Network Effects

The adversary is trying to intercept or manipulate network traffic to or from a device.

This category refers to network-based techniques that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself. These include techniques to intercept or manipulate network traffic to and from the mobile device.

ID: TA0038
Created: 17 October 2018
Last Modified: 27 January 2020


Techniques: 9
ID Name Description
T1466 Downgrade to Insecure Protocols An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate. Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.
T1439 Eavesdrop on Insecure Network Communication If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.
T1449 Exploit SS7 to Redirect Phone Calls/SMS An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication.
T1450 Exploit SS7 to Track Device Location An adversary could exploit signaling system vulnerabilities to track the location of mobile devices.
T1464 Jamming or Denial of Service An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating.
T1463 Manipulate Device Communication If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to adversary-in-the-middle attacks .
T1467 Rogue Cellular Base Station An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique.
T1465 Rogue Wi-Fi Access Points An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication.
T1451 SIM Card Swap An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account. The adversary could then obtain SMS messages or hijack phone calls intended for someone else.