnet, JCP 7 (1) (2012) 235–243.
[72]
Y. Go, J. Won, D.F. Kune, E. Jeong, Y. Kim, K. Park, Gaining control of cellular traffic accounting by spurious TCP retransmission, Network and Distributed System Security (NDSS) Symposium 2014, Internet Society, 2014, pp. 1–15.
[73]
I. Goldberg, D. Wagner, L. Green, The real-time cryptanalysis of A5/2, Rump Session of Crypto 99 (1999) 16.
[74]
N. Golde, K. Redon, R. Borgaonkar, Weaponizing femtocells: the effect of rogue devices on mobile telecommunications, NDSS, 2012.
[75]
N. Golde, K. Redon, J.-P. Seifert, Let me answer that for you: exploiting broadcast information in cellular networks, Presented as Part of the 22nd USENIX Security Symposium (USENIX Security 13), 2013, pp. 33–48.
[76]
J.D. Golić, Cryptanalysis of alleged A5 stream cipher, International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 1997, pp. 239–255.
[77]
I. Gomez-Miguelez, A. Garcia-Saavedra, P.D. Sutton, P. Serrano, C. Cano, D.J. Leith, srsLTE: an open-source platform for LTE evolution and experimentation, Proceedings of the Tenth ACM International Workshop on Wireless Network Testbeds, Experimental Evaluation, and Characterization, 2016, pp. 25–32.
[78]
C. Goodwin, Why Sideload? User behaviours, interactions and accessibility issues around mobile app installation, Proceedings of the 33rd International BCS Human Computer Interaction Conference 33, 2020, pp. 27–30.
[79]
GSM Association, 2018IR.34 guidelines for IPX provider networks https://www.gsma.com/newsroom/wp-content/uploads//IR.34-v14.0-3.pdf [Online] Accessed: 2020-03-15
[80]
GSM Association, 2019Mobile telecommunications security threat landscape 2020 https://www.gsma.com/security/resources/mobile-telecommunications-security-threat-landscape-report/ [Online] Accessed: 2020-09-15
[81]
M. Handley, H. Schulzrinne, E. Schooler, J. Rosenberg, SIP: Session Initiation Protocol, RFC 2543, 1999.
[82]
Harries, J., Mayer, D., 2021LightBasin: a roaming threat to telecommunications companies https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/ [Online] Published on: October 19, 2021
[83]
R. Hasan, S. Myagmar, A.J. Lee, W. Yurcik, Toward a threat model for storage systems, Proceedings of the 2005 ACM workshop on Storage security and survivability, 2005, pp. 94–102.
[84]
Hau, B., Lee, T., Homan, J., 2015SYNful knock-a Cisco router implant-Part I https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html [Online] Accessed: 2020-03-15
[85]
Hex, P., 2020Part 1: free unlimited internet trick DNS settings for all ISPs in the world https://www.techfoe.com/2020/10/part-1-free-unlimited-internet-trick.html [Online] Accessed: 2022-01-10
[86]
S. Holtmanns, I. Oliver, SMS and one-time-password interception in LTE networks, 2017 IEEE International Conference on Communications (ICC), IEEE, 2017, pp. 1–6.
[87]
S. Holtmanns, S.P. Rao, I. Oliver, User location tracking attacks for LTE networks using the interworking functionality, 2016 IFIP Networking conference (IFIP Networking) and workshops, IEEE, 2016, pp. 315–322.
[88]
B. Hong, S. Bae, Y. Kim, GUTI reallocation demystified: Cellular location tracking with changing temporary identifier, NDSS, 2018.
[89]
H. Hong, H. Choi, D. Kim, H. Kim, B. Hong, J. Noh, Y. Kim, When cellular networks met IPv6: Security problems of middleboxes in IPv6 cellular networks, 2017 IEEE European Symposium on Security and Privacy (EuroS&P), IEEE, 2017, pp. 595–609.
[90]
Internet Engineering Task Force (IETF), 2022Secure telephone identity revisited (STIR) https://datatracker.ietf.org/wg/stir/about/ [Online] Accessed: 2022-01-10
[91]
W. Jack, T. Suri, Mobile Money: The Economics of M-PESA, Technical Report, National Bureau of Economic Research, 2011.
[92]
K. Jensen, T. Van Do, H.T. Nguyen, A. Arnes, Better protection of SS7 networks with machine learning, 2016 6th International Conference on IT Convergence and Security (ICITCS), IEEE, 2016, pp. 1–7.
