VSecLab - Threat Catalogue

Dark Mode

Settings

Threat Catalogue

The Threat Catalogue is a collection of threats that can be used to identify and mitigate risks to an organization. Each entry represents a couple $(Threat, AssetType)$ identified by a $TID$, which indicates that an asset of a given $AssetType$ can be affected by the $Threat$.

Threat Catalogue Table

TID	Asset	Threat	Description	STRIDE	Compromised	PreC	PreI	PreA	PreCondition	PostC	PostI	PostA	PostCondition	Capec Meta	Capec Standard	Capec Detailed	Easy of Discovery	Easy of Exploit	Awareness	Intrusion Detection	Loss of Confidentiality	Loss of Integrity	Loss of Availability	Loss of Accountability	Commento
T1	Device.MEC	False or rogue MEC Gateway	The open nature of edge gateways allows a malicious user to deploy their own gateway devices, this threat can produce the same result as a Man-in-the-Middle attack.	S	self	n	n	n	[n,n,n]	f	f	f	[f,f,f]				5	5	5	5	5	5	5	5
T10	Device.MEC	Memory Acquisition	An attacker can steal information from this de-allocated memory by using any kind of memory acquisition tools.	I	self	n	n	n	[n,n,n]	p	n	p	[p,n,p]				5	5	5	5	5	5	5	5
T100	Network	Message Modification	An adversary can simply intercept and modify the packets' content meant for the base station or intermediate nodes coming from the asset	D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]	94			7	5	5	6	3	8	7	4
T101	Network	Message Replay	An adversary can re-transmit the content of the packets coming from the asset at a later time	S,T	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				6	6	4	5	3	6	5	3	Non dovrebbe essere Replay? La descrizione sembra proprio quella dei Replay Attack.
T102	Network	Message Injection	An adversary can send out false data into asset, maybe masquerading as one of the nodes with the objective of corrupting the collected nodes'reading or disrupting the internal control data	S,E	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]	94 594	595	596	5	7	6	6	3	8	6	4
T103	Network	Network Partitioning	An adversary can make a certain section of the asset inaccessibile by others	D	self , target(connects)	n	n	n	[n,n,n]	n	p	p	[n,p,p]	94 154	582 616	584 585 615	4	6	3	6	2	5	9	3
T104	Network	Selective Forwarding	An attacker can forward a packets that traverse a malicious node depending on some criteria	S	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]	94			5	5	4	6	2	7	6	3
T105	Network	Topology Disclosure	An attacker can exploit forwarding updates between the variuos nodes to know network tolopogy	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]	169	292 309		7	6	5	4	9	4	3	5	Perché la descrizione prevede solo il caso di invio di aggiornamenti tra i nodi? [Contemplato solo scanning passivo]
T106	Network	Network Abusive Access	An attacker can abusively access (send and receive messages) this network	S	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]	114 115 216 272			6	6	5	5	8	7	6	5
T107	Network	Resource Exhaustion	An Adversay is able to denial (at least partially) the network resourcees	D	self	n	n	n	[n,n,n]	n	n	f	[n,n,f]	125	482 486 487 490		5	6	5	6	3	4	9	4
T108	Network	Spoofing	An attacker sends messages with a spoofed identity	S	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]	148			7	6	5	6	5	7	4	4
T109	Network	Communication Lock	An attacker can manipualte the Network behavioour in some way	D	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]	216 272			5	6	4	5	3	5	8	3
T11	Device.MEC	Modifying Metadata	Since the Edge system is heavily virtualized, it has to keep track of many logs. An attacker can manipulate log files and corrupt parts of the system.	T	self,target(hosts)	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T110	Network.Core	Resouce Exhaustion	DDoS attacks can be lauched as Signaling Amplification and HSS saturation by using a botnet to control a large number of infected Ues	D	self,souce(connects)	n	n	n	[n,n,n]	n	n	p	[n,n,p]				6	5	5	4	8	2	3	3
T111	Network.Core	TLS/SSL vulnerabilities exploitation	The TLS/SSL based communication used in SDN based Core Network is vulnerable to attacks such as TCP SYN DDoS, RC4 biases in TLS, Browser Exploit against TLS, Compression ratio info-leak made easy (CRIME), LUCKY 13 attack and POODLE attack	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				6	6	4	5	3	7	4	4
T112	Network.Core	SDN Scanner	Attackers can passively collect network information like IP of SDN controller and key network elements by analyzing SDN traffics. It is possible to perform various attacks like DoS, TCP reset, replay and spoofing attacks .	I	self,target(connects)	p	n	n	[p,n,n]	p	n	p	[p,n,p]				6	6	4	5	4	8	4	4
T113	Network.Core	Theft of Service	Services can be compromised by the Roaming Network	S,T,I,D	self,target(uses)	n	n	n	[n,n,n]	p	n	p	[p,n,p]				7	5	4	5	9	6	4	5
T114	Network.Core	Malicious Software	Injection attacks worms, Ransomware, Malicious network functions, Botnet	S,T,I,D	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]				6	5	4	5	8	5	3	4
T115	Network.Core	Unauthorized Access	IMSI catching attacks, Brute force, Port knocking	S,T	self,target(uses)	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	7	5	6	3	8	6	4
T116	Network.Core	Data Breach	Log tampering, File misuse, Customer data theft	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	7	5	6	4	8	7	5
T117	Network.Core	Remote access	manifested when malicious users exploit a given vulnerability that provides remote access for maintenance and troubleshooting	S,T,I,D	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				6	6	4	5	8	3	2	3
T118	Network.Core	Injection	the attacker has the injection capability for generating and transmitting the wireless packets in 5G (which requires the radio/antenna frontend hardware and the wireless signal processing to generate wireless signals complying with the 5G NR standard) and can detect and listen another legitimate user’s transmission (passive radio receiving capability).	S	target(connects)	p	n	n	[p,n,n]	p	p	n	[p,p,n]				4	6	5	6	4	9	4	5
T119	Network.Core	Disruption of limited func_x0002_tionalities of the network	Some attacks affecting the net_x0002_work core may result in serious disruptions of the functioning of the network. One of the most critical points of the network is the interconnect network, which may be misused for signaling fraud (e.g., false charging).	S,I,D	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]				7	6	5	4	8	5	4	3
T12	Device.MEC	Memory Tampering	An attacker can acquire memory and read information from it using any kind of memory accusation tool. With proper security privilege they can access storage memory blocks and tamper the stored data.	T	self,target(hosts)	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T120	Network.Core	Massive failure of network functionalities	An insider attack may cause a massive failure of the network. This is very hard to achieve by a simple misconfiguration of the network core	D	self	n	n	n	[n,n,n]	n	n	f	[n,n,f]				5	7	5	6	2	3	9	3
T121	Network.Core	Massive dysfunctionality of 5G Core, controlled by an external party	The core may be controlled remotely by a third party, which results in the malfunctioning of the entire network. This attack may be very difficult to discover (if it is point-specific).	S,I,D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	7	4	5	2	3	8	3
T122	Network.Core	Signaling Threats	Storms or Frauds	D	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]				6	6	5	6	3	4	9	4
T123	Network.Core	Saturation threat	malicious or even legitimate but compromised nodes will be capable of causing saturation attacks	D	target(connects)	n	n	n	[n,n,n]	n	n	p	[n,n,p]				6	6	5	6	3	4	9	4
T124	Network.Core	Eavesdropping	Attackers eavesdrop on sensitive data on the network	I	self, target(connects)	n	n	n	[n,n,n]	p	p	n	[p,p,n]				6	8	5	7	5	9	6	4
T125	Network.Core	TCP SYN Scanning	an attacker is attempting to determine the state of every TCP port of the target IP address (65536 ports in total) without establishing a full connection. Tis is achieved by sending a SYN segment addressed to every port on the server.	I	self,target(connects)	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T126	Network.Core	Use of JSON is a liability	Diferent implementations will use diferent JSON libraries. There is a considerable chance that there will be inconsistencies, and these may lead to security problems	I	self	None	None	None	[,,]	None	None	None	[,,]				5	5	5	5	5	5	5	5
T127	Network.Core	Authorization and OAuth 2.0	Use of authorization is new to the 3GPP core network signaling system. There is therefore a considerable chance that there will be wrongful or inappropriate use. This afects both the design requirements and the realization of the requirements. Furthermore, it is well known that there are problems with some of the OAuth 2.0 implementations.	S,I	self	None	None	None	[,,]	None	None	None	[,,]				5	5	5	5	5	5	5	5
T128	Network.Core	Unsecured connections	Lack of using TLS to secure the connections	S,I	target(connects)	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T129	Network.Core	Masquerade	These threats would encompass aspects such as identifcation and entity authentication. For signalling, it also involves message origin authentication aspects. Related to: entity authentication and message origin authentication.	S	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T13	Device.MEC	Exhausting Log Space	Log files must be maintained on Edge systems in order to ensure traceability of actions. An attacker can attempt to write garbage values on these files and consume the log space.	D	self	n	n	n	[n,n,n]	n	f	f	[n,f,f]				5	5	5	5	5	5	5	5
T130	Network.Core	Authorization and access rights	Threats towards authorization and access rights includes access violation and illicit privilege elevation. Defnition of consistent and complete security policies is a prerequisite.	E	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T131	Network.Core	Accountability and attributability	This typically includes threats where a party attempts to deny sending or receiving messages	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T132	Network.Core	Accidental	Misconfigured systems/network outdated systems, Human error, Unintentional deletion	T,I,D	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]				5	5	5	5	5	5	5	5
T133	Network.Core	Vulnerable API	Orchestrator or SDN controller can be subjected to API-based attacks	T,I,D	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]				5	5	5	5	5	5	5	5
T134	Network.Core	Network Configuration Manipulation	Routing table manipulation, Malicious network function registration, DNS manipulation, Exploitation of misconfigured data, Tampering of cryptographic keys and policies, OS services tampering	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T135	Network.WiFi	Jamming	An attacker jams the comunication channel of the asset and avoids any member of the network in the affected area to send or receive any packet	D	self	n	n	n	[n,n,n]	n	n	f	[n,n,f]	607	601	604	5	5	5	5	5	5	5	5
T136	Service.5G.AMF	Data forging	Inadequate policies in the management and protection of critical configuration data can lead to unpredictable system behaviour and unauthorised access to critical platforms, impacting network confidentiality and integrity. This threat affects core elements such as SDN, which are compromised to launch DoS attacks.	T	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T137	Service.5G.AMF	Exploitation of software, hardware vulnerabilities	This type of threat allows a malicious user to take advantage of unknown software or hardware defects, i.e., not yet registered to carry out an attack. The example includes the exploitation of known hardware and software defects, such as meltdown, spectre and buffer overflow.	S,I,D	self, source(hosts)	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T138	Service.5G.AMF	Resouce Exhaustion	An attempt is made to make a network resource unavailable to the users for whom it is intended by temporarily or indefinitely interfering with or interrupting network service. The attack involves the generation of a massive number of requests or with such traffic that the network becomes partially or completely unavailable.	D	self, source(uses)	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T139	Service.5G.AMF	Remote Access exploitation	This threat consists of a malicious user who has remote access to critical network components and takes control of a virtual machine to perform other types of attacks.	T	source(hosts),self	p	n	n	[p,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T14	Device.MEC	Exhausting Buffer Space	An attacker can create a large number of unnecessary files and request them continuously fill the available space. Also, attacker can request buffer space with unresponsive connection similar to syn-flood attack in TCP/IP communication.	D	self	n	n	n	[n,n,n]	n	f	f	[n,f,f]				5	5	5	5	5	5	5	5
