Cybersecurity in mobile telecommunication networks and management risk
DOI:
https://doi.org/10.14482/inde.38.2.006.31Keywords:
3.5G, 4G, Computer attack, Cybersecurity, Risk managementAbstract
The 3.5G and 4G network technology are currently the most used in Colombia, given the great deployment that Internet service providers have made, which represents a security challenge with respect to the different attacks on these networks. The interception of data with "Man in the middle attacks" (MiTM) and denial of service - DoS (in the smartphone or in the mobile network) are very feasible. In this article of applied research, some risk and security vulnerabilities in mobile networks and their possibility of exploitation, as well as the general recommendations for risk reduction. To achieve the above, an investigation of different vulnerabilities in these telecommunications networks was carried out, a risk map was made, in order to visualize the possible impacts, then, a technical test was run to capture traffic with the MiTM attack (which was successful), and as a final result, deliver recommendations in the event that they can execute cyber-attacks.
References
Ministerio de Tecnologías de la Información y las Comunicaciones. (31 en. 2020). Boletín trimestral de las TIC, enero de 2020 [En línea]. Disponible en: https://colombiatic.mintic.gov.co/679/w3-article-125648.html
Ministerio de Tecnologías de la Información y las Comunicaciones. (24 abr. 2020). Boletín trimestral de las TIC: cifras primer trimestre de 2019 [En línea]. Disponible en: https://colombiatic.mintic.gov.co/679/w3-article-135691.html
Ministerio de Tecnologías de la Información y las Comunicaciones. (5 mzo. 2019). Boletín trimestral de las TIC: cifras tercer trimestre 2018 [En línea]. Disponible en: https://colombiatic.mintic.gov.co/679/w3-article-82350.html
Gartner Group. (26 sep. 2019). Gartner says global device shipments will decline 3.7 % in 2019[En línea]. Disponible en: https://www.gartner.com/en/newsroom/press-releases/2019-09-26-gartner-says-global-device-shipments-will-decline-1-percent-in-2019
ESET. (2019). ESET Security Report América Latina 2019 [En línea]. Disponible en: https://es.readkong.com/page/eset-security-report-latinoamerica-2019-4355431
A. Almanza. XIX Encuesta Nacional de Seguridad Informática. Sistemas, no. 151, pp. 12-41, 2019. https://doi.org/10.29236/sistemas.n151a3
Dinero. (1 en. 2018). Sistemas operativos iOS y Android se volvieron menos confiables en el 2017 [En línea]. Disponible en: https://www.dinero.com/empresas/artículo/ios-y-android-tuvieron-mas-vulnerabilidades-durante-el-2017/253771
J. Domenech. (2 en. 2018). 2017 registró un aumento de las vulnerabilidades en plataformas móviles [En línea]. Disponible en: https://www.silicon.es/2017-registro-aumento-las-vulnerabilidades-plataformas-moviles-2368302?inf_by=5a6a2fb8671db8a70c8b4692
National Vulnerability Database. (2019). Statistics results of android [En línea]. Disponible en: https://nvd.nist.gov/vuln/search/statistics?adv_search=false&form_type=basic&results_type=statistics&search_type=last3years&query=android
Kaspersky Labs. (10 abr. 2013). ¿Qué es un ataque Man-in-the-Middle? [En línea]. Disponible en: https://www.kaspersky.es/blog/que-es-un-ataque-man-in-the-middle/648/
D. Pérez y J. Pico. (2011). A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communi-cations [En línea]. Disponible en: http://www.cic.ipn.mx/~pescamilla/MS/papers_2014/PerezandPico2011.pdf
S. Prowell, R. Kraus y M. Borkin, “Man-in-the-Middle”, en Seven deadliest network attacks, C. Grimes, Ed. Syngress: Elsevier, 2010, pp. 101-120.
M. Conti, N. Dragoni y V. Lesyk, “A survey of man in the middle attacks”, IEEE Journal, vol. 18, no. 3, 2016, pp. 2027-2051. Doi: 10.1109/COMST.2016.2548426
Instituto Nacional de Ciberseguridad. (20 mzo. 2017). Amenaza vs. vulnerabilidad, ¿sabes en qué se diferencian? [En línea]. Disponible en: https://www.incibe.es/protege-tu-empresa/blog/amenaza-vs-vulnerabilidad-sabes-se-diferencian
A. Kumar1, Y. Liu y J. Sengupta. (2010, ag.). Evolution of mobile wireless communication networks-1G to 5G as well as future prospective of next generation communication network. IJECT [En línea]. 1 (1), pp. 68-72. Disponible en: http://chenweixiang.github.io/docs/Evolution_of_Mobile_Wireless_Communication_Networks.pdf
O. Rodríguez, R. Hernández, L. Torno, L. García y R. Rodríguez. (2005, en.-mzo.). Telefonía móvil celular: origen, evolución, perspectivas. Ciencias Holguín [En línea]. 11 (1), pp. 1-8. Disponible en: https://www.redalyc.org/artículo.oa?id=181517913002
National Vulnerability Database. (7 mzo. 2019). CVE-2018-11422 details [En línea]. Disponible en: https://nvd.nist.gov/vuln/detail/CVE-2018-11422
National Vulnerability Database. (7 mzo. 2019). CVE-2018-11421 detail [En línea]. Disponible en: https://nvd.nist.gov/vuln/detail/CVE-2018-11421
National Vulnerability Database. (3 my. 2018). CVE-2018-5455 detail [En línea]. Disponible en: https://nvd.nist.gov/vuln/detail/CVE-2018-5455
National Vulnerability Database. (29 my. 2017). CVE-2017-7913 detail [En línea]. Disponible en: https://nvd.nist.gov/vuln/detail/CVE-2017-7913
A. L. García Reis, A. F. Barros, K. Gusso Lenzi, L. G. Pedroso Meloni y S. E. Barbin, “Introduction to the software-defined radio approach”, IEEE Latin America Transactions, vol. 10, no. 1, pp. 1156-1161, en. 2012. Doi: 10.1109/TLA.2012.6142453
R. Díaz y Y. García. (2017, nov. 10). Desarrollo de un sistema receptor de FM utilizando radio definida por software [En línea]. Disponible en: https://www.academia.edu/download/57598047/Ciencias_economicas-aportaciones_de_las_tecnologias_de_neuroimagen_p._127-129.pdf#page=295
GNU Radio Foundation. (2020). About GNU Radio [En línea]. Disponible en: https://www.gnuradio.org/about/
B. Bhushan, G. Sahoo y A. K. Rai, “Man-in-the-middle attack in wireless and computer networking: a review”, en 2017 3rd International Conference on Advances in Computing, Communication & Automation (ICACCA) (Fall), IEEE, Dehradun, 2017, pp. 1-6. Doi: 10.1109/ICACCAF.2017.8344724
S. Yubo, K. Zhou y X. Chen, “Fake BTS attacks of GSM system on software radio platform”, Journal of Networks, vol. 7, no. 2, 2012. Doi: 10.4304/jnw.7.2.275-281
H. Alrashede y R. A. Shaikh, “IMSI Catcher Detection Method for Cellular Networks”, 2019 2nd International Conference on Computer Applications & Information Security (ICCAIS), IEEE, Riyadh, 2019, pp. 1-6. Doi:10.1109/CAIS.2019.8769507
Kaspersky Labs. (2019). Amenazas de seguridad móvil dirigidas a dispositivos Android [En línea]. Disponible en: https://latam.kaspersky.com/resource-center/threats/mobile
National Vulnerability Database. (12 sep. 2019). CVE-2019 detail [En línea]. Disponible en: https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=Simjacker&search_type=all
K. Lee, B. Kaiser, J. Mayer y A. Narayanan. (2020). An Empirical study of wireless carrier authentication for SIM Swaps [En línea]. Disponible en: https://www.usenix.org/conference/soups2020/presentation/lee
Portal IsSMS2FASecure.com. (2020). Security analysis of SMS-enabled websites [En línea]. Disponible en: https://www.issms2fasecure.com/dataset
International Organization for Standardization. ISO/IEC 27005:2018 Information technology - Security techniques - Information security risk management. Suiza: International Organization for Standardization, 2018.
Municipio de Viterbo Carlas. (2019). Plan de tratamiento de riesgos de seguridad y privacidad de la información [En línea]. Disponible en: http://www.viterbo-caldas.gov.co/planes/plan-de-tratamiento-de-riesgos-de-seguridad-y-privacidad
National Institute of Standards and Technology. (2012). Guide for Conducting Risk Assessments - NIST 800-30 [En línea]. Disponible en: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
International Organization for Standardization. Norma técnica ISO/IEC 27001:2013, 2.ª ed. Suiza: International Organization for Standardization, 2013.
Unión Internacional de Telecomunicaciones. (2019). X.500: Information technology - Open Systems Interconnection - The Directory: Overview of concepts, models and services [En línea]. Disponible en: https://www.itu.int/rec/T-REC-X.500/e
National Institute of Standards and Technology. (2013). 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organization. [En línea]. Disponible en: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