[93]
K. Jia, C. Rechberger, X. Wang, Green Cryptanalysis: Meet-in-the-Middle key-Recovery for the Full KASUMI Cipher, Report 466, International Association for Cryptologic Research (IACR), Cryptology ePrint Archive, 2011.
[94]
Jordan, S., Lee, M., 2015Not so securus: massive hack of 70 million prisoner phone calls indicates violations of attorney-client privilege https://theintercept.com/2015/11/11/securus-hack-prison-phone-company-exposes-thousands-of-calls-lawyers-and-clients/ [Online] Accessed: 2020-03-15
[95]
R.P. Jover, Security attacks against the availability of LTE mobility networks: overview and research directions, 2013 16th International Symposium on Wireless Personal Multimedia Communications (WPMC), IEEE, 2013, pp. 1–9.
[96]
Jover, R. P., 2016LTE security, protocol exploits and location tracking experimentation with low-cost software radio arXiv preprint arXiv:1607.05171.
[97]
M. Kacer, P. Langlois, SS7 Attacker Heaven Turns into Riot: How to make Nation-State and Intelligence Attackers Lives Much Harder on Mobile Networkss, BlackHat, USA, 2017.
[98]
G. Kambourakis, C. Kolias, S. Gritzalis, J.H. Park, DoS attacks exploiting signaling in UMTS and IMS, Comput. Commun. 34 (3) (2011) 226–235.
[99]
Kaspersky Lab Report, 2014The Regin Platform: Nation-State Ownage of GSM Networks https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07185213/Kaspersky_Telecom_Threats_2016.pdf [Online] Accessed: 2020-03-15
[100]
A.D. Keromytis, A comprehensive survey of voice over ip security research, IEEE Commun. Surv. Tutor. 14 (2) (2011) 514–537.
[101]
R. Khan, P. Kumar, D.N.K. Jayakody, M. Liyanage, A survey on security and privacy of 5G technologies: potential solutions, recent advancements, and future directions, IEEE Commun. Surv. Tutor. 22 (1) (2019) 196–248.
[102]
V. Khatri, J. Abendroth, Mobile guard demo: network based malware detection, 2015 IEEE Trustcom/BigDataSE/ISPA, Vol. 1, IEEE, 2015, pp. 1177–1179.
[103]
Kho, S., Kuiters, R., 2014Hitb Conference: On Her Majesty’s Secret Service - GRX & A Spy AgencyAccessed: 2021-11-24
[104]
M. Khosroshahy, D. Qiu, M.K.M. Ali, Botnets in 4G cellular networks: Platforms to launch DDoS attacks against the air interface, 2013 International Conference on Selected Topics in Mobile and Wireless Networking (MoWNeT), IEEE, 2013, pp. 30–35.
[105]
H. Kim, D. Kim, M. Kwon, H. Han, Y. Jang, D. Han, T. Kim, Y. Kim, Breaking and fixing volte: exploiting hidden data channels and mis-implementations, Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, pp. 328–339.
[106]
H. Kim, J. Lee, E. Lee, Y. Kim, Touching the untouchables: dynamic security analysis of the LTE control plane, 2019 IEEE Symposium on Security and Privacy (SP), IEEE, 2019, pp. 1153–1168.
[107]
S. Kim, B. Koo, H. Kim, Tracking location information of volte phones, 2015 International Conference on Computational Science and Computational Intelligence (CSCI), IEEE, 2015, pp. 703–708.
[108]
[109]
Kocialkowski, P., 2014Replicant developers find and close Samsung Galaxy backdoor https://www.fsf.org/blogs/community/replicant-developers-find-and-close-samsung-galaxy-backdoor [Online] Accessed: 2019-12-30
[110]
K. Kohls, D. Rupprecht, T. Holz, C. Pöpper, Lost traffic encryption: fingerprinting LTE/4G traffic on layer two, Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks, 2019, pp. 249–260.
[111]
Kotapati, K., 2008Assessing security of mobile telecommunication networks.
[112]
B. Kotte, S. Holtmanns, S. Rao, Detach Me Not–DoS Attacks Against 4G Cellular users Worldwide from Your Desk, blackhat Europe 2016, 2016.
