Mobility Threat Modeling — Index

Mobility Threat Modeling — Index

BLUF. This is the published Mobility threat-modeling entry point. The key modeling unit is not “a hostname”; it is a state-changing workflow: SIM/eSIM, port-out, APN, private cellular, IoT/M2M fleet control, CPE/router provisioning, 4G/5G core policy, OSS/BSS, field/edge work orders, and support/vendor actions.

Boundaries and safety

Start here

Need Read
Overall mobility threat-modeling framing Theory_Threat_Model
Mobility methodology 0. Methodology
5G core overview mobility-5g-core
Macro telecom infrastructure model Theory_Macro_Overall
Fiber telecom infrastructure Theory_Fiber_Telecom_Infrastructure
Satellite telecom infrastructure Theory_Satellite_Telecom_Infrastructure
UE / Android / SIM layer Phase2_UE_Android_SIM
RF air interface Phase3_RF_Air_Interface
RRC / NAS signaling Phase3_RRC_NAS_Signaling
Core network / GTP Phase4_Core_Network_GTP
5G-specific topics Phase4_5G_Specific
Open5GS lab index open5gs_lab/00_index
Holistic 4G/5G lab test plan open5gs_lab/17_test_plan_4g_5g_holistic
Site-to-core mobility test plan open5gs_lab/18_test_plan_mobility_site_to_core

