1 Draft NISTIR 8144 2 Assessing Threats to 3 Mobile Devices & Infrastructure 4 The Mobile Threat Catalogue 5 Christopher Brown 6 Spike Dog 7 Joshua M Franklin 8 Neil McNab 9 Sharon Voss-Northrop 10 Michael Peck 11 Bart Stidham 12 13 14 15 16 17 18 19 Draft NISTIR 8144 20 Assessing Threats to 21 Mobile Devices & Infrastructure 22 The Mobile Threat Catalogue 23 Joshua M Franklin 24 National Cybersecurity Center of Excellence 25 National Institute of Standards and Technology 26 27 Christopher Brown 28 Spike Dog 29 Neil McNab 30 Sharon Voss-Northrop 31 Michael Peck 32 The MITRE Corporation 33 McLean, VA 34 35 Bart Stidham 36 STS Mobile 37 38 39 40 September 2016 41 42 43 44 U.S. Department of Commerce 45 Penny Pritzker, Secretary 46 47 National Institute of Standards and Technology 48 Willie May, Under Secretary of Commerce for Standards and Technology and Director 49 National Institute of Standards and Technology Interagency Report 8144 50 50 pages (September 2016) 51 52 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an 53 experimental procedure or concept adequately. Such identification is not intended to imply recommendation or 54 endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best 55 available for the purpose. 56 There may be references in this publication to other publications currently under development by NIST in accordance 57 with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, 58 may be used by federal agencies even before the completion of such companion publications. Thus, until each 59 publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For 60 planning and transition purposes, federal agencies may wish to closely follow the development of these new 61 publications by NIST. 62 Organizations are encouraged to review all draft publications during public comment periods and provide feedback to 63 NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at 64 http://csrc.nist.gov/publications. 65 66 Public comment period: September 12, 2016 through October 12, 2016 67 National Institute of Standards and Technology 68 Attn: Computer Security Division, Information Technology Laboratory 69 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930 70 Email: [email protected] 71 All comments are subject to release under the Freedom of Information Act (FOIA). 72 NISTIR 8144 (DRAFT) ASSESSING THREATS TO MOBILE TECHNOLOGIES 73 Reports on Computer Systems Technology 74 The Information Technology Laboratory (ITL) at the National Institute of Standards and 75 Technology (NIST) promotes the U.S. economy and public welfare by providing technical 76 leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test 77 methods, reference data, proof of concept implementations, and technical analyses to advance the 78 development and productive use of information technology. ITL’s responsibilities include the 79 development of management, administrative, technical, and physical standards and guidelines for 80 the cost-effective security and privacy of other than national security-related information in federal 81 information systems. 82 Abstract 83 Mobile devices pose a unique set of threats, yet typical enterprise protections fail to address the 84 larger picture. In order to fully address the threats presented by mobile devices, a wider view of 85 the mobile security ecosystem is necessary. This document discusses the Mobile Threat 86 Catalogue, which describes, identifies, and structures the threats posed to mobile information 87 systems. 88 89 Keywords 90 cellular security; enterprise mobility; mobility management; mobile; mobile device; mobile 91 security; mobile device management; telecommunications 92 93 94 Acknowledgements 95 The NCCoE and NIST would like to thank Michael Ogata and Andrew Regenscheid of NIST; 96 Vincent Sritapan of the Department of Homeland Security (DHS) Science & Technology 97 Directorate; and Kori Fisk and Mary Yang of MITRE for their contributions to this document. 98 Note to Readers 99 The development of this interagency report and the Mobile Threat Catalogue supports the Study 100 on Mobile Device Security, as a part of the Cybersecurity Act of 2015 - Title IV, Section 401. 101 Mobile threats and mitigations supporting the Congressional Study on Mobile Device Security 102 and the Mobile Threat Catalogue may incorporate submissions from request for information 103 (RFI) – Mobile Threats & Defenses from FedBizOps solicitation number: QTA00NS16SDI0003. 104 Trademark Information 105 All product names are registered trademarks or trademarks of their respective companies. The 106 Bluetooth logo is property of the Bluetooth Special Interest Group (SIG). ii NISTIR 8144 (DRAFT) ASSESSING THREATS TO MOBILE TECHNOLOGIES 107 Table of Contents 108 1 Introduction ............................................................................................................ 1 109 1.1 Purpose .......................................................................................................... 1 110 1.2 Scope .............................................................................................................. 1 111 1.3 Audience ......................................................................................................... 2 112 1.4 Document Structure ........................................................................................ 2 113 1.5 Document Conventions ................................................................................... 2 114 2 Mobile Device & Infrastructure Attack Surface ................................................... 3 115 2.1 Mobile Technology Stack ................................................................................ 3 116 2.2 Communication Mechanisms .......................................................................... 5 117 2.2.1 Subscriber Identity Module (SIM) ......................................................... 5 118 2.2.2 Cellular Air Interface ............................................................................. 6 119 2.2.3 WiFi ...................................................................................................... 6 120 2.2.4 Global Navigation Satellite System (GNSS) ......................................... 7 121 2.2.5 Bluetooth .............................................................................................. 7 122 2.2.6 Near Field Communication (NFC) ........................................................ 7 123 2.2.7 Secure Digital (SD) Card ...................................................................... 7 124 2.2.8 Power & Synchronization Port .............................................................. 8 125 2.3 Supply Chain .................................................................................................. 8 126 2.4 Mobile Ecosystem ........................................................................................... 8 127 2.4.1 Cellular Infrastructure ........................................................................... 9 128 2.4.2 Public Application Stores ...................................................................... 9 129 2.4.3 Private Application Stores .................................................................. 10 130 2.4.4 Device & OS Vendor Infrastructure .................................................... 10 131 2.4.5 Enterprise Mobility Management Systems ......................................... 10 132 2.4.6 Enterprise Mobile Services ................................................................. 10 133 3 Mobile Threat Catalogue ..................................................................................... 11 134 3.1 Methodology ................................................................................................. 11 135 3.2 Catalogue Structure ...................................................................................... 11 136 3.3 Category Descriptions ................................................................................... 12 137 3.3.1 Mobile Device Technology Stack ....................................................... 12 138 3.3.2 Network Protocols, Technologies, and Infrastructure ......................... 13 iii NISTIR 8144 (DRAFT) ASSESSING THREATS TO MOBILE TECHNOLOGIES 139 3.3.3 Authentication ..................................................................................... 14 140 3.3.4 Supply Chain ...................................................................................... 15 141 3.3.5 Physical Access ................................................................................. 15 142 3.3.6 Ecosystem .......................................................................................... 15 143 3.3.7 Enterprise Mobility .............................................................................. 15 144 3.3.8 Payment ............................................................................................. 16 145 3.4 Next Steps .................................................................................................... 16 146 147 List of Appendices 148 Appendix A— Acronyms ............................................................................................ 17 149 Appendix B— References .........................................................................................