[113]
R. Kuhne, G. Huitema, G. Carle, Charging and billing in modern communications networks–a comprehensive survey of the state of the art and future requirements, IEEE Commun. Surv. Tutor. 14 (1) (2011) 170–192.
[114]
Kune, D. F., Koelndorfer, J., Hopper, N., Kim, Y., 2012Location leaks on the GSM air interfaceISOC NDSS (Feb 2012).
[115]
Kurtz, G., Alperovitch, D., 2012Hacking exposed: mobile rat edition http://docs.huihoo.com/rsaconference/usa-2012/Hacking-Exposed-Mobile-RAT-Edition.pdf [Online] Accessed: 2022-01-10
[116]
Langlois, P., 2009SCTPscan: SCTP network and port scanner https://www.p1sec.com/corp/research/tools/sctpscan/ [Online] Accessed: 2020-03-31
[117]
Lee, K., Kaiser, B., Mayer, J., Narayanan, A., 2020An empirical study of wireless carrier authentication for SIM swaps
[118]
Lee, M., Moltke, H., 2019Everybody does it: the messy truth about infiltrating computer supply chains https://theintercept.com/2019/01/24/computer-supply-chain-attacks/ [Online] Published on: Jun 24, 2019
[119]
P.P. Lee, T. Bu, T. Woo, On the detection of signaling dos attacks on 3G/WiMax wireless networks, Comput. Netw. 53 (15) (2009) 2601–2616.
[120]
Leong, R., Perez, D., Dean, T., 2019MESSAGETAP: whos reading your text messages? https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html [Online] Accessed: 2020-03-31
[121]
W.K. Leong, A. Kulkarni, Y. Xu, B. Leong, Unveiling the hidden dangers of public ip addresses in 4G/LTE cellular data networks, Proceedings of the 15th Workshop on Mobile Computing Systems and Applications, 2014, pp. 1–6.
[122]
C.-Y. Li, C.-C. Huang, F. Lai, S.-L. Lee, J. Wu, A comprehensive overview of government hacking worldwide, IEEE Access 6 (2018) 55053–55073.
[123]
C.-Y. Li, G.-H. Tu, C. Peng, Z. Yuan, Y. Li, S. Lu, X. Wang, Insecurity of voice solution volte in LTE mobile networks, Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, pp. 316–327.
[124]
V.G. Li, M. Dunn, P. Pearce, D. McCoy, G.M. Voelker, S. Savage, Reading the tea leaves: a comparative analysis of threat intelligence, 28th USENIX Security Symposium (USENIX) Security 19), 2019, pp. 851–867.
[125]
M. Lichtman, R.P. Jover, M. Labib, R. Rao, V. Marojevic, J.H. Reed, LTE/LTE-a jamming, spoofing, and sniffing: threat assessment and mitigation, IEEE Commun. Mag. 54 (4) (2016) 54–61.
[126]
M. Lichtman, J.H. Reed, T.C. Clancy, M. Norton, Vulnerability of LTE to hostile interference, 2013 IEEE Global Conference on Signal and Information Processing, Ieee, 2013, pp. 285–288.
[127]
S. Lindskog, A. Brunstrom, An end-to-end security solution for SCTP, 2008 Third International Conference on Availability, Reliability and Security, IEEE, 2008, pp. 526–531.
[128]
B. Marczak, J. Scott-Railton, The Million Dollar Dissident: NSO Groups iPhone Zero-Days used Against a UAE Human Rights Defender, The Citizen Lab, 2016.
[129]
B. Marczak, J. Scott-Railton, S. McKune, B. Abdul Razzak, R. Deibert, HIDE AND SEEK: Tracking NSO Groups Pegasus Spyware to Operations in 45 Countries, Technical Report, 2018.
[130]
S. Mashukov, Diameter security: an auditor’s viewpoint, J. ICT Stand. 5 (1) (2017) 53–68.
[131]
J. Matherly, Complete Guide to Shodan, Vol. 1, Shodan, 2015.
[132]
Mehra, K., Evans, J. F., Sexson, J., 2019Contextual signaling system 7 (SS7) firewall and associated method of useUS Patent App. 16/242,630
[133]
Mende, D., Rey, E., 2011Practical security research on 3G and 4G mobile telecommunications networksAccessed: 2020-03-31
[134]
U. Meyer, S. Wetzel, A man-in-the-middle attack on UMTS, Proceedings of the 3rd ACM workshop on Wireless Security, 2004, pp. 90–97.
