Mobility Threat Modeling — Index
Mobility Threat Modeling — Index
BLUF. This is the published Mobility threat-modeling entry point. The key modeling unit is not “a hostname”; it is a state-changing workflow: SIM/eSIM, port-out, APN, private cellular, IoT/M2M fleet control, CPE/router provisioning, 4G/5G core policy, OSS/BSS, field/edge work orders, and support/vendor actions.
Boundaries and safety
- Defensive threat modeling, architecture review, OSINT synthesis, and authorized lab work only.
- No live exploitation, credential testing, support-line testing, RF interference, signaling abuse, or interaction with real subscribers/services without explicit scope.
- Treat missing scope as a constraint: convert ideas into document review, synthetic tabletop, authorized test account, or lab-only validation.
Start here
| Need | Read |
|---|---|
| Overall mobility threat-modeling framing | Theory_Threat_Model |
| Mobility methodology | 0. Methodology |
| 5G core overview | mobility-5g-core |
| Macro telecom infrastructure model | Theory_Macro_Overall |
| Fiber telecom infrastructure | Theory_Fiber_Telecom_Infrastructure |
| Satellite telecom infrastructure | Theory_Satellite_Telecom_Infrastructure |
| UE / Android / SIM layer | Phase2_UE_Android_SIM |
| RF air interface | Phase3_RF_Air_Interface |
| RRC / NAS signaling | Phase3_RRC_NAS_Signaling |
| Core network / GTP | Phase4_Core_Network_GTP |
| 5G-specific topics | Phase4_5G_Specific |
| Open5GS lab index | open5gs_lab/00_index |
| Holistic 4G/5G lab test plan | open5gs_lab/17_test_plan_4g_5g_holistic |
| Site-to-core mobility test plan | open5gs_lab/18_test_plan_mobility_site_to_core |
Mobility vector index
| Vector class | Mobility-specific meaning | Primary surfaces | Safe validation mode | Defensive control theme |
|---|---|---|---|---|
| Unauthenticated or weak-auth network join | A device, SIM/eSIM profile, CPE/router, gateway, UE, private-cellular endpoint, partner app, or admin client is allowed onto a network/control plane with weak proof of ownership, stale enrollment, default credentials, weak pairing, weak certificate lifecycle, or over-trusted bearer tokens. | IoT/M2M onboarding, CPE/fixed-wireless gateways, managed routers, private cellular SIMs, APN/private-network enrollment, partner/MSP delegated portals, UE/core lab attachment flows. | Document review; synthetic tenant; lab UE/core only; authorized test fleet if scoped. | Strong device identity, ownership proof, certificate-backed enrollment, tenant-bound tokens, mTLS, least-privilege APN/private-network entitlements, stale-device cleanup. |
| Subscriber state-change abuse | Changing who controls a number, device, SIM/eSIM, port lock, recovery path, billing owner, shipping address, or delegated admin state. | Consumer portal/app, support, retail, BPO, business mobility admin, fraud desk. | Authorized test account only; tabletop for support paths. | Step-up proof independent of affected phone, cooldowns, rollback, dual control, agent/action anomaly detection. |
| Business delegated-admin abuse | A compromised or stale business admin can change many lines, devices, APNs, users, orders, tickets, or services at once. | Business wireless portals, delegated admin consoles, reseller/MSP delegation, enterprise APIs. | Authorized business tenant review only. | RBAC lifecycle, scoped roles, bulk-change approval, high-risk action notifications, delegated admin recertification. |
| IoT/M2M fleet-control abuse | Bulk actions against SIM fleets, device inventory, rate plans, APNs, routers, gateways, fixed wireless, private cellular, or telemetry. | IoT control planes, APIs, MSP/reseller access, enterprise admins. | Authorized test fleet/device; document/API review; lab simulation. | Fleet ownership proof, API token scoping, approval for bulk changes, anomaly detection, per-device lifecycle audit. |
| API/OAuth token abuse | Over-scoped tokens or weak redirect/callback validation allow data access or state-changing automation beyond intended app scope. | Developer/API portals, API gateways, partner integrations, web/mobile apps, enterprise automation. | Authorized test app or documentation review only. | Exact redirect URIs, audience-bound tokens, least-privilege scopes, rotation, consent review, token-use baselines. |