T140	Service.5G.AMF	Compromised service providers	This threat concerns the inclusion by the seller of malicious or defective software. It also considers the implementation of uncontrolled software updates, manipulation of functionality, inclusion of functions to bypass control mechanisms, backdoors, undocumented test functionality.	S,T,R,I,D,E	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T141	Service.5G.AMF	Abuse of remote access to the network	This threat consists of a malicious user who has remote access to critical network components and takes control of a virtual machine to perform other types of attacks.	T	source(hosts)	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T142	Service.5G.AMF	Abuse of virtualization mechanisms	These are threats related to the virtualisation of the IT infrastructure, network and underlying functions.	T,D	self, source(connects)	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T143	Service.5G.AMF	Manipulation of software	Hardware or even software can be modified to compromise the system	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T144	Service.5G.AMF	Misconfigured or poorly configured system	This threat concerns the inclusion by the seller of malicious or defective software. It also considers the implementation of uncontrolled software updates, manipulation of functionality, inclusion of functions to bypass control mechanisms, backdoors, undocumented test functionality.	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T145	Service.5G.AMF	Inadequate designs and planning or lack of adaption	Obsolete system or network due to lack of management of updates or patches. Threat related to errors due to lack of management of configuration changes or poor network and system architecture design	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T146	Service.5G.AMF	Erroneous use or administration of the system	Classified as unintentional damage (mismanagement of devices and systems), errors resulting from a poorly managed and administered network can compromise the confidentiality, integrity and availability of the network.	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T147	Service.5G.AMF	Eavesdropping	Attackers eavesdrop on sensitive data on control and bearer plane	S,T	self, source(uses)	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T148	Service.5G.AMF	Network slicing specific	Template modification, Configuration tampering, Fake slice creation, Deny access to slices, Data breach delete slices, Unauthorized access, Misuse of resources and functions, Side channel attacks	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T149	Service.5G.AMF	Incorrect SUCI de-concealment	If the SUPI in the UE and the SUPI retrieved from Nudm_Authentication_Get Response message are not the same, the AMF key generated based on the SUPI in the UE is also not the same as the AMF key generated in the AMF/SEAF. As a result, the subsequent NAS SMC procedure will always fail. Hence, UE will never be able to use the services provided by the serving AMF.	D	self, source(uses)	n	n	n	[n,n,n]	n	n	f	[n,n,f]				5	5	5	5	5	5	5	5
T15	Device.MEC	Network Communication Disruptor	Adversaries can jam or disrupt the network communication medium using different congestion techniques.	D	self	n	n	n	[n,n,n]	n	f	f	[n,f,f]				5	5	5	5	5	5	5	5
T150	Service.5G.AMF	Resynchronization	f RAND and AUTS are not included when synchronization fails, the resynchronization procedure does not work correctly. This can result in waste of system resources and deny a legitimate user access to the system.	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T151	Service.5G.AMF	Bidding down	If SMC does not include the complete initial NAS message if either requested by the AMF or the UE sent the initial NAS message unprotected, the UE can force the system to reduce the security level by using weaker security algorithms or turning security off, making the system easily attacked and/or compromised.	T,I	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T152	Service.5G.AMF	Invalid or unacceptable UE security capabilities	A flawed AMF implementation accepting insecure or invalid UE security capabilities may put User Plane and Control Plane traffic at risk, without the operator being aware of it. If NULL ciphering algorithm and/or NULL integrity protection algorithm of the UE security capabilities is accepted by the AMF, all the subsequent NAS, RRC, and UP messages will not be confidentiality and/or integrity protected. The attacker can easily intercept or tamper control plane data and the user plane data. This can result in information disclosure as well as tampering of data	T	self, source(uses)	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T153	Service.5G.AMF	Manipulation of network configuration	Inadequate policies in the management and protection of critical configuration data can lead to unpredictable system behaviour and unauthorised access to critical platforms, impacting network confidentiality and integrity. This threat affects core elements such as SDN, which are compromised to launch DoS attacks.	D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T154	Service.5G.AMF	Exploitation of software, hardware vulnerabilities	This type of threat allows a malicious user to take advantage of unknown software or hardware defects, i.e., not yet registered to carry out an attack. The example includes the exploitation of known hardware and software defects, such as meltdown, spectre and buffer overflow.	S,I,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T155	Service.5G.AMF	Resouce Exhaustion	An attempt is made to make a network/service resource unavailable to the users for whom it is intended by temporarily or indefinitely interfering with or interrupting network service. The attack involves the generation of a massive number of requests or with such traffic that the network becomes partially or completely unavailable.	D	self	n	n	n	[n,n,n]	n	n	f	[n,n,f]				5	5	5	5	5	5	5	5
T156	Service.5G.AMF	Abuse of remote access to the network	This threat consists of a malicious user who has remote access to critical network components and takes control of a virtual machine to perform other types of attacks.	T	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T157	Service.5G.AMF	Manipulation of hardware and software	Hardware or even software can be modified to compromise the system	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T158	Service.5G.AMF	Compromised supply chain, vendor and service providers	This threat concerns the inclusion by the seller of malicious or defective software. It also considers the implementation of uncontrolled software updates, manipulation of functionality, inclusion of functions to bypass control mechanisms, backdoors, undocumented test functionality.	S,T,R,I,D,E	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T159	Service.5G.AMF	Misconfigured or poorly configured networks	This threat concerns the inclusion by the seller of malicious or defective software. It also considers the implementation of uncontrolled software updates, manipulation of functionality, inclusion of functions to bypass control mechanisms, backdoors, undocumented test functionality.	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T16	Device.MEC	User Impersonation	An attacker can impersonate an user by retrieving her credentials.	S	self	n	n	n	[n,n,n]	f	n	n	[f,n,n]				5	5	5	5	5	5	5	5
T160	Service.5G.AMF	Inadequate design and planning or lack of adaption	Obsolete system or network due to lack of management of updates or patches. Threat related to errors due to lack of management of configuration changes or poor network and system architecture design	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T161	Service.5G.AMF	Erroneous use of administration of the network	Classified as unintentional damage (mismanagement of devices and systems), errors resulting from a poorly managed and administered network can compromise the confidentiality, integrity and availability of the network.	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T162	Service.5G.AMF	Improper use of the interface	As the gateway between devices and the 5G network, attackers can use the open interfaces from a gNodeB to attack the network, including the radio baseband.	S	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T163	Service.5G.AMF	Traffic Modification	Attackers modify information during transit in user plane N3 (SIP header modification, RTP spoofing)	T	source(uses)	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T164	Service.5G.AMF	Jamming	An attack that attempts to interfere with the reception of broadcast communications.	D	self	n	p	n	[n,p,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T165	Service.5G.AMF	Eavesdropping	Attackers eavesdrop on sensitive data on control and bearer plane	S,T	target(connects)	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T166	Service.5G.AMF	Resource Starvation	Resource starvation at cRAN VNFs by additional vFirewall functions during DDOS attack	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T167	Service.5G.AMF	IMSI Caching	A malicious device acquires subscription identities (IMSIs) within an area or location within a few seconds of operation and then denies ac_x0002_cess of subscribers to the commercial network	D	target(connects)	p	n	n	[p,n,n]	p	n	p	[p,n,p]				5	5	5	5	5	5	5	5
T168	Service.5G.AMF	Unauthorized access to signaling data	In case of unauthorized access to user plane or signaling data, sensitive information such as user data, cryptographic keys, monitoring logs and signaling data can be leaked	I	target(connects)	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T169	Service.5G.AMF	Unauthorized access to Network Traffic	An attacker can obtain network information	I	target(connects)	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T17	Device.MEC	Power Disruption	Fog/Edge node can often be located at public space where security is minimum. Adversaries can disrupt the power supply which will make the Fog/Edge node unavailable for service.	D	self	n	n	n	[n,n,n]	n	f	f	[n,f,f]				5	5	5	5	5	5	5	5
T170	Service.5G.AMF	Physical Attacks	Sabotage of network hardware or Terrorist attacks or Unauthorized physical access to base station	S,D	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]				5	5	5	5	5	5	5	5
T171	Service.5G.AMF	Network slicing specific	Misuse of resources and function or Side-channel attacks	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T172	Service.5G.AMF	Signaling Threats	Storms or Frauds	D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T173	Service.5G.AMF	Message Insertion	These types of attacks are possible in 5G networks to initiate DoS attacks. For instance, false flow table updates can be used to overload SDN devices.	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T174	Service.5G.AMF	Fake access network node	This threat considers the compromise of a base station by masquerading as legitimate, facilitating different types of attacks such as man-in-the-middle or network traffic manipulation	S	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T175	Service.5G.AMF	Exploitation of software vulnerabilities	This type of threat allows a malicious user to take advantage of unknown software or hardware defects, i.e., not yet registered to carry out an attack. The example includes the exploitation of known hardware and software defects, such as meltdown, spectre and buffer overflow.	S,I,D	self, source(hosts)	n	p	n	[n,n,n]	n	f	p	[n,f,p]				5	5	5	5	5	5	5	5
T176	Service.5G.AMF	Remote Access exploitation	This threat consists of a malicious user who has remote access to critical network components and takes control of a virtual machine to perform other types of attacks.	T	source(hosts),self	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T177	Service.5G.AMF	Abuse of virtualization mechanisms	These are threats related to the virtualisation of the IT infrastructure, network and underlying functions.	T	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T178	Service.5G.AMF	Manipulation of software	Hardware or even software can be modified to compromise the system	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T179	Service.5G.AMF	Misconfigured or poorly configured service	This threat concerns the inclusion by the seller of malicious or defective software. It also considers the implementation of uncontrolled software updates, manipulation of functionality, inclusion of functions to bypass control mechanisms, backdoors, undocumented test functionality.	S,T,I	self, source(connects)	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T18	Device.MEC	Communication Disruption	An attacker can cut off the network line or break the communication antenna.	D	self,source(connects)	n	n	n	[n,n,n]	n	f	f	[n,f,f]				5	5	5	5	5	5	5	5