[135]
U. Meyer, S. Wetzel, On the impact of GSM encryption and man-in-the-middle attacks on the security of interoperating GSM/UMTS networks, 2004 IEEE 15th International Symposium on Personal, Indoor and Mobile Radio Communications (IEEE Cat. No. 04TH8754), Vol. 4, IEEE, 2004, pp. 2876–2883.
[136]
N. Miramirkhani, O. Starov, N. Nikiforakis, Dial one for scam: analyzing and detecting technical support scams, 22nd Annual Network and Distributed System Security Symposium (NDSS, Vol. 16, 2016.
[137]
K.D. Mitnick, W.L. Simon, The Art of Deception: Controlling the Human Element Of security, John Wiley & Sons, 2003.
[138]
C. Mulliner, R. Borgaonkar, P. Stewin, J.-P. Seifert, SMS-based one-time passwords: attacks and defense, International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Springer, 2013, pp. 150–159.
[139]
Nakarmi, P. K., 2021Cheatsheets for authentication and key agreements in 2G, 3G, 4G, and 5G arXiv preprint arXiv:2107.07416.
[140]
Nasser, Y., 2019Gotta catch ‘Em all: Understanding how IMSI-catchers exploit cell networks https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks#Spoofing [Online] Accessed: 2020-03-15
[141]
Nexusguard, 2020Threat report: online gaming is a hotbed for DDoS attacks https://www.nexusguard.com/hubfs/2020Q3_Threat%20Report_Final.pdf [Online] Accessed: 2021-09-29
[142]
K. Nohl, Rooting SIM cards, BlackHat Briefings (2013).
[143]
K. Nohl, Mobile self-defense, 31st Chaos Communication Congress 31C3, 2014.
[144]
K. Nohl, L. Melette, Defending mobile phones, The 28th Chaos Communication Congress, 2011.
[145]
K. Nohl, L. Melette, GPRS intercept: wardriving your country, Chaos Communications Camp 2011, 2011, 2011.
[146]
J.R. Nurse, O. Buckley, P.A. Legg, M. Goldsmith, S. Creese, G.R. Wright, M. Whitty, Understanding insider threat: a framework for characterising attacks, 2014 IEEE Security and Privacy Workshops, IEEE, 2014, pp. 214–228.
[147]
P. OHanlon, R. Borgaonkar, WiFi-based IMSI catcher, Proccedings of the Black Hat Europe 2016 Conference, London, 3rd November, Vol. 2016, 2016.
[148]
Pancevski, B., 2020U.S. officials say Huawei can covertly access telecom networks https://www.wsj.com/articles/u-s-officials-say-huawei-can-covertly-access-telecom-networks-11581452256 [Online] Accessed: 2021-09-29
[149]
S. Park, A. Shaik, R. Borgaonkar, J.-P. Seifert, Anatomy of commercial IMSI catchers and detectors, Proceedings of the 18th ACM Workshop on Privacy in the Electronic Society, ACM, 2019, pp. 74–86.
[150]
Pegg, D., Cutler, S., 2021What is Pegasus spyware and how does it hack phones? https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones [Online] Published on: July 18, 2021
[151]
A. Peltonen, R. Sasse, D. Basin, A comprehensive formal analysis of 5G handover, 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, ACM, 2021.
[152]
C. Peng, C.-y. Li, G.-H. Tu, S. Lu, L. Zhang, Mobile data charging: new attacks and countermeasures, Proceedings of the 2012 ACM Conference on Computer and Communications Security, ACM, 2012, pp. 195–204.