Mobility vector index

Vector class Mobility-specific meaning Primary surfaces Safe validation mode Defensive control theme
Unauthenticated or weak-auth network join A device, SIM/eSIM profile, CPE/router, gateway, UE, private-cellular endpoint, partner app, or admin client is allowed onto a network/control plane with weak proof of ownership, stale enrollment, default credentials, weak pairing, weak certificate lifecycle, or over-trusted bearer tokens. IoT/M2M onboarding, CPE/fixed-wireless gateways, managed routers, private cellular SIMs, APN/private-network enrollment, partner/MSP delegated portals, UE/core lab attachment flows. Document review; synthetic tenant; lab UE/core only; authorized test fleet if scoped. Strong device identity, ownership proof, certificate-backed enrollment, tenant-bound tokens, mTLS, least-privilege APN/private-network entitlements, stale-device cleanup.
Subscriber state-change abuse Changing who controls a number, device, SIM/eSIM, port lock, recovery path, billing owner, shipping address, or delegated admin state. Consumer portal/app, support, retail, BPO, business mobility admin, fraud desk. Authorized test account only; tabletop for support paths. Step-up proof independent of affected phone, cooldowns, rollback, dual control, agent/action anomaly detection.
Business delegated-admin abuse A compromised or stale business admin can change many lines, devices, APNs, users, orders, tickets, or services at once. Business wireless portals, delegated admin consoles, reseller/MSP delegation, enterprise APIs. Authorized business tenant review only. RBAC lifecycle, scoped roles, bulk-change approval, high-risk action notifications, delegated admin recertification.
IoT/M2M fleet-control abuse Bulk actions against SIM fleets, device inventory, rate plans, APNs, routers, gateways, fixed wireless, private cellular, or telemetry. IoT control planes, APIs, MSP/reseller access, enterprise admins. Authorized test fleet/device; document/API review; lab simulation. Fleet ownership proof, API token scoping, approval for bulk changes, anomaly detection, per-device lifecycle audit.
API/OAuth token abuse Over-scoped tokens or weak redirect/callback validation allow data access or state-changing automation beyond intended app scope. Developer/API portals, API gateways, partner integrations, web/mobile apps, enterprise automation. Authorized test app or documentation review only. Exact redirect URIs, audience-bound tokens, least-privilege scopes, rotation, consent review, token-use baselines.
Support / BPO / help-desk workflow abuse Human exception handling bypasses technical controls: KBA, supervisor override, callbacks, MFA resets, remote support, or insider-assisted account changes. Call center, chat, IVR, retail, fraud desk, vendor/BPO agent desktops. Tabletop, call-flow documentation review, synthetic scenarios. KBA reduction, voice/device proofing, queue-to-record binding, dual control, session recording, social-engineering analytics.
Vendor / MSP trust pivot Vendor connectivity is treated as internal, allowing compromised vendor identities/endpoints to reach portals, SaaS, edge appliances, OSS/BSS, or data stores. VPN/ZTNA, CCaaS, CRM, MSP portals, cloud data platforms, edge/remote-access appliances. Architecture/log review; no live pivoting. Per-app ZTNA, vendor segmentation, posture checks, telemetry sharing, privileged-access controls, vendor-to-core anomaly detection.
Cloud data export / metadata exposure Valid credentials or service accounts are used to query/export CDRs, location, billing records, support notes, recordings, transcripts, or analytics data. Data warehouses, CRM, BI/ETL, SaaS exports, support recordings. Policy/log review; synthetic data only. Phishing-resistant MFA, service-account hardening, query baselines, DLP on exports, row/column controls, retention minimization.
4G/5G core service-identity weakness Network functions, service discovery, roaming/interconnect, slice lifecycle, UPF/MEC placement, or orchestration trust is too broad or poorly segmented. 4G EPC, IMS/VoLTE/SMS, 5G SBA, NRF/SEPP, UPF/MEC, OSS/BSS, lab Open5GS/UERANSIM. Lab-only or internal architecture review. NF identity, mTLS/cert lifecycle, service authorization, segmentation, signaling controls, blocked-event review.
Legacy residue / migration drift Sunset systems, stale support scripts, stale accounts, migrated customers, 3G/4G exceptions, or old KB assumptions weaken current controls. 3G sunset residue, legacy M2M, old portals, support KBs, decommissioned aliases. Documentation/CMDB/IAM reconciliation. Decommission closure, redirect/alias cleanup, IAM reconciliation, script retirement, legacy exception review.
Emergency / priority workflow manipulation Urgency-driven exceptions can affect priority/preemption, deployables, satellite backup, coverage restoration, or public-safety trust. Public-safety admins, deployables, NDR, field ops, emergency support paths. Tabletop/docs only; no live service impact. Emergency override governance, verified contacts, dual approval, post-action audit, incident comms.
Field / CPE / edge physical-logical bridge Work orders, remote hands, tower/colo/site access, managed CPE, OOB, or edge infrastructure become a bridge between physical operations and network control. Towers, small cells, DAS, fixed-wireless gateways, routers, colocation, remote hands, OOB networks. Passive/docs/internal review only; no physical testing without scope. Work-order validation, badge/site alarm correlation, OOB logging, remote-hands callbacks, separation of duties.
Content / brand / support routing trust abuse Content, PDFs, redirects, KB pages, AI support bots, or vendor-hosted shells route users or agents toward the wrong workflow or leak context. CMS/DAM, support pages, chatbot/RAG, redirects, app links, PDFs. Benign content-integrity review; authorized prompt-safety review if scoped. Canonical domain matrix, redirect governance, content integrity, RAG/tool authZ, transcript controls.

State-change questions to ask for every vector

  1. Who can change state? Customer, business admin, agent, BPO, MSP, API app, network function, field contractor, vendor service account?
  2. What proof authorizes the change? Password, MFA, phone possession, KBA, callback, certificate, token scope, work order, supervisor approval?
  3. What is the blast radius? One subscriber, one enterprise tenant, one IoT fleet, one APN/private network, one region, one network slice, one data warehouse?
  4. What telemetry proves it happened? Portal logs, API logs, agent desktop, call recording, device enrollment, OSS/BSS event, NF log, SIM/eSIM profile event, ticket/work order?
  5. How is it reversed? Rollback, SIM reissue, port recovery, APN restore, credential revocation, token rotation, slice/UPF rollback, customer notification?