T180	Service.5G.AMF	Inadequate designs and planning or lack of adaption	Obsolete system or network due to lack of management of updates or patches. Threat related to errors due to lack of management of configuration changes or poor network and system architecture design	T,D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T181	Service.5G.AMF	Erroneous use or administration of the network, system and devices	Classified as unintentional damage (mismanagement of devices and systems), errors resulting from a poorly managed and administered network can compromise the confidentiality, integrity and availability of the network.	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T182	Service.5G.AMF	Impersonation of Session Management Function	Successful impersonation of the SMF can give the attacker the ability to establish Packet Forwarding Control Protocol (PCFP) session to the User Plane Function (UPF) (via N4 interface), which is responsible for connecting the subscriber to the public Internet. The UPF and SMF are likely to be logically in the same trusted domain, and therefore, the UPF will execute commands sent from the SMF. Potential damaging commands include dropping users from the network, denying service after the drop, and redirecting data	S	source(uses)	n	n	n	[n,n,n]	f	n	p	[f,n,p]				5	5	5	5	5	5	5	5
T183	Service.5G.AMF	Resouce Exhaustion	A DDoS attack is caused by a very large group of automated devices (commonly called a Botnet) which all repeatedly request the same resource until that resource is so overwhelmed no one can access it. The primary risk points for a 5G core network are on the N4 interface, which is the central control point between remote and central data centers	D	self, source(uses)	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T184	Service.5G.AMF	Information Leakage	Network traffic, Cloud computing, Misuse of security audit tools, Security keys theft, Unauthorized access to user plane data, Unauthorized access to signalling data	I	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T185	Service.5G.AMF	Eavesdropping	Attackers eavesdrop on sensitive data	S,T	self, source(uses)	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T186	Service.5G.AMF	Priority of UP security policy	It is required that user Plane Security Policy from UDM takes precedence over locally configured User Plane Security Policy in SMF. If SMF fails to comply with the requirement, user plane security may be degraded. For example, if the UP security policy from the UDM mandates the ciphering and integrity protection of the user plane data, but no protection is indicated in the local UP security policy at the SMF, and the local UP security policy takes the priority, then the user plane data will be sent over the air without any protection.	T,I	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T187	Service.5G.AMF	Chargiing Failure	TEID, as part of the CN Tunnel information, is used by the UPF and gNB/ng-eNB for user plane routing. The failure to guarantee the uniqueness of the TEID for a PDU session result in interruption of the routing of the user traffic. It also create charging errors. If multiple PDU sessions were to share the same TEID at the same time, the counts for the network usage of a single PDU session will be in fact the counts for the network usage of multiple sessions, creating charging errors.	S,T,D,I	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]				5	5	5	5	5	5	5	5
T188	Service.5G.AMF	Security policy check	It is required that the SMF verifies that the UP security policy received from the ng-eNB/gNB is the same as that stored locally at the SMF. If the SMF fails to check, security degradation of UP traffic may occur. For example, if the UP security policy received from the ng-eNB/gNB indicates no security protection, while the local policy mandates the opposite, and SMF uses the received UP security policy without validation, then the user plane data will be unprotected.	T,I	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T189	Service.5G.AUSF	Data forging	Inadequate policies in the management and protection of critical configuration data can lead to unpredictable system behaviour and unauthorised access to critical platforms, impacting network confidentiality and integrity. This threat affects core elements such as SDN, which are compromised to launch DoS attacks.	D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T19	Device.MEC	Device Theft	An attacker can open the MEC server and detach the storage unit.	E	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]				5	5	5	5	5	5	5	5
T190	Service.5G.AUSF	Exploitation of software, hardware vulnerabilities	This type of threat allows a malicious user to take advantage of unknown software or hardware defects, i.e., not yet registered to carry out an attack. The example includes the exploitation of known hardware and software defects, such as meltdown, spectre and buffer overflow.	S,I,D	self, source(hosts)	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T191	Service.5G.AUSF	Compromised supply chain, vendor and service providers	This threat concerns the inclusion by the seller of malicious or defective software. It also considers the implementation of uncontrolled software updates, manipulation of functionality, inclusion of functions to bypass control mechanisms, backdoors, undocumented test functionality.	S,T,R,I,D,E	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T192	Service.5G.AUSF	Abuse of remote access to the network	This threat consists of a malicious user who has remote access to critical network components and takes control of a virtual machine to perform other types of attacks.	T	self, source(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T193	Service.5G.AUSF	Manipulation of software	These are threats related to the virtualisation of the IT infrastructure, network and underlying functions.	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T194	Service.5G.NEF	Exploitation of software, hardware vulnerabilities	This type of threat allows a malicious user to take advantage of unknown software or hardware defects, i.e., not yet registered to carry out an attack. The example includes the exploitation of known hardware and software defects, such as meltdown, spectre and buffer overflow.	T	self, source(hosts)	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T195	Service.5G.NEF	Resouce Exhaustion	An attempt is made to make a network resource unavailable to the users for whom it is intended by temporarily or indefinitely interfering with or interrupting network service. The attack involves the generation of a massive number of requests or with such traffic that the network becomes partially or completely unavailable.	D	self,souce(uses)	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T196	Service.5G.NEF	Remote Access exploitation	This threat consists of a malicious user who has remote access to critical network components and takes control of a virtual machine to perform other types of attacks.	T	self, source(hosts)	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T197	Service.5G.NEF	Compromised supply chain, vendor and service providers	This threat concerns the inclusion by the seller of malicious or defective software. It also considers the implementation of uncontrolled software updates, manipulation of functionality, inclusion of functions to bypass control mechanisms, backdoors, undocumented test functionality.	S,T,R,I,D,E	self	n	n	n	[n,n,n]	f	f	p	[f,f,p]				5	5	5	5	5	5	5	5
T198	Service.5G.NEF	Abuse of remote access to the network	This threat consists of a malicious user who has remote access to critical network components and takes control of a virtual machine to perform other types of attacks.	T	self, source(hosts)	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T199	Service.5G.NEF	Abuse of virtualization mechanisms	These are threats related to the virtualisation of the IT infrastructure, network and underlying functions.	T,D	self, source(hosts)	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T2	Device.MEC	Edge node overload	This threat refers to attacks on edge nodes by flooding the node with requests from mobile Apps or IoT devices.	D	self	n	n	n	[n,n,n]	n	f	f	[n,f,f]				5	5	5	5	5	5	5	5
T20	Device.MEC	Physical Disruption	A MEC node can be physically damaged by the adversaries. One can simply damaged a Fog node by hitting it with heavy object or putting it in fire or pouring liquid like water.	E	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]				5	5	5	5	5	5	5	5
T200	Service.5G.NEF	Manipulation of hardware and software	These are threats related to the virtualisation of the IT infrastructure, network and underlying functions.	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T201	Service.5G.NEF	Misconfigured or poorly configured system	This threat concerns the inclusion by the seller of malicious or defective software. It also considers the implementation of uncontrolled software updates, manipulation of functionality, inclusion of functions to bypass control mechanisms, backdoors, undocumented test functionality.	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T202	Service.5G.NEF	Inadequate designs and planning or lack of adaption	Obsolete system or network due to lack of management of updates or patches. Threat related to errors due to lack of management of configuration changes or poor network and system architecture design	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T203	Service.5G.NEF	Erroneous use or administration of the network function	Classified as unintentional damage (mismanagement of devices and systems), errors resulting from a poorly managed and administered network can compromise the confidentiality, integrity and availability of the network.	T,D	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]				5	5	5	5	5	5	5	5
T204	Service.5G.NEF	Illegal access to API	Some third party applications can access illegally to API and perform DOS attacks to API.	D	self, source(uses)	n	n	n	[n,n,n]	p	n	p	[p,n,p]				5	5	5	5	5	5	5	5
T205	Service.5G.NEF	No authentication on application function	If the authentication of the Application Function is not supported, the application function without legal certificates, or pre-shared key could be able to establish a TLS connection with the NEF. The data stored in the NEF may be exposed to an attacker.	T,I	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T206	Service.5G.NRF	Data forging	Inadequate policies in the management and protection of critical configuration data can lead to unpredictable system behavior and unauthorized access to critical platforms, impacting the confidentiality and integrity of the network. This threat affects core elements such as SDN, compromised to launch DoS attacks.	D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T207	Service.5G.NRF	Exploitation of software, hardware vulnerabilities	This type of threat allows a malicious user to take advantage of unknown software or hardware defects, i.e., not yet registered to carry out an attack. The example includes the exploitation of known hardware and software defects, such as meltdown, spectre and buffer overflow.	T	self, source(hosts)	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T208	Service.5G.NRF	Compromised supply chain, vendor and service providers	This threat concerns the inclusion by the seller of malicious or defective software. It also considers the implementation of uncontrolled software updates, manipulation of functionality, inclusion of functions to bypass control mechanisms, backdoors, undocumented test functionality.	S,T,R,I,D,E	self	n	n	n	[n,n,n]	f	f	p	[f,f,p]				5	5	5	5	5	5	5	5