[153]
Positive Technologies, 2017Threats to packet core security of 4G networks https://positive-tech.com/research/epc-research/#Fraud [Online] Accessed: 2020-03-15
[154]
Positive Technologies, 2018Diameter vulnerabilities in the spotlight https://positive-tech.com/research/diameter-2018/ [Online] Accessed: 2020-03-31
[155]
Positive Technologies, 2021Rootkits: evolution and detection methods https://www.ptsecurity.com/upload/corporate/ww-en/analytics/PT_Rootkit_ENG.pdf [Online] Published on: November 3, 2021
[156]
K. Puzankov, Hidden agendas: bypassing GSMA recommendations on SS7 networks, Hack In The Box Conference, 2019.
[157]
S. Puzankov, Stealthy SS7 attacks, J. ICT Stand. 5 (1) (2017) 39–52.
[158]
Puzankov, S., Kurbatov, D., 2014How to intercept a conversation held on the other side of the planetPHDays (August 2014), http://2014.phdays.com/program/tech/36930.
[159]
Qing, Z., Guangdong, B., 20173G/4G Intranet scanning and its application on the wormhole vulnerability https://www.blackhat.com/docs/asia-17/materials/asia-17-Bai-3G-4G-Intranet-Scanning-And-Its-Application-On-The-WormHole-Vulnerability.pdf [Online] Published on: March 31, 2017
[160]
R. Rajavelsamy, M. Choudhary, D. Das, A review on evolution of 3GPP systems interworking with WLAN, J. ICT Stand. (2015) 133–156.
[161]
R.M. Rao, S. Ha, V. Marojevic, J.H. Reed, LTE PHY layer vulnerability analysis and testing using open-source SDR tools, MILCOM 2017-2017 IEEE Military Communications Conference (MILCOM), IEEE, 2017, pp. 744–749.
[162]
Rao, S., Holtmanns, S., Oliver, I., Aura, T., 2016a. The known unknowns of SS7 and beyond https://ernw.de/download/TSD2016_Known_Unknowns_of_SS7.pdf [Online]
[163]
Rao, S. P., 2015Analysis and mitigation of recent attacks on mobile communication backend.
[164]
S.P. Rao, S. Holtmanns, I. Oliver, T. Aura, Unblocking stolen mobile devices using SS7-MAP vulnerabilities: Exploiting the relationship between IMEI and IMSI for EIR access, 2015 IEEE Trustcom/BigDataSE/ISPA, Vol. 1, IEEE, 2015, pp. 1171–1176.
[165]
S.P. Rao, B.T. Kotte, S. Holtmanns, Privacy in LTE networks, Proceedings of the 9th EAI International Conference on Mobile Multimedia Communications, 2016, pp. 176–183.
[166]
F. Ricciato, A. Coluccia, A. DAlconzo, A review of DoS attack models for 3G cellular networks from a system-design perspective, Comput. Commun. 33 (5) (2010) 551–558.
[167]
J. Robertson, M. Riley, The Big Hack: How China Used a Tiny Chip to Infiltrate US Companies, Vol. 4 (2018).
[168]
Rose, S. W., Borchert, O., Mitchell, S., Connelly, S., 2020Zero trust architecture.
[169]
P. Rost, A. Banchs, I. Berberana, M. Breitbach, M. Doll, H. Droste, C. Mannweiler, M.A. Puente, K. Samdanis, B. Sayadi, Mobile network architecture evolution toward 5G, IEEE Commun. Mag. 54 (5) (2016) 84–91.
[170]
Roth, J., Tummala, M., McEachen, J., Scrofani, J., 2017Location privacy in LTE: a case study on exploiting the cellular signaling plane’s timing advance.
[171]
D. Rupprecht, A. Dabrowski, T. Holz, E. Weippl, C. Pöpper, On security research towards future mobile network generations, IEEE Commun. Surv. Tutor. 20 (3) (2018) 2518–2542.
[172]
D. Rupprecht, K. Jansen, C. Pöpper, Putting LTE security functions to the test: a framework to evaluate implementation correctness, 10th USENIX Workshop on Offensive Technologies (WOOT 16), 2016.
[173]
D. Rupprecht, K. Kohls, T. Holz, C. Pöpper, Breaking LTE on layer two, 2019 IEEE Symposium on Security and Privacy (SP), IEEE, 2019, pp. 1121–1136.
[174]
D. Rupprecht, K. Kohls, T. Holz, C. Pöpper, Call me maybe: Eavesdropping encrypted LTE calls with ReVoLTE, 29th USENIX Security Symposium (USENIX Security 20), 2020, pp. 73–88.
[175]
D. Rupprecht, K. Kohls, T. Holz, C. Pöpper, IMP4GT: impersonation attacks in 4G networks, ISOC Network and Distributed System Security Symposium (NDSS), ISOC, 2020.
