TA0038 Network Effects
The adversary is trying to intercept or manipulate network traffic to or from a device.
This category refers to network-based techniques that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself. These include techniques to intercept or manipulate network traffic to and from the mobile device.
| | |
|---|---|
| Created | 17 October 2018 |
| Last Modified | 27 January 2020 |
| ID | Name | Description |
|---|---|---|
| T1466 | Downgrade to Insecure Protocols | An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate. Use of less secure protocols may make communication easier to eavesdrop upon or manipulate. |
| T1439 | Eavesdrop on Insecure Network Communication | If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication. |
| T1449 | Exploit SS7 to Redirect Phone Calls/SMS | An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication. |
| T1450 | Exploit SS7 to Track Device Location | An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. |
| T1464 | Jamming or Denial of Service | An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating. |
| T1463 | Manipulate Device Communication | If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability, potentially opening the applications' network traffic to adversary-in-the-middle attacks. |
| T1467 | Rogue Cellular Base Station | An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique. |
| T1465 | Rogue Wi-Fi Access Points | An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication. |
| T1451 | SIM Card Swap | An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account. The adversary could then obtain SMS messages or hijack phone calls intended for someone else. |