Mobile Threat Catalogue

Mobile Threat Catalogue Overview

The MTC captures a broad range of the threats posed to mobile devices and their associated infrastructure. The following sections describe the methodology used to create the catalogue, the category breakdown, and the description of each category.

Methodology

NCCoE’s mobile security engineers performed a foundational review of mobile security literature in order to identify the major categories of mobile threats. Building on this knowledge, threats were identified using a modified NIST SP 800-30 Rev. 1 risk assessment process. The primary reason for modifying the process was the lack of a specific information system under review: no single mobile deployment was assessed; instead, the threats posed to foundational mobile technologies were analyzed. Therefore, key risk information required by NIST SP 800-30 Rev. 1, such as likelihood, impact, and overall risk, was unavailable and is not included. Threats were identified in communication mechanisms, in the mobile supply chain, and at each level of the mobile device technology stack. These threats were then placed into threat categories alongside information on specific instantiations of each threat.

During the threat identification process, it was also necessary to decide which associated systems would be included and which mitigation capabilities apply. The mitigation capabilities are drawn from the mobile security literature review and from submissions received in response to the request for information on mobile threats and defenses, which supports the congressional study on mobile device security. A broad scope was used in an effort to be comprehensive. The threats listed in the catalogue are sector-agnostic; for instance, threats specific to the use of mobile devices in a medical setting are not included. The one exception is threats pertaining to the telecommunications industry, since by definition these include threats to cellular networks and infrastructure.

Catalogue Structure

Threats are presented in categories and subcategories within the catalogue. NIST SP 800-30 Rev. 1 defines a threat as “any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service”. For each threat identified within our analysis, the following information is provided:

CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known information security vulnerabilities and exposures.

Category Descriptions

There are 12 tabs within the MTC, each representing a general threat category, with subcategories defined as necessary.

Mobile Device Technology Stack

The mobile device technology stack consists of the hardware, firmware, and software used to host and operate the mobile device.

Cellular

Threats exist to a number of cellular systems; these are broken into the following subcategories:

LAN & PAN

This threat category consists of local and personal area wireless network technologies.

GPS

A network of orbiting satellites used to help a device determine its location.

Authentication

Authentication mechanisms are grouped within the three subcategories listed below. Individual credential and token types are not broken into their own categories and are instead included within one of these three broad categories.

Supply Chain

This category includes threats related to the device and component supply chain. To the extent that they are included, software-supply-chain threats are noted within the Exploitation of Vulnerabilities in Applications category.

Physical Access

This category includes general threats originating from outside of the device, such as device loss and malicious charging stations.

Ecosystem

This category includes threats related to the greater mobile ecosystem, which comprises a number of components, including EMMs, mobile OS vendor infrastructure, and mobile enterprise services such as email, contacts, and calendar.

Enterprise Mobility

This threat category comprises enterprise mobility management systems and threats to enterprise services.

Payment

Threats related to mobile payments are included within this category, covering a variety of mobile payment technologies such as USSD, NFC-based payments, and credit card tokenization. Although general threats relating to USSD and NFC are included elsewhere, threats relating to payment-specific use cases are captured here.