[176]
M. Sahin, A. Francillon, P. Gupta, M. Ahamad, SoK: fraud in telephony networks, 2017 IEEE European Symposium on Security and Privacy (EuroS&P), IEEE, 2017, pp. 235–250.
[177]
SANS Institute: Global Information Assurance Certification Paper, 2002. Stealth port scanning methods. https://www.giac.org/paper/gsec/1985/stealth-port-scanning-methods/103446 [Online] Accessed: 2022-01-10
[178]
Scahill, J., Begley, J., 2015. The great SIM heist: how spies stole the keys to the encryption castle [Online]. The Intercept, Accessed: 2020-03-15.
[179]
R. Schlegel, S. Obermeier, J. Schneider, Structured system threat modeling and mitigation analysis for industrial automation systems, 2015 IEEE 13th International Conference on Industrial Informatics (INDIN), IEEE, 2015, pp. 197–203.
[180]
Selin, J., 2019. Evaluation of threat modeling methodologies.
[181]
H. Sengar, D. Wijesekera, S. Jajodia, MTPSec: customizable secure MTP3 tunnels in the SS7 network, 19th IEEE International Parallel and Distributed Processing Symposium, IEEE, 2005, pp. 8–pp.
[182]
Shaik, A., Borgaonkar, R., Asokan, N., Niemi, V., Seifert, J.-P., 2015. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. arXiv preprint arXiv:1510.07563.
[183]
A. Shaik, R. Borgaonkar, N. Asokan, V. Niemi, J.-P. Seifert, Practical attacks against privacy and availability in 4G/LTE mobile communication systems, 23rd Annual Network and Distributed System Security Symposium (NDSS 2016), Internet Society, 2016.
[184]
A. Shostack, Threat Modeling: Designing for Security, John Wiley & Sons, 2014.
[185]
D. Sisalem, J. Kuthan, S. Ehlert, Denial of service attacks targeting a SIP VoIP infrastructure: attack scenarios and prevention mechanisms, IEEE Netw. 20 (5) (2006) 26–31.
[186]
P. Snyder, P. Doerfler, C. Kanich, D. McCoy, Fifteen minutes of unwanted fame: detecting and characterizing doxing, Proceedings of the 2017 Internet Measurement Conference, 2017, pp. 432–444.
[187]
C. Spensky, J. Stewart, A. Yerukhimovich, R. Shay, A. Trachtenberg, R. Housley, R.K. Cunningham, SoK: privacy on mobile devices—it's complicated, Proc. Privacy Enhancing Technol. 2016 (3) (2016) 96–116.
[188]
Spiegel International, 2014. Inside TAO: Documents reveal top NSA hacking unit. http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html [Online] Accessed: 2022-01-10
[189]
B.E. Strom, A. Applebaum, D.P. Miller, K.C. Nickels, A.G. Pennington, C.B. Thomas, MITRE ATT&CK: Design and Philosophy, Technical report, 2018.
[190]
B.E. Strom, J.A. Battaglia, M.S. Kemmerer, W. Kupersanin, D.P. Miller, C. Wampler, S.M. Whitley, R.D. Wolf, Finding Cyber Threats with ATT&CK-Based Analytics, Technical Report MTR170202, MITRE, 2017.
[191]
S.-T. Sun, A. Cuadros, K. Beznosov, Android rooting: methods, detection, and evasion, Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, 2015, pp. 3–14.
[192]
The MITRE Corporation, 2019a. MITRE ATT&CK Adversary groups. https://attack.mitre.org/groups/ [Online] Accessed: 2020-04-04
[193]
The MITRE Corporation, 2019b. MITRE ATT&CK: Credential Access. https://attack.mitre.org/tactics/TA0006/ [Online] Accessed: 2020-04-04
[194]
The MITRE Corporation, 2022. MITRE ATT&CK: Capture SMS Messages. https://attack.mitre.org/techniques/T1412/ [Online] Accessed: 2022-01-10
[195]
F. Toffalini, M. Abbà, D. Carra, D. Balzarotti, Google dorks: analysis, creation, and new defenses, International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Springer, 2016, pp. 255–275.
[196]
W. Tounsi, H. Rais, A survey on technical threat intelligence in the age of sophisticated cyber attacks, Comput. Secur. 72 (2018) 212–233.
[197]
P. Traynor, W. Enck, P. McDaniel, T. La Porta, Mitigating attacks on open functionality in SMS-capable cellular networks, IEEE/ACM Trans. Netw. 17 (1) (2008) 40–53.
[198]
P. Traynor, M. Lin, M. Ongtang, V. Rao, T. Jaeger, P. McDaniel, T. La Porta, On cellular botnets: measuring the impact of malicious devices on a cellular network core, Proceedings of the 16th ACM Conference on Computer and Communications Security, 2009, pp. 223–234.
[199]
G.-H. Tu, C.-Y. Li, C. Peng, Y. Li, S. Lu, New security threats caused by IMS-based SMS service in 4G LTE networks, Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 1118–1130.
[200]
H. Tu, A. Doupé, Z. Zhao, G.-J. Ahn, SoK: everyone hates robocalls: a survey of techniques against telephone spam, 2016 IEEE Symposium on Security and Privacy (SP), IEEE, 2016, pp. 320–338.
[201]
Tung, L., 2014. Hackers access 800,000 orange customers data. https://www.zdnet.com/article/hackers-access-800000-orange-customers-data/ [Online] Accessed: 2020-03-15
[202]
K. van Rijsbergen, The Effectiveness of a Homemade IMSI Catcher Build with YateBTS and a BladeRF, University of Amsterdam, 2016.
[203]
E. Vanrykel, G. Acar, M. Herrmann, C. Diaz, Leaky birds: exploiting mobile application traffic for surveillance, International Conference on Financial Cryptography and Data Security, Springer, 2016, pp. 367–384.
[204]
Z. Wang, Z. Qian, Q. Xu, Z. Mao, M. Zhang, An untold story of middleboxes in cellular networks, ACM SIGCOMM Comput. Commun. Rev. 41 (4) (2011) 374–385.
[205]
D. Webb, Echelon and the NSA, Cyber Warfare and Cyber Terrorism, IGI Global, 2007, pp. 453–468.
[206]
R.-P. Weinmann, Baseband attacks: remote exploitation of memory corruptions in cellular protocol stacks, WOOT, 2012, pp. 12–21.
[207]
H. Welte, S. Markgraf, Running your own GSM stack on a phone, 27th Chaos Communication Congress (27C3), 2010.
[208]
O. Whitehouse, G. Murphy, Attacks and Counter Measures in 2.5G and 3G Cellular IP Networks, Atstake Inc., 2004.
[209]
T. Wu, G. Gong, The weakness of integrity protection for LTE, Proceedings of the Sixth ACM Conference on Security and Privacy in Wireless and Mobile Networks, 2013, pp. 79–88.
[210]
C. Xenakis, Malicious actions against the GPRS technology, J. Comput. Virol. 2 (2) (2006) 121–133.
[211]
C. Xenakis, Security measures and weaknesses of the GPRS security architecture, IJ Netw. Secur. 6 (2) (2008) 158–169.
[212]
J. Xiao, X. Wang, Q. Guo, H. Long, S. Jin, Analysis and evaluation of jammer interference in LTE, Proceedings of the Second International Conference on Innovative Computing and Cloud Computing, 2013, pp. 46–50.
[213]
C. Yu, S. Chen, Z. Cai, LTE phone number catcher: a practical attack against mobile privacy, Secur. Commun. Netw. 2019 (2019).
[214]
Y. Zeng, K.G. Shin, X. Hu, Design of SMS commanded-and-controlled and P2P-structured mobile botnets, Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks, 2012, pp. 137–148.
[215]
R. Zhang, X. Wang, X. Yang, X. Jiang, Billing attacks on SIP-based VoIP systems, WOOT 7 (2007) 1–8.
[216]
W. Zhang, H. Shan, LTE redirection: Forcing targeted LTE cellphone into unsafe network, Proc. Defcon, 2016.

Published In

Computers and Security  Volume 125, Issue C
Feb 2023
499 pages

Publisher

Elsevier Advanced Technology Publications

United Kingdom

Publication History

Published: 01 February 2023

Author Tags

  1. Threat modeling
  2. Security framework
  3. Mobile communication

Qualifiers

  • Research-article