Published notes in this folder

Note Updated Tags
0. Methodology 2026-05-14 #methodology, #mobility, #assessment, #Open5GS, #UERANSIM, #srsRAN
Master_Blackbox_UE_to_Node_Test_Plan 2026-05-22 #mobility, #blackbox-testing, #ue, #4g, #5g, #open5gs, #pixel9a, #libresdr
MBX-02_08_App_Interception_Toolkit 2026-06-19 #MBX-02, #MBX-08, #app-security, #frida, #burp-suite, #carrier-apps, #mobile-security, #testing-toolkit
mobility-5g-core 2026-07-05 #threat-modeling, #mobility, #5G, #5G-core, #open5gs, #lab
Phase1_Core_Simulation 2026-05-14 #phase1, #open5gs, #ueransim, #infrastructure
Phase2_UE_Android_SIM 2026-05-14
Phase3_RF_Air_Interface 2026-05-14
Phase3_RRC_NAS_Signaling 2026-05-14
Phase4_5G_Specific 2026-05-14
Phase4_Core_Network_GTP 2026-05-14
proxy-cleanup-incident-2026-05-22 2026-05-22
proxy-cleanup-script 2026-05-22
Reference 2026-05-14
Research_NAS_Fuzzing 2026-05-14 #TelecomSecurity, #5GSecurity, #MobileSecurity, #CyberSecurity, #NetworkSecurity, #Fuzzing, #5G, #telecom-security, #fuzzing, #research, #NAS, #AMF, #SMF, #auth-bypass, #DoS, #red-team, #future-reading
Support_Hardware_Lab_Equipment 2026-06-19 #lab-setup, #equipment, #B210mini, #LibreSDR, #AD9361, #FlipperZero5G, #srsRAN, #pixel9, #5G, #rogue-gNB, #red-team, #setup-guide
Support_Hardware_Pixel9 2026-06-19 #pixel9, #android, #rooting, #mobile-security, #5G, #NAS, #modem-logging, #red-team, #setup-guide
Theory_Fiber_Telecom_Infrastructure 2026-05-14 #threat-modeling, #telecom, #fiber, #transport, #backhaul, #infrastructure
Theory_Macro_Overall 2026-05-14
Theory_Satellite_Telecom_Infrastructure 2026-05-22 #threat-modeling, #telecom, #satellite, #leo, #resilience, #backhaul
Theory_Threat_Model 2026-05-22 #threat-modeling, #mobility, #5G, #4G-LTE, #telecom, #assessment, #STRIDE
00_index 2026-05-14
01_4g_lte_fundamentals 2026-05-14
02_5g_nsa_architecture 2026-06-19
03_5g_sa_architecture 2026-05-14
04_lab_4g_epc_docker 2026-05-14
05_lab_5g_nsa_docker 2026-05-14
06_lab_5g_sa_docker 2026-05-14
07_kubernetes_deployment 2026-05-14
08_threat_model_4g 2026-06-19
09_threat_model_5g 2026-05-14
10_threat_model_k8s_telecom 2026-06-19
11_real_world_ss7_signaling 2026-05-14
12_real_world_sim_identity 2026-06-19
13_real_world_sms_malware 2026-06-19
14_real_world_apt_mobile_ops 2026-06-19 #StopRansomware
15_real_world_attack_matrix 2026-05-14
16_android_cell_analysis 2026-05-14
17_test_plan_4g_5g_holistic 2026-06-19
18_test_plan_mobility_site_to_core 2026-05-14
README 2026-05-14
TP-00_resources_and_setup 2026-05-14
TP-01_registration_mobility 2026-05-14
TP-02_authentication 2026-05-14
TP-03_sbi_security 2026-06-19
TP-04_gtp_userplane 2026-06-19
TP-05_ss7_diameter 2026-05-14
TP-06_slice_isolation 2026-05-14
TP-07_dos_robustness 2026-05-14
TP-08_stride_threat_emulation 2026-06-19
TP-09_container_k8s 2026-05-14
TP-10_monitoring_detection 2026-05-14

Update rule

When a mobility note introduces a reusable vector phrase, add it here as a defensive vector class and point to the detailed note. Keep this index scoped to navigation, blast-radius framing, validation mode, and controls — not exploitation steps.