Mobile devices pose a unique set of threats to enterprises. Typical enterprise protections, such as isolated enterprise sandboxes and the ability to remote wipe a device, may fail to fully mitigate the security challenges associated with these complex mobile information systems. Accordingly, a set of security controls and countermeasures that address mobile threats in a holistic manner must be identified, necessitating a broader view of the entire mobile security ecosystem. This view must go beyond devices to include, as an example, the cellular networks and cloud infrastructure used to support mobile applications and native mobile services.
NIST Special Publication (SP) 800-53 Rev. 5 defines a mobile device as:
A portable computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable data storage; and is powered on for extended periods of time with a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture (e.g., photograph, video, record, or determine location) information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, tablets, and e-readers.
With this definition in mind, smart phones and tablets running modern mobile operating systems are the primary target of this catalogue. Devices typically classified within the Internet of Things (IoT) category are not included. Although some devices contain capabilities to communicate via the auxiliary port and infrared, these are also excluded from the scope of this effort as they are not common methods of attack.
Cellular networks are prominently featured within the catalogue, and comprise a large portion of this catalogue's information. However, although cellular networks are becoming increasingly intertwined with the internet and private packet switched networks, internet protocol (IP) network security is covered extensively by other resources and not within the scope of this work. Finally, threats specific to the Public Switched Telephone Network (PSTN) are also excluded.
Mobile security engineers and architects can leverage this catalogue to inform risk assessments, build threat models, enumerate the attack surface of their mobile infrastructure, and identify mitigations for their mobile deployments. Other audiences for this catalogue include mobile operating system (OS) developers, device manufacturers, mobile network operators (MNOs) (e.g., carriers), mobile application developers and information system security professionals who are responsible for managing the mobile devices in an enterprise environment.
This catalogue may also be useful when developing enterprise-wide procurement and deployment strategies for mobile devices and when evaluating the risk mobile devices pose to otherwise secure parts of the enterprise. The material in this catalogue is technically oriented, and it is assumed that readers have an understanding of system and network security.
The Mobile Threat Catalogue is based on Draft NISTIR 8144: Assessing Threats to Mobile Devices & Infrastructure.
Additional reading material can be found on the NCCoE Website and NIST SP 800-124 Rev. 2: Guidelines for Managing the Security of Mobile Devices in the Enterprise.