| Support / BPO / help-desk workflow abuse | Human exception handling bypasses technical controls: KBA, supervisor override, callbacks, MFA resets, remote support, or insider-assisted account changes. | Call center, chat, IVR, retail, fraud desk, vendor/BPO agent desktops. | Tabletop, call-flow documentation review, synthetic scenarios. | KBA reduction, voice/device proofing, queue-to-record binding, dual control, session recording, social-engineering analytics. |
| Vendor / MSP trust pivot | Vendor connectivity is treated as internal, allowing compromised vendor identities/endpoints to reach portals, SaaS, edge appliances, OSS/BSS, or data stores. | VPN/ZTNA, CCaaS, CRM, MSP portals, cloud data platforms, edge/remote-access appliances. | Architecture/log review; no live pivoting. | Per-app ZTNA, vendor segmentation, posture checks, telemetry sharing, privileged-access controls, vendor-to-core anomaly detection. |
| Cloud data export / metadata exposure | Valid credentials or service accounts are used to query/export CDRs, location, billing records, support notes, recordings, transcripts, or analytics data. | Data warehouses, CRM, BI/ETL, SaaS exports, support recordings. | Policy/log review; synthetic data only. | Phishing-resistant MFA, service-account hardening, query baselines, DLP on exports, row/column controls, retention minimization. |
| 4G/5G core service-identity weakness | Network functions, service discovery, roaming/interconnect, slice lifecycle, UPF/MEC placement, or orchestration trust is too broad or poorly segmented. | 4G EPC, IMS/VoLTE/SMS, 5G SBA, NRF/SEPP, UPF/MEC, OSS/BSS, lab Open5GS/UERANSIM. | Lab-only or internal architecture review. | NF identity, mTLS/cert lifecycle, service authorization, segmentation, signaling controls, blocked-event review. |
| Legacy residue / migration drift | Sunset systems, stale support scripts, stale accounts, migrated customers, 3G/4G exceptions, or old KB assumptions weaken current controls. | 3G sunset residue, legacy M2M, old portals, support KBs, decommissioned aliases. | Documentation/CMDB/IAM reconciliation. | Decommission closure, redirect/alias cleanup, IAM reconciliation, script retirement, legacy exception review. |
| Emergency / priority workflow manipulation | Urgency-driven exceptions can affect priority/preemption, deployables, satellite backup, coverage restoration, or public-safety trust. | Public-safety admins, deployables, NDR, field ops, emergency support paths. | Tabletop/docs only; no live service impact. | Emergency override governance, verified contacts, dual approval, post-action audit, incident comms. |
| Field / CPE / edge physical-logical bridge | Work orders, remote hands, tower/colo/site access, managed CPE, OOB, or edge infrastructure become a bridge between physical operations and network control. | Towers, small cells, DAS, fixed-wireless gateways, routers, colocation, remote hands, OOB networks. | Passive/docs/internal review only; no physical testing without scope. | Work-order validation, badge/site alarm correlation, OOB logging, remote-hands callbacks, separation of duties. |
| Content / brand / support routing trust abuse | Content, PDFs, redirects, KB pages, AI support bots, or vendor-hosted shells route users or agents toward the wrong workflow or leak context. | CMS/DAM, support pages, chatbot/RAG, redirects, app links, PDFs. | Benign content-integrity review; authorized prompt-safety review if scoped. | Canonical domain matrix, redirect governance, content integrity, RAG/tool authZ, transcript controls. |
State-change questions to ask for every vector
- Who can change state? Customer, business admin, agent, BPO, MSP, API app, network function, field contractor, vendor service account?
- What proof authorizes the change? Password, MFA, phone possession, KBA, callback, certificate, token scope, work order, supervisor approval?
- What is the blast radius? One subscriber, one enterprise tenant, one IoT fleet, one APN/private network, one region, one network slice, one data warehouse?
- What telemetry proves it happened? Portal logs, API logs, agent desktop, call recording, device enrollment, OSS/BSS event, NF log, SIM/eSIM profile event, ticket/work order?
- How is it reversed? Rollback, SIM reissue, port recovery, APN restore, credential revocation, token rotation, slice/UPF rollback, customer notification?
Published notes in this folder
Update rule
When a mobility note introduces a reusable vector phrase, add it here as a defensive vector class and point to the detailed note. Keep this index scoped to navigation, blast-radius framing, validation mode, and controls — not exploitation steps.