T209	Service.5G.NRF	Abuse of remote access to the network	This threat consists of a malicious user who has remote access to critical network components and takes control of a virtual machine to perform other types of attacks.	T	self, source(hosts)	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T21	Device.MEC	Hardware based attack	An attacker can easily attach an USB stick and install malicious software. Also, an attacker can connect to MEC node directly connecting it via its own terminal at the location.	T	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T210	Service.5G.NRF	Manipulation of hardware and software	Hardware or even software can be modified to compromise the system	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T211	Service.5G.NRF	Lack of Authorization between Slice Components	After a slice’s network function is instantiated, it can perform authentication using TLS/mTLS with the NRF (if enabled) and start the registration process. However, there is no mechanism to authorize the NF to check if it belongs to the correct slice. There are several scenarios where an unauthorized NF can register with the NRF. For instance, an attacker could impersonate a valid NF, a mis-configured NF could be added during the life cycle of a slice, or a malicious actor is able to modify the configuration of a compromised NF	E	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T212	Service.5G.NRF	No slice specific authorization for NF discovery	If NF discovery authorization for specific slice is not supported by the NRF, the NF instance in one slice can discover NF instances belonging to other slices. This can result in reduced assurance level of slice data isolation, making the system easily attacked as well as wasting resource.	I,E	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T213	Service.5G.NRF	Data forging	Inadequate policies in the management and protection of critical configuration data can lead to unpredictable system behavior and unauthorized access to critical platforms, impacting the confidentiality and integrity of the network. This threat affects core elements such as SDN, compromised to launch DoS attacks.	D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T214	Service.5G.NSSF	Data forging	Inadequate policies in the management and protection of critical configuration data can lead to unpredictable system behaviour and unauthorised access to critical platforms, impacting network confidentiality and integrity. This threat affects core elements such as SDN, which are compromised to launch DoS attacks.	S,I,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T215	Service.5G.NSSF	Exploitation of software, hardware vulnerabilities	This type of threat allows a malicious user to take advantage of unknown software or hardware defects, i.e., not yet registered to carry out an attack. The example includes the exploitation of known hardware and software defects, such as meltdown, spectre and buffer overflow.	S,I,D	self, source(hosts)	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T216	Service.5G.NSSF	Compromised supply chain, vendor and service providers	This threat concerns the inclusion by the seller of malicious or defective software. It also considers the implementation of uncontrolled software updates, manipulation of functionality, inclusion of functions to bypass control mechanisms, backdoors, undocumented test functionality.	S,T,R,I,D,E	self	n	n	n	[n,n,n]	f	f	p	[f,f,p]				5	5	5	5	5	5	5	5
T217	Service.5G.NSSF	Abuse of remote access to the network	This threat consists of a malicious user who has remote access to critical network components and takes control of a virtual machine to perform other types of attacks.	T	self, source(hosts)	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T218	Service.5G.NSSF	Manipulation of hardware and software	Hardware or even software can be modified to compromise the system	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T219	Service.5G.NSSF	Network slicing specific	Template modification, Configuration tampering, Fake slice creation, Deny access to slices, Data breach delete slices, Unauthorized access, Misuse of resources and functions, Side channel attacks	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T22	Device.MEC	Privacy Leakage	The possibilities of adversaries accessing the information stored at the upper layer of the edge infrastructure could warrant substantial concerns for privacy leakage.	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T220	Service.5G.NSSF	Slice Threft	An attacker can obtain the control of a slice	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T221	Service.5G.NSSF	Impersonation of NSMF	The NSMF is a critical component of 5G. It is the master of all 5G slices and dic_x0002_tates when/how/where a slice is instantiated. If an attacker successfully impersonated the NSMF, it would have control over every slice on the network	S	self, source(uses)	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T222	Service.5G.NWDAF	API interface Spoofing	The exchange of data and invocation of capabilities between NWDAF and other network functions are carried out through API interfaces. After obtaining the authentication information of API interfaces, the attacker can call the NWDAF API interface to execute malicious commands by spoofing the identity, which leads to sensitive data leakage or denial of service.	S,D	self	n	n	n	[n,n,n]	p	n	p	[p,n,p]				5	5	5	5	5	5	5	5
T223	Service.5G.NWDAF	AF spoofing attack	Third-party AFs that are not in the trusted zone interact with NWDAF through the NEF, which provides security from the external AF to the inside of the core network, and if the AF’s own security mechanism is not well-established, there is a security risk of spoofing	S	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T224	Service.5G.NWDAF	Data stored by ADRF may be com_x0002_promised	Consumer NF saves data and analysis results to ADFR via request messages. Without effective protection mechanisms, the transmitted data can be tampered with by attackers, thus affecting the integrity and availability security properties of storage data	T	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T225	Service.5G.NWDAF	Data poisoning against MTLF	NWDAF data sources are diverse, the data used lacks security controls, and adversarial examples that are carefully constructed in the collected data can lead to model skew, which can provide erroneous results in inference	T	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T226	Service.5G.NWDAF	Insufficient logging and monitoring capabilities	Attackers may take advantage of the lack of log monitoring and attack behavior monitoring to perform some data reading, modification operations and other attacks, so that the subject of the operation cannot be identified through auditing, and the attack behavior may not be alerted and blocked.	R	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]				5	5	5	5	5	5	5	5
T227	Service.5G.NWDAF	Data Stream Sniffing	If the communication between NWDAF and other network functions is not effectively protected, the data can be sniffed by attackers who can read the data for use in attacking the system or cause sensitive information to be leaked.	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T228	Service.5G.NWDAF	Improper security configuration	NWDAF may have improper security configuration, which may lead_x0002_ing to the leakage of sensitive system information, and attackers could use such information to execute further attacks	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T229	Service.5G.NWDAF	User Privacy Leakage	The NWDAF architecture supports the deployment of multiple N_x0002_WDAF instances in a hierarchical tree structure. The process of data and analysis results transfer between NWDAF instances may leak users’ private information, such as location, user configuration information, etc	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T23	HW.Chassis	Jamming	Jamming specifically refers to intentionally using a transmission blocking signal to disrupt communications between a drone and the pilot	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]	607	601 603	583 604 605	5	5	5	5	5	5	5	5
T230	Service.5G.NWDAF	Denial of Service due to Interface Robustness Issues	There are numerous and complex interfaces between NWDAF and other network functions. When receiving maliciously constructed abnormal packets, it may cause system exceptions, or exploit vul_x0002_nerabilities in various network protocols, resulting in server crashes	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T231	Service.5G.NWDAF	OAuth 2.0 Defect Exploitation	NWDAF gains access to other network functions by requesting tokens from NRF, which is vulnerable to man-in-the-middle attacks.	E	self, source(uses)	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T232	Service.5G.NWDAF	System Vulnerability Causes Virtu_x0002_al Machine Escape	NWDAF is usually deployed in virtualized environments, and due to security vulnerabilities in the operating system images of virtual machines, there may be users of virtual machines or containers who exploit the vulnerabilities to elevate their privileges, resulting in virtual machine escapes or container escapes	E	self, source(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T233	Service.5G.PCF	Data forging	Inadequate policies in the management and protection of critical configuration data can lead to unpredictable system behavior and unauthorized access to critical platforms, impacting the confidentiality and integrity of the network. This threat affects core elements such as SDN, compromised to launch DoS attacks.	D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T234	Service.5G.PCF	Exploitation of software, hardware vulnerabilities	This type of threat allows a malicious user to take advantage of unknown software or hardware defects, i.e., not yet registered to carry out an attack. The example includes the exploitation of known hardware and software defects, such as meltdown, spectre and buffer overflow.	T	self, source(hosts)	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T235	Service.5G.PCF	Compromised supply chain, vendor and service providers	This threat concerns the inclusion by the seller of malicious or defective software. It also considers the implementation of uncontrolled software updates, manipulation of functionality, inclusion of functions to bypass control mechanisms, backdoors, undocumented test functionality.	S,T,R,I,D,E	self	n	n	n	[n,n,n]	f	f	p	[f,f,p]				5	5	5	5	5	5	5	5
T236	Service.5G.PCF	Abuse of remote access to the network	This threat consists of a malicious user who has remote access to critical network components and takes control of a virtual machine to perform other types of attacks.	T	self, source(hosts)	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T237	Service.5G.PCF	Manipulation of hardware and software	Hardware or even software can be modified to compromise the system	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T238	Service.5G.UDM	Exploitation of software, hardware vulnerabilities	This type of threat allows a malicious user to take advantage of unknown software or hardware defects, i.e., not yet registered to carry out an attack. The example includes the exploitation of known hardware and software defects, such as meltdown, spectre and buffer overflow.	T	self, source(hosts)	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T239	Service.5G.UDM	Compromised supply chain, vendor and service providers	This threat concerns the inclusion by the seller of malicious or defective software. It also considers the implementation of uncontrolled software updates, manipulation of functionality, inclusion of functions to bypass control mechanisms, backdoors, undocumented test functionality.	S,T,R,I,D,E	self	n	n	n	[n,n,n]	f	f	p	[f,f,p]				5	5	5	5	5	5	5	5
T24	HW.Chassis	Message/Command forgery	the attacker can create multiple virtual identities for transmitting fake messages using different forged positions in potential UAVs	S	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T240	Service.5G.UDM	Abuse of remote access to the network	This threat consists of a malicious user who has remote access to critical network components and takes control of a virtual machine to perform other types of attacks.	T	self, source(hosts)	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T241	Service.5G.UDM	Manipulation of hardware and software	Hardware or even software can be modified to compromise the system	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T242	Service.5G.UDM	Identity fraud / account or service	Injection of messages to perform phishing attacks, fraud.	S	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T243	Service.5G.UDM	Data Leakage	Unauthorized access to sensitive data on the server (UDR, UDSF) profile, etc.)	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T244	Service.5G.UDM	Synchronization failure	If the UDM cannot handle the synchronization failure case during primary authentication, the SQN value stored in the UE and that stored in the UDM will not be synchronized. Hence, the UE will not be able to successfully authenticate with the core network	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T245	Service.5G.UPF	Abuse of virtualization mechanisms	These are threats related to the virtualisation of the IT infrastructure, network and underlying functions.	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T246	Service.5G.UPF	Manipulation of hardware and software	Hardware or even software can be modified to compromise the system	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T247	Service.5G.UPF	Misconfigured or poorly configured system	This threat concerns the inclusion by the seller of malicious or defective software. It also considers the implementation of uncontrolled software updates, manipulation of functionality, inclusion of functions to bypass control mechanisms, backdoors, undocumented test functionality.	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T248	Service.5G.UPF	Inadequate designs and planning or lack of adaption	Obsolete system or network due to lack of management of updates or patches. Threat related to errors due to lack of management of configuration changes or poor network and system architecture design	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T249	Service.5G.UPF	Erroneous use or administration of the network, system and devices	Classified as unintentional damage (mismanagement of devices and systems), errors resulting from a poorly managed and administered network can compromise the confidentiality, integrity and availability of the network.	T,D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T25	HW.Chassis	GPS spoofing	The open nature of the GPS signals enables spoofing attacks and allows the attacker to emit false GPS signals orienting the UAV to a false location	S	self, source(uses)	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T250	Service.5G.UPF	Resouce Exhaustion	An attempt is made to make a network resource unavailable to the users for whom it is intended by temporarily or indefinitely interfering with or interrupting network service. The attack involves the generation of a massive number of requests or with such traffic that the network becomes partially or completely unavailable.	D	self, source(uses)	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T251	Service.5G.UPF	UE IP depletion	Causing IP resource depletion that can be allocated by PGW when injecting Create Session Request that contains random NISIDN into the user data and transmitting the request.	D	target(connects)	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T252	Service.5G.UPF	Eavesdropping	f the user traffic transported over the interfaces is not confidentiality protected, it can be subject to eavesdropping. Information is leaked to unauthorized parties. If the user traffic is not integrity protected, attackers can tamper with user traffic at will.	I	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T253	Service.5G.UPF	Signalling data - related	No protection or weak protection for signalling data	I	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T254	Service.DB	Read Injection	Execution of an unauthorized Read query	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]	248	66	7 109 110	6	5	5	4	8	2	3	3
T255	Service.DB	Insert Injection	Execution of an unauthorized Insert query	T	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]	248	66	7 109 110	6	6	4	5	3	7	4	4
T256	Service.DB	Update Injection	Execution of an unauthorized Update query	T	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]	248	66	7 109 110	6	6	4	5	4	8	4	4
T257	Service.DB	File Access	Unauthorized access to internal DB files	I	source(hosts),self	p	n	n	[p,n,n]	p	p	p	[p,p,p]	184	185 186	187 533 657	7	5	4	5	9	6	4	5
T258	Service.DB	Read DB Configuration	Unauthorized access to DB configuration data	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]	116 169 224	54 150 292 300 309 312 313 497 529 541 545 569 573 574 575 576 577 580 646	85 149 285 287 290 291 293 294 295 296 297 298 299 301 302 303 304 305 306 307 308 310 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 546 568 581 639 643	6	5	4	5	8	5	3	4
T259	Service.DB	Delete Injection	Execution of an unauthorized Read query	D	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]	248	66	7 109 110	5	7	5	6	3	8	6	4
T26	HW.Chassis	Identity spoofing	The identity spoofing allow the attacker to masquerade as a legitimate user in the UAV network with the spoofing ID of the legitimate user and then he gets the access to all network parameters	S	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T260	Service.DB	Delete DB FIle	Unauthorized deletion of an internal DB file	D	self	p	n	n	[p,n,n]	p	p	n	[p,p,n]	184	185 186	187 533 657	5	7	5	6	4	8	7	5
T261	Service.DB	Deanonymization	Extrapolation of unauthorized data trough computation over acessible data	S,I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				6	6	4	5	8	3	2	3	Non c'è nulla in capec
T262	Service.DB	Change DB	Unauhuthroized change of DBMS configuration	E	self	n	n	n	[n,n,n]	f	f	n	[f,f,n]	184	185 186	187 533 657	4	6	5	6	4	9	4	5
T263	Service.DB	Unauthorized remote	Unauthorized remote access to the DBMS	S	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]	112 114 115 122 151 233 560	1 17 20 30 49 68 69 89 98 194 195 473 555 600 629	16 55 70 120 163 164 206 236 263 275 459 474 475 476 477 479 485 543 544 562 565 598 633 642 656	7	6	5	4	8	5	4	3
T264	Service.DB	Remote DoS	Made the DBMS unaccessible to remote clients	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]	25 125 130 607	231 482 486 487 489 490 494 495 496 547 582 603	96 201 229 583 584 585 589 590	5	7	5	6	2	3	9	3
T265	Service.DB	Local DoS	Made the DBMS unaccessible to local clients	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]	25 125 130 227	231 482 486 487 489 490 494 495 496	201 229	5	7	4	5	2	3	8	3
T266	Service.DB	Data DoS	Made the DBMS impossible to access to data in DBs	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				6	6	5	6	3	4	9	4	Non c'è nulla in capec
T267	Service.DB	Crash	Made the DBMS no more in execution	D,I	self	n	n	n	[n,n,n]	n	n	f	[n,n,f]	607	547 582 603	96 583 584 585 589 590	6	6	5	6	3	4	9	4
T268	Service.DB	Code Injection	Execute code through the DBMS and with DBMS user	S,E	source(host)	n	n	n	[n,n,n]	n	f	n	[n,f,n]	248	66	7 108 109 110 470	6	8	5	7	5	9	6	4
T269	Service.MQTTBroker	CommunicationLock	An attacker can make the MQTT communication un-available	D	self,source(uses)	p	n	n	[p,n,n]	n	n	f	[n,n,f]	125 130 176 184 227 607	75 185 186 203 230 231 469 482 486 487 488 489 490 492 493 494 495 496 528 536 547 578 582 603	96 147 187 197 201 229 491 533 583 584 585 589 590 657	5	5	5	5	5	5	5	5
T27	HW.Chassis	Malware Compromission	e is a virus, which, once installed on the UAV, it enables the attacker to take control of the UAV	D,I,T	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T270	Service.MQTTBroker	Eavesdropping (Global)	An adversary retrieve data accessing communication among multiple assets communicating through MQT	I	source(uses),self	n	n	n	[n,n,n]	f	n	n	[f,n,n]	117 176 184	75 157 185 186 203 536 578	65 158 187 533 657	5	5	5	5	5	5	5	5
T271	Service.MQTTBroker	Action Spoofing	An attacker can access to reserved topic, to publish or receive messages.	S	self, source(uses)	p	n	n	[p,n,n]	f	f	n	[f,f,n]	22 112 114 115 122 148 151 176 184 233 560	1 20 39 49 75 77 90 180 185 186 194 195 202 203 207 473 536 555 578 600 629	13 16 55 70 162 187 459 474 475 476 477 479 485 533 565 587 599 633 657	5	5	5	5	5	5	5	5
T272	Service.MQTTBroker	Message Tampering	An adversary intercept and modify the packets’ content sent using the asset	T	self, source(uses)	p	n	n	[p,n,n]	p	n	n	[p,n,n]	94 176 184 216 272	12 75 185 186 203 217 220 276 277 384 536 578	187 385 389 533 657	5	5	5	5	5	5	5	5
T273	Service.MQTTBroker	Data Leakage	An adversary can access to local data of the asset	I	source(uses),self	p	n	n	[p,n,n,]	f	n	n	[f,n,n]	116 169 176 184 224	54 75 150 185 186 203 292 300 309 536 541 545 569 578	143 144 187 285 287 294 295 296 297 298 299 301 302 303 304 305 306 307 308 310 533 657	5	5	5	5	5	5	5	5
T274	Virtual.VM	VM Manipulation	Attackers would manipulate the VM and potentially extend the attack to other VMs. This threat category includes Buffer overflow, DOS, ARP, Hypervisor, and vswitch threa	S,I,D	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	161 165 176 438 439	73 75 141 166 203 268 271 444 447 481 523 524 536 571 572 578 635 636	443 445 446 511 516 520 532 537 538 539	5	6	5	5	7	7	6	4
T275	Virtual.VM	Improper Configuration	The attacker exploits vulnerabilities caused by the main poor design of hypervisors and improper configuration and injects malicious software to virtual memory and control VM. This threat category includes the malformed packet attacks to hypervisors	S,T,D	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]	122 129	180	679 681	6	5	5	4	8	6	5	4
T276	Virtual.VM	Improper Network Isolation	Attack from host applications communicating with VMs. This includes attacks that exploit vulnerabilities caused by improper network isolation and improper configuration to application privileges of the host machine	S,E	self, target(connects)	n	n	n	[n,n,n]	p	n	n	[p,n,n]	161 192 216 594	12 97 217 481 595	81 93 142 463 596	5	6	5	6	9	7	7	4
T277	Virtual.VM	Data Breach	A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorised lo do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.	I	self, target(hosts)	n	n	n	[n,n,n]	,	,	]	p,n,n]	117 122	1 54 157 180 651	58 65 127 158 177 261 508 650 680	8	7	6	5	9	8	6	5
T278	Virtual.VM	Crash	An Adversary is able to stop with a failure the full VM, causing, eventually, a lost of data.	D	self, target(hosts)	n	n	n	[n,n,n]	n	p	f	[n,p,f]				6	6	5	6	3	4	9	4	Non c'è nulla in capec
T279	Virtual.VM	Authentication Abuse	An Adversy is able to access the VM abusing the authentication system.	S	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	112 560	20 49 555 600 652 653	16 55 70 509 561 565 644 645	6	6	5	5	8	7	5	6
T28	HW.Chassis	Eavesdropping	The eavesdropping is specified as unauthorized real-time interception of UAV communication allowing an attacker to detect all the commands sent from the GCS to the UAV.	S,I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T280	Virtual.VM	Authorization Abuse	An adversary is able to circumvent the authorization controls accessing data and services that should be not accessible to him.	S	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	117 122	1 17 180 503	221 263 562 563 642 650	6	6	5	5	8	7	6	5
T281	Virtual.VM	Elevation of privileges	An Adversary is able to change its privileges in access to the system services and data	E	self, target(hosts)	n	n	n	[n,n,n]	f	f	n	[f,f,n]	233	30 68 69 104 234	206 236	5	6	5	6	7	9	5	5
T282	Virtual.VM	Excessive Resource Consuption	An Adversary is able to enahnce the amount of resources consumed by the VM	D	self, target(hosts)	p	p	n	[p,p,n]	,	,	]	n,n,p]	125 130	230 231 482 486 487 488 489 490 492 493 494 495 496 528		5	6	5	6	3	4	9	4
T283	Virtual.VM	Account Hijacking	In account hijacking, a hacker uses a compromised account to impersonate the account owner. Typically, account hijacking is carried out through social engineering, phishing, sending spoofed emails to the user, password guessing or a number of other hacking tactics. In many cases, the outcome of an account hijacking is the hacker will have full system access and the ability to laterally access other systems on the target user network. The effective breach scope may expand to other services, such as financial and social networks, due to password re-use across services.	S	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	560	555 600 652 653	509 561 644 645	6	7	5	5	8	8	6	6
T284	Virtual.VM	Advanced Persistent Threats (APTs)	An advanced persistent threat (APT) is a system attack in which an unauthorized actor gains access to the infrastructure and remains undetected. The intention of an APT attack is to locate and steal data and evade detection, rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defence, manufacturing, infrastructure, medical, scientific, and the financial industry.	S	self, target(hosts)	,	,	]	n,n,n]	p	p	n	[p,p,n]	212 549 554	542 682	550 551 552 556 558 564 579 698	7	6	8	6	9	9	7	6
T285	Virtual.VM	Denial of Service	Some of thee services and functionalities of the VM are no more available	D	self, target(hosts)	p	p	n	[p,p,n]	n	n	p	[n,n,p]	125	482 486 487 488 489 490 528	147	5	7	6	6	2	4	9	4
T286	Virtual.VM	Data Deletion	Deleting data or metadata is an extreme DoS attack but also one that is easily detectable and possibly recoverable given versioning or backups in time or space. If the deleted data is unrecoverable, the cost may range from insignificant to incalculable. Deleting system and network logs is commonly used by attackers to cover their attack traces.	D	self, target(hosts)	n	n	n	[n,n,n]	n	p	p	[n,p,p]	122	1 17 180	177 562 563 642 679 680	5	7	6	6	6	9	6	4
T287	Virtual.VM	Unauthorized Code Execution	An adversary is able to execute codes and/or commands wihtout having an explicit authorization to do this (e.g. code injection, ..)	S,E	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	26 154 184 441 549	29 159 185 186 442 452 456 542	27 38 132 187 448 457 458 471 533 550 551 552 556 558 564 579 638 641 657	6	8	6	6	7	9	6	5
T288	Virtual.VM	Scanning	An advserary is able to undestand your (mostly public) configuration	I	self, target(hosts)	p	p	n	[p,p,n]	n	n	n	[n,n,n]	169 224	292 300 309 312 313 497 529 573 574 575 576 577 580 646	85 149 285 287 290 291 293 294 295 296 297 298 299 301 302 303 304 305 306 307 308 317 318 319 320 321 322 323 324 326 327 328 329 330 331 332 581 612 613 618 619 643	6	5	5	5	6	4	4	4
T289	Service.Web	Resource Exhaustion	Made (authorized) requests in order to exhaust the thread/process pool of the web server	D	source(hosts),self	n	n	n	[n,n,n]	n	n	p	[n,n,p]	125 130 131 227 607	230 231 469 482 486 487 488 489 490 492 493 494 495 496 547 582 603	96 147 197 221 229 491 585 589 590	5	6	5	6	3	4	9	4	Omessi: 583, 584
T29	HW.Chassis	Falsifying signals	sending fake signals to prohibit the UAV to check the authenticity of the received signals and to oblige it responding to the fake signals	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T290	Service.Web	Injection	Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.	S,E	self,source(uses)	n	n	n	[n,n,n]	n	p	n	[n,p,n]	28 137 153 175 184 242 248	6 15 19 23 63 66 88 126 128 134 136 182 183 185 186 250 251 253 267 468 676	3 4 7 41 43 44 52 53 64 71 76 78 79 80 83 84 92 101 108 109 110 120 139 174 178 187 193 215 228 252 460 470 500 533 588 591 592 597 657	6	7	6	6	8	9	6	5
T291	Service.Web	Sensitive Data Exposure	Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.	I	source(hosts),self	n	n	n	[n,n,n]	p	n	n	[p,n,n]	28 116 117 153 169 188 224	54 126 128 150 157 167 189 267 292 300 309 312 313 497 529 541 545 569 573 574 575 576 577 580 646 651	3 4 31 43 52 53 57 64 65 71 72 76 78 79 80 85 92 95 120 127 139 143 144 149 158 170 215 261 285 287 290 291 293 294 295 296 297 298 299 301 302 303 305 306 307 308 310 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 462 472 508 546 581 597 612 613 618 619 621 639 643	8	6	6	5	9	7	5	5
T292	Service.Web	Broken Authentication	Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently	S	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]	21 112 114 115 151 560	20 49 62 87 89 90 98 194 195 196 207 461 473 510 555 593 600 629	16 55 59 60 61 70 102 163 164 226 275 459 467 474 475 476 477 479 485 543 544 565 587 598 633 656	6	6	5	5	8	7	6	5
T293	Service.Web	Broken Access Control	Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc	E	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]	21 22 117 122 233	1 17 30 39 62 68 69 77 104 180 196 202 207 503 510 593	13 31 58 59 60 61 102 107 162 200 206 208 221 226 236 263 467 562 563 642 650	6	6	5	5	8	8	6	5
T294	Service.Web	Insecure Deserialization	Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.	S,I,E	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]	272	90 220 276 277 278	33 34 105 201 221 273 274 279	5	7	5	6	7	9	6	5
T295	Service.Web	Functionality Misuse	An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact.	S,T,I	self, source(uses), source(hosts)	n	n	n	[n,n,n]	p	p	p	[p,p,p]	74 212	2 48 50 111 140 620		5	5	5	5	6	6	5	4
T296	Service.Web	Web Communication Channel Manipualtion	The Web (HTTP based) communication channels is under control (and/or modified) ny an adversary	S	self, source(uses)	n	n	n	[n,n,n]	f	f	f	[f,f,f]	94 148 216	2 217 219 384 386 466	145 218 385 387 388 389	6	6	5	5	7	8	6	4
T297	Service.Web	System Manipulation	An adversary is able to apply a change in the confoguration of he Web Server	S,E	self,source(hosts)	n	n	n	[n,n,n]	f	f	f	[f,f,f]	161 176	75 141 166 203 268 271 481 536 571 578	51 81 93 142 146	6	6	5	6	8	8	7	5
T298	Service.NoSQLDB	Read Injection	Execution of an unauthorized Read query	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]	248	676		5	6	4	5	7	8	6	4
T299	Service.NoSQLDB	Insert Injection	Execution of an unauthorized Insert query	T	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]	248	676		8	7	6	5	9	8	6	5
T3	Device.MEC	Abuse of edge open application programming interfaces (APIs)	The need for open APIs in MEC is mainly to provide support for federated services and interactions with different providers and content creators. This threat can be associated with DoS, man-in-the-middle, malicious mode problems, privacy leakages.	S	self,target(hosts)	n	n	n	[n,n,n]	f	n	f	[f,n,f]				5	5	5	5	5	5	5	5
T30	HW.Chassis	Battery Hexaustion	A malicious node performing a DoS attack attempts to deplete energy	D	self	n	n	n	[n,n,n]	n	n	f	[n,n,f]				5	5	5	5	5	5	5	5
T300	Service.NoSQLDB	Update Injection	Execution of an unauthorized Update query	T	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]	248	676		6	6	5	6	3	4	9	4
T301	Service.NoSQLDB	File Access	Unauthorized access to internal DB files	I	source(hosts),self	p	n	n	[p,n,n]	p	p	p	[p,p,p]	184	185 186	187 533 657	6	6	5	5	8	7	5	6
T302	Service.NoSQLDB	Read DB Configuration	Unauthorized access to DB configuration data	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]	116 169 224	54 150 292 300 309 312 313 497 529 541 545 569 573 574 575 576 577 580 646	85 149 285 287 290 291 293 294 295 296 297 298 299 301 302 303 304 305 306 307 308 310 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 546 568 581 639 643	6	6	5	5	8	7	6	5
T303	Service.NoSQLDB	Delete Injection	Execution of an unauthorized Read query	D	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]	248	676		5	6	5	6	7	9	5	5
T304	Service.NoSQLDB	Delete DB FIle	Unauthorized deletion of an internal DB file	D	self	p	n	n	[p,n,n]	p	p	n	[p,p,n]	184	185 186	187 533 657	6	7	5	5	8	8	6	6
T305	Service.NoSQLDB	Deanonymization	Extrapolation of unauthorized data trough computation over acessible data	S,I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				7	6	8	6	9	9	7	6	Non c'è nulla in capec
T306	Service.NoSQLDB	Change DB	Unauhuthroized change of DBMS configuration	E	self	n	n	n	[n,n,n]	f	f	n	[f,f,n]	184	185 186	187 533 657	5	7	6	6	6	9	6	4
T307	Service.NOSQLDB	Unauthorized remote	Unauthorized remote access to the DBMS	S	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]	112 114 115 122 151 233 560	1 17 20 30 49 68 69 89 98 194 195 473 555 600 629	16 55 70 120 163 164 206 236 263 275 459 474 475 476 477 479 485 543 544 562 565 598 633 642 656	6	8	6	6	7	9	6	5
T308	Service.NOSQLDB	Remote DoS	Made the DBMS unaccessible to remote clients	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]	25 125 130 607	231 482 486 487 489 490 494 495 496 547 582 603	96 201 229 583 584 585 589 590	6	5	5	5	6	4	4	4
T309	Service.NOSQLDB	Local DoS	Made the DBMS unaccessible to local clients	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]	25 125 130 227	231 482 486 487 489 490 494 495 496	201 229	5	5	5	5	5	5	5	5
T31	HW.Chassis	Deauthentication	When attacker is trying to gain control of the drone, they could potentially de-authenticate the pilot from their drone connection	S,T,D	self, source(uses)	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T310	Service.NOSQLDB	Data DoS	Made the DBMS impossible to access to data in DBs	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5	Non c'è nulla in capec
T311	Service.NOSQLDB	Crash	Made the DBMS no more in execution	D,I	self	n	n	n	[n,n,n]	n	n	f	[n,n,f]	607	547 582 603	96 583 584 585 589 590	5	5	5	5	5	5	5	5
T312	Service.NOSQLDB	Code Injection	Execute code through the DBMS and with DBMS user	S,E	source(host)	n	n	n	[n,n,n]	n	f	n	[n,f,n]	248	676		5	5	5	5	5	5	5	5
T313	Device.MEC	Node Replication	An adversary inject a new malicious edge node to the network and assign it an ID number that is a replica of existing authorized node. Attackers will be able to corrupt, steal, or misdirect data packets arriving at the malicious replica. In addition, node replicas can also even revoke legitimate EC nodes by implementing node-revocation protocols	S	self	n	n	n	[n,n,n]	f	p	n	[f,p,n]				5	5	5	5	5	5	5	5
T314	Device.MEC	Tampering/Physical Access	Attackers can physically access edge nodes, tamper the circuit can lead the system into improper working conditions	T,D,I	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T315	Device.MEC	Inessential Logging Attacks	If log files are not encrypted, this type of attacks can lead to damage in edge systems. Therefore, system and infrastructure developers must log events, such as application errors and attempts of unsuccessful/successful authorization/authentication	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T316	Device.MEC	Location exposure	The edge paradigm entrust local computations to constrained devices and local servers. This offers to the attackers a clear indication of the location of the devices to be targeted to break the system. Indeed, an attacker could target the portion of the network closer to the physical location of the target to achieve its objective	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T317	Device.MEC	Snooping on Buffered Information	An edge node stores lots of information in volatile memory as non volatile memory such as hard disk for short period of time. These buffered information could hold sensitive information of a client device. Adversaries can look into these buffer systems	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T318	Device.MEC	Memory Accusation	After finishing a particular process, the edge system unallocated the memory from particular client device. Until this unallocated memory assigned to some other client, this memory portion holds the previous data. An attacker can take advantage of this window and can steal information from this deallocated memory by using any kind of memory accusation tools	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T319	Device.MEC	Memory Tampering	An attacker can acquire memory and read information from it using any kind of memory accusation tool. With proper security privilege they can access storage memory blocks and tamper the stored data.	I	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T32	HW.Chassis	Unauthorized access	A malicious user can connect to the drone directly and access resources	E	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T320	Device.MEC	Physical Destruction	An edge node can be physically damaged by the adversaries	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T321	Device.MEC	Hardware Based Attack	An attacker can easily attach a USB stick and install malicious software. Also, an attacker can connect to edge node directly connecting it via its own terminal at the location. Even if the edge node does not have any terminal, attackers can attach its own device to it and launch attack.	E,D	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]				5	5	5	5	5	5	5	5
T322	SystemLayer.Firmware	Firmware Tampering	An attacker can inject malicious code, alter existing code, or introduce backdoors into the firmware. This can lead to a range of harmful outcomes, such as disabling security features, gaining persistent access to the device, or even bricking the device, rendering it inoperable.	T	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T323	SystemLayer.Firmware	Firmware Data Leakage	Through firmware vulnerabilities or intentional backdoors, sensitive data leaks to unauthorized parties, leading to severe privacy and security breaches.	R, I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T324	SystemLayer.Firmware	Malicious Code Injection	An attacker can inject malicious code into the firmware, which can persist through system reboots, creating a persistent threat that is hard to detect and remove.	T, E	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T325	SystemLayer.Firmware	Firmware Bugs	A bug in the firmware can be exploited by the attacker, who can gain unauthorized access or control over the firmware, bypassing all security measures.	E	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T326	SystemLayer.Firmware	Unauthorized Modifications	An attacker gains access to the firmware and modifies it to disable key security features, introduce backdoors, or change the behavior of the device in dangerous ways.	T, I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T327	SystemLayer.Firmware	Boot Process Vulnerabilites	A vulnerability in the boot process allows an attacker to execute arbitrary code during system startup, even before security measures like Secure Boot can take effect.	T, D	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T328	SystemLayer.Firmware	Firmware Rootkits	An attacker embeds a rootkit in the firmware, which hides its presence from traditional security software, making it particularly insidious and hard to detect.	I, D	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T329	SystemLayer.Firmware	Supply Chain Attacks	During manufacturing or distribution, an attacker compromises the firmware, leading to widespread vulnerabilities across many devices once they reach end users.	T, I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T33	HW.Chassis	Sensors compromission	A malevolent operator cloud use sensitive data handled by the sensors to jeoparsize the flight operation	T,I	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T330	SystemLayer.Firmware	Privilege Escalation	An attacker can exploit firmware vulnerabilities to gain higher-level permissions, bypassing security controls and gaining full access to the device.	E	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T331	SystemLayer.Firmware	Denial of Service	An attacker can exploit firmware vulnerabilities to launch DoS attacks, disrupting the normal functioning of the device and making it unavailable to legitimate users.	D	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T332	SystemLayer.Firmware	Backdoor Installation	An attacker can insert backdoors into the firmware, allowing them to maintain persistent access to the device and its data.	T, I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T333	SystemLayer.Firmware	Firmware Downgrade Attacks	An attacker can force the firmware to revert to an older, vulnerable version, bypassing security improvements made in later updates.	T, R	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T334	SystemLayer.Firmware	Scanning	An advserary is able to undestand your (mostly public) configuration	I	self, target(hosts)	p	p	n	[p,p,n]	n	n	n	[n,n,n]	169 224	292 300 309 312 313 497 529 573 574 575 576 577 580 646	85 149 285 287 290 291 293 294 295 296 297 298 299 301 302 303 304 305 306 307 308 317 318 319 320 321 322 323 324 326 327 328 329 330 331 332 581 612 613 618 619 643	5	5	5	5	5	5	5	5
T335	SystemLayer.Firmware	Denial of Service	Some of thee services and functionalities of the VM are no more available	D	self, target(hosts)	p	p	n	[p,p,n]	n	n	p	[n,n,p]	125	482 486 487 488 489 490 528	147	5	5	5	5	5	5	5	5
T336	SystemLayer.Firmware	Data Deletion	Deleting data or metadata is an extreme DoS attack but also one that is easily detectable and possibly recoverable given versioning or backups in time or space. If the deleted data is unrecoverable, the cost may range from insignificant to incalculable. Deleting system and network logs is commonly used by attackers to cover their attack traces.	D	self, target(hosts)	n	n	n	[n,n,n]	n	p	p	[n,p,p]	122	1 17 180	177 562 563 642 679 680	5	5	5	5	5	5	5	5
T337	SystemLayer.Firmware	Unauthorized Code Execution	An adversary is able to execute codes and/or commands wihtout having an explicit authorization to do this (e.g. code injection, ..)	S,E	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	26 154 184 441 549	29 159 185 186 442 452 456 542	27 38 132 187 448 457 458 471 533 550 551 552 556 558 564 579 638 641 657	5	5	5	5	5	5	5	5
T338	SystemLayer.Firmware	Elevation of privileges	An Adversary is able to change its privileges in access to the system services and data	E	self, target(hosts)	n	n	n	[n,n,n]	f	f	n	[f,f,n]	233	30 68 69 104 234	206 236	5	5	5	5	5	5	5	5
T339	SystemLayer.Firmware	Poisoning	corruptibility of communication caches and the support data structure, such as routing or naming tables	S,T,D	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]	161	141	142	5	5	5	5	5	5	5	5
T34	HW.Chassis	GNSS Spoofing	The adversary sends a forged global navigational satellite system (GNSS) signals to the drone, and so force it in the wrong direction.	T	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T340	SystemLayer.Firmware	Data Breach	A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorised to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.	I	self, target(hosts)	n	n	n	[n,n,n]	p	n	n	[p,n,n]	117 122	1 54 157 180 651	58 65 127 158 177 261 508 650 680	5	5	5	5	5	5	5	5
T341	HW.Microcontroller	Code Injection	Attackers can inject malicious code into the microcontroller, compromising its functionality and potentially gaining unauthorized access.	T, E	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T342	HW.Microcontroller	Firmware Corruption	Malicious alterations to the firmware can disrupt the microcontroller's normal operations, leading to unpredictable behavior and potential system failures.	T	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T343	HW.Microcontroller	Unauthorized Access	Attackers exploit vulnerabilities to gain access to the microcontroller without proper authentication, potentially leading to unauthorized control over the device.	S	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T344	HW.Microcontroller	Information Leakage	Vulnerabilities within the microcontroller may be exploited to extract sensitive data, which can then be used for malicious purposes.	I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T345	HW.Microcontroller	Denial of Service	By exploiting certain vulnerabilities, attackers can render the microcontroller non-functional, preventing legitimate users from accessing its services.	D	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T346	HW.Microcontroller	Side-Channel Attacks	These attacks utilize physical characteristics, such as power consumption or electromagnetic emissions, to derive confidential information from the microcontroller.	I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T347	HW.Microcontroller	Firmware Downgrade Attacks	Attackers may force the microcontroller to revert to an outdated and vulnerable firmware version, thereby circumventing security enhancements implemented in later versions.	T, R	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T348	HW.Microcontroller	Physical Access Attacks	With physical access, attackers can directly manipulate or replace the microcontroller's firmware or hardware components, leading to severe security breaches.	T, E	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T349	HW.Microcontroller	Malicious Firmware Updates	Unverified or unauthorized firmware updates can introduce malicious code into the microcontroller, compromising its security and functionality.	T, I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T35	HW.Chassis	GCSS Spoofing	The third party sends false ground control signals (GCSs) to the drone to direct it to a specified place.	T	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T350	HW.Microcontroller	Fault Injection Attacks	By inducing faults, attackers can manipulate the microcontroller's behavior to extract sensitive information or cause it to malfunction.	T, D	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T351	HW.Microcontroller	Replay Attacks	Attackers capture and replay legitimate communications to the microcontroller, potentially resulting in unauthorized actions being performed.	R	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T352	HW.Microcontroller	Microcontroller Cloning	By replicating a legitimate microcontroller, attackers can bypass security mechanisms and create counterfeit devices that can be used maliciously.	S, I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T353	HW.Microcontroller	Supply Chain Attacks	Compromised microcontrollers may be introduced during manufacturing or distribution, leading to widespread vulnerabilities once these devices are deployed.	T, I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T354	HW.Microcontroller	Privilege Escalation	Attackers exploit vulnerabilities to elevate their privileges within the microcontroller, gaining unauthorized access to higher-level functions and data.	E	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T355	HW.SOC	Hardware Trojan	An attacker can introduce malicious modifications to the hardware components of the SOC during manufacturing or supply chain processes.	T	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T356	HW.SOC	Side-Channel Attacks	These attacks exploit physical leakages, such as power consumption or electromagnetic emissions, to extract sensitive information from the SOC.	I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T357	HW.SOC	Fault Injection Attacks	An attacker can induce faults in the SOC to disrupt its normal operation and extract sensitive information.	T, D	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T358	HW.SOC	Physical Tampering	Attackers with physical access can directly manipulate or replace the SOC's hardware components, leading to severe security breaches.	T, E	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T359	HW.SOC	Supply Chain Attacks	An attacker can compromise the SOC during the manufacturing or distribution process, leading to widespread vulnerabilities.	T, I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T36	HW.Chassis	Sensors data leakage	Third-party can easily access the information on sensors	I	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T360	HW.SOC	Privilege Escalation	Attackers exploit vulnerabilities to gain higher-level permissions on the SOC, bypassing security controls.	E	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T361	HW.SOC	Cache Attacks	An attacker can exploit vulnerabilities in the cache memory of the SOC to extract sensitive information.	I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T362	HW.SOC	Timing Attacks	By analyzing the time taken by the SOC to perform certain operations, sensitive information can be inferred.	I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T363	HW.SOC	Reverse Engineering	Examining the SOC to understand its design and functionality, which may lead to the discovery of exploitable vulnerabilities.	I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T364	HW.SOC	Microarchitectural Attacks	Weaknesses in the microarchitecture can be targeted to gain unauthorized access or extract confidential information.	I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T365	HW.SOC	Network-on-Chip Attacks	Exploiting vulnerabilities in the on-chip communication network to intercept or alter data.	I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T366	HW.SOC	Non-Volatile Memory Attacks	Vulnerabilities in the non-volatile memory components of the SOC can be used to extract or modify data.	I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T367	HW.SOC	Hardware Based Malware	Malicious code embedded in the hardware components of the SOC can be activated to perform unauthorized actions.	T, I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T368	HW.SOC	Malformed firmware Injection	An attacker can inject malicous code into a modified firmware and insert it into the SOC, in order to compromise its security and functionality	T, I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T369	HW.SOC	Firmware Exfiltration	An attacker can extract firmware from the SOC, gaining access to sensitive code and data which can be used for further attacks or reverse engineering.	I	self	None	None	None	None	None	None	None	None			458	5	5	5	5	5	5	5	5
T37	HW.Chassis	Code/Command Injection	An attacker can inject code to disrupt UAV functions.	S,E	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T370	HW.SOC	Firmware Bricking	Malicious actions or firmware flaws can render the device inoperable, a condition known as 'bricking,' which can be very difficult to recover from.	T, D	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T371	HW.SOC	Unauthorized Firmware Updates	An attacker can perform unauthorized firmware updates, potentially introducing malicious code or backdoors into the system.	T, I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T372	HW.SOC	Side-Channel Attacks	These attacks exploit information gained from the physical implementation of the device, such as timing or power consumption, to extract sensitive information.	I	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T373	HW.SOC	Physical Access Attacks	Attackers with physical access to the device can directly manipulate or replace the firmware, leading to severe security breaches.	T, E	self	None	None	None	None	None	None	None	None				5	5	5	5	5	5	5	5
T374	HW.SOC	Excessive Resource Consuption	An Adversary is able to enahnce the amount of resources consumed by the SOC.	D	self, target(hosts)	p	p	n	[p,p,n]	,	,	]	n,n,p]	125 130	230 231 482 486 487 488 489 490 492 493 494 495 496 528		5	5	5	5	5	5	5	5
T375	Service.Browser	Session Fixation	An attacker can fixate a session ID, tricking the user into using a known session ID, enabling session hijacking.	T, I	None	None	None	None	None	None	None	None	None	21	593	61	5	5	5	5	5	5	5	5
T376	Service.Browser	Session Sidejacking	Intercepting and using session cookies to gain unauthorized access to the user's session.	I	None	None	None	None	None	None	None	None	None	21	593	102	5	5	5	5	5	5	5	5
T377	Service.Browser	Reusing Session Ids	An attacker can reuse previously captured session IDs to gain unauthorized access to the user's session.	I	None	None	None	None	None	None	None	None	None	21	593	60	5	5	5	5	5	5	5	5
T378	Service.Browser	Man-in-the-Middle Attack	Intercepting communication between the user and the server to hijack the session and gain unauthorized access.	T, I	None	None	None	None	None	None	None	None	None	21	593		5	5	5	5	5	5	5	5
T379	Service.Browser	Cross-Site Scripting	Injecting malicious scripts into web pages viewed by other users, allowing for session hijacking.	T, I	None	None	None	None	None	None	None	None	None	21	593		5	5	5	5	5	5	5	5
T38	HW.Chassis	Installing Fake Firmware	A malicious user can manipulate the firmware on the UAV and compromise both UAV and GCS	S	self, source(uses)	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T380	Service.Browser	Phishing Attack	An attacker tricks the user into providing session credentials, which can then be used to hijack the session.	T, I	None	None	None	None	None	None	None	None	None	21	593		5	5	5	5	5	5	5	5
T381	Service.Browser	Browser Exploits	Exploiting vulnerabilities in the browser to hijack active sessions and gain unauthorized access.	T, I	None	None	None	None	None	None	None	None	None	21	593		5	5	5	5	5	5	5	5
T382	SystemLayer.OS	Poisoning	corruptibility of communication caches and the support data structure, such as routing or naming tables	S,T,D	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]	161	141	142	5	5	5	5	5	5	5	5
T383	SystemLayer.OS	Data Breach	A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorised lo do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.	I	self, target(hosts)	n	n	n	[n,n,n]	,	,	]	p,n,n]	117 122	1 54 157 180 651	58 65 127 158 177 261 508 650 680	5	5	5	5	5	5	5	5
T384	SystemLayer.OS	Crash	An Adversary is able to stop with a failure the full VM, causing, eventually, a lost of data.	D	self, target(hosts)	n	n	n	[n,n,n]	n	p	f	[n,p,f]				5	5	5	5	5	5	5	5	Non c'è nulla in capec
T385	SystemLayer.OS	Authentication Abuse	An Adversy is able to access the OS abusing the authentication system.	S	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	112 560	20 49 555 600 652 653	16 55 70 509 561 565 644 645	5	5	5	5	5	5	5	5
T386	SystemLayer.OS	Authorization Abuse	An adversary is able to circumvent the authorization controls accessing data and services that should be not accessible to him.	S	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	117 122	1 17 180 503	221 263 562 563 642 650	5	5	5	5	5	5	5	5
T387	SystemLayer.OS	Elevation of privileges	An Adversary is able to change its privileges in access to the system services and data	E	self, target(hosts)	n	n	n	[n,n,n]	f	f	n	[f,f,n]	233	30 68 69 104 234	206 236	5	5	5	5	5	5	5	5
T388	SystemLayer.OS	Account Hijacking	In account hijacking, a hacker uses a compromised account to impersonate the account owner. Typically, account hijacking is carried out through social engineering, phishing, sending spoofed emails to the user, password guessing or a number of other hacking tactics. In many cases, the outcome of an account hijacking is the hacker will have full system access and the ability to laterally access other systems on the target user network. The effective breach scope may expand to other services, such as financial and social networks, due to password re-use across services.	S	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	560	555 600 652 653	509 561 644 645	5	5	5	5	5	5	5	5
T389	SystemLayer.OS	Advanced Persistent Threats (APTs)	An advanced persistent threat (APT) is a system attack in which an unauthorized actor gains access to the infrastructure and remains undetected. The intention of an APT attack is to locate and steal data and evade detection, rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defence, manufacturing, infrastructure, medical, scientific, and the financial industry.	S	self, target(hosts)	,	,	]	n,n,n]	p	p	n	[p,p,n]	212 549 554	542 682	550 551 552 556 558 564 579 698	5	5	5	5	5	5	5	5
T39	HW.Chassis	Malicious GCS	The malicious GCS could eavesdrop on telemetry data or intercept the C2 channel to take control over a UAV	S	self	n	n	n	[n,n,n]	f	p	p	[f,p,p]				5	5	5	5	5	5	5	5
T390	SystemLayer.OS	Data Deletion	Deleting data or metadata is an extreme DoS attack but also one that is easily detectable and possibly recoverable given versioning or backups in time or space. If the deleted data is unrecoverable, the cost may range from insignificant to incalculable. Deleting system and network logs is commonly used by attackers to cover their attack traces.	D	self, target(hosts)	n	n	n	[n,n,n]	n	p	p	[n,p,p]	122	1 17 180	177 562 563 642 679 680	5	5	5	5	5	5	5	5
T391	SystemLayer.OS	Unauthorized Code Execution	An adversary is able to execute codes and/or commands wihtout having an explicit authorization to do this (e.g. code injection, ..)	S,E	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	26 154 184 441 549	29 159 185 186 442 452 456 542	27 38 132 187 448 457 458 471 533 550 551 552 556 558 564 579 638 641 657	5	5	5	5	5	5	5	5
T392	SystemLayer.OS	Scanning	An advserary is able to undestand your (mostly public) configuration	I	self, target(hosts)	p	p	n	[p,p,n]	n	n	n	[n,n,n]	169 224	292 300 309 312 313 497 529 573 574 575 576 577 580 646	85 149 285 287 290 291 293 294 295 296 297 298 299 301 302 303 304 305 306 307 308 317 318 319 320 321 322 323 324 326 327 328 329 330 331 332 581 612 613 618 619 643	5	5	5	5	5	5	5	5
T393	Virtual.Container	VM Manipulation	Attackers would manipulate the VM and potentially extend the attack to other VMs. This threat category includes Buffer overflow, DOS, ARP, Hypervisor, and vswitch threa	S,I,D	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	161 165 176 438 439	73 75 141 166 203 268 271 444 447 481 523 524 536 571 572 578 635 636	443 445 446 511 516 520 532 537 538 539	5	6	5	5	7	7	6	4
T394	Virtual.Container	Improper Configuration	The attacker exploits vulnerabilities caused by the main poor design of hypervisors and improper configuration and injects malicious software to virtual memory and control VM. This threat category includes the malformed packet attacks to hypervisors	S,T,D	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]	122 129	180	679 681	6	5	5	4	8	6	5	4
T395	Virtual.Container	Improper Network Isolation	Attack from host applications communicating with VMs. This includes attacks that exploit vulnerabilities caused by improper network isolation and improper configuration to application privileges of the host machine	S,E	self, target(connects)	n	n	n	[n,n,n]	p	n	n	[p,n,n]	161 192 216 594	12 97 217 481 595	81 93 142 463 596	5	6	5	6	9	7	7	4
T396	Virtual.Container	Data Breach	A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorised lo do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.	I	self, target(hosts)	n	n	n	[n,n,n]	,	,	]	p,n,n]	117 122	1 54 157 180 651	58 65 127 158 177 261 508 650 680	8	7	6	5	9	8	6	5
T397	Virtual.Container	Crash	An Adversary is able to stop with a failure the full VM, causing, eventually, a lost of data.	D	self, target(hosts)	n	n	n	[n,n,n]	n	p	f	[n,p,f]				6	6	5	6	3	4	9	4	Non c'è nulla in capec
T398	Virtual.Container	Authentication Abuse	An Adversy is able to access the VM abusing the authentication system.	S	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	112 560	20 49 555 600 652 653	16 55 70 509 561 565 644 645	6	6	5	5	8	7	5	6
T399	Virtual.Container	Authorization Abuse	An adversary is able to circumvent the authorization controls accessing data and services that should be not accessible to him.	S	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	117 122	1 17 180 503	221 263 562 563 642 650	6	6	5	5	8	7	6	5
T4	Device.MEC	Compromised supply chain, vendor and service providers	Threat from third parties’ personnel accessing Mobile Network Operator’s facilities.	S	self	n	n	n	[n,n,n]	f	n	f	[f,n,f]				5	5	5	5	5	5	5	5
T40	HW.Chassis	Spoofing Sworm	The multi-UAV system implements a swarm where UAVs dynamically join and leave the swarm. A malicious UAV could make a spoofing attack and join the swarm	S	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T400	Virtual.Container	Elevation of privileges	An Adversary is able to change its privileges in access to the system services and data	E	self, target(hosts)	n	n	n	[n,n,n]	f	f	n	[f,f,n]	233	30 68 69 104 234	206 236	5	6	5	6	7	9	5	5
T401	Virtual.Container	Excessive Resource Consuption	An Adversary is able to enahnce the amount of resources consumed by the VM	D	self, target(hosts)	p	p	n	[p,p,n]	,	,	]	n,n,p]	125 130	230 231 482 486 487 488 489 490 492 493 494 495 496 528		5	6	5	6	3	4	9	4
T402	Virtual.Container	Account Hijacking	In account hijacking, a hacker uses a compromised account to impersonate the account owner. Typically, account hijacking is carried out through social engineering, phishing, sending spoofed emails to the user, password guessing or a number of other hacking tactics. In many cases, the outcome of an account hijacking is the hacker will have full system access and the ability to laterally access other systems on the target user network. The effective breach scope may expand to other services, such as financial and social networks, due to password re-use across services.	S	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	560	555 600 652 653	509 561 644 645	6	7	5	5	8	8	6	6
T403	Virtual.Container	Advanced Persistent Threats (APTs)	An advanced persistent threat (APT) is a system attack in which an unauthorized actor gains access to the infrastructure and remains undetected. The intention of an APT attack is to locate and steal data and evade detection, rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defence, manufacturing, infrastructure, medical, scientific, and the financial industry.	S	self, target(hosts)	,	,	]	n,n,n]	p	p	n	[p,p,n]	212 549 554	542 682	550 551 552 556 558 564 579 698	7	6	8	6	9	9	7	6
T404	Virtual.Container	Denial of Service	Some of thee services and functionalities of the VM are no more available	D	self, target(hosts)	p	p	n	[p,p,n]	n	n	p	[n,n,p]	125	482 486 487 488 489 490 528	147	5	7	6	6	2	4	9	4
T405	Virtual.Container	Data Deletion	Deleting data or metadata is an extreme DoS attack but also one that is easily detectable and possibly recoverable given versioning or backups in time or space. If the deleted data is unrecoverable, the cost may range from insignificant to incalculable. Deleting system and network logs is commonly used by attackers to cover their attack traces.	D	self, target(hosts)	n	n	n	[n,n,n]	n	p	p	[n,p,p]	122	1 17 180	177 562 563 642 679 680	5	7	6	6	6	9	6	4
T406	Virtual.Container	Unauthorized Code Execution	An adversary is able to execute codes and/or commands wihtout having an explicit authorization to do this (e.g. code injection, ..)	S,E	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	26 154 184 441 549	29 159 185 186 442 452 456 542	27 38 132 187 448 457 458 471 533 550 551 552 556 558 564 579 638 641 657	6	8	6	6	7	9	6	5
T407	Virtual.Container	Scanning	An advserary is able to undestand your (mostly public) configuration	I	self, target(hosts)	p	p	n	[p,p,n]	n	n	n	[n,n,n]	169 224	292 300 309 312 313 497 529 573 574 575 576 577 580 646	85 149 285 287 290 291 293 294 295 296 297 298 299 301 302 303 304 305 306 307 308 317 318 319 320 321 322 323 324 326 327 328 329 330 331 332 581 612 613 618 619 643	6	5	5	5	6	4	4	4
T41	HW.Chassis	Reverse Enginering	Software on a hijacked UAV can be copied and reverse engineered. This allows an adversary to disclose how the system is being built	I	self, source(uses)	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T42	HW.Chassis	Data Injection	An attacker can inject telemetry data to compromise UAV.	E	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T43	HW.Chassis	Capture	Where the attacker intentions lead to the preservation of the UAV for hardware study, direct reuse, or confidential information retrieval.	D	self, source(uses)	n	n	n	[n,n,n]	n	n	f	[n,n,f]				5	5	5	5	5	5	5	5
T44	HW.Chassis	Damage	The altitude reached by commercial drones, often stated by the local aviation regulations, may be low enough to permit for direct physical interaction, including damages	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T45	HW.Chassis	Hijacking	the attacker can gain access to the network as the first step of a more complex attack;	I	self, source(connects)	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T46	Virtual.VM	Poisoning	corruptibility of communication caches and the support data structure, such as routing or naming tables	S,T,D	self	n	n	n	[n,n,n]	p	p	p	[p,p,p]	161	141	142	5	5	5	5	5	5	5	5
T47	HW.Chassis	Information Replay	It refers to threats related to the reuse of previously recorded pieces of legitimate communications between the endpoints for malicious purposes	S,T	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T48	HW.Chassis	Distortion	Signal Distortion due to increase of the SNR (signal to noise ratio)	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T49	HW.Chassis	Lack of policies	There are not specified rules that can lead to ambiguity or opacity in the role.	I,E	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T5	Device.MEC	Erroneous use or administration of the network, systems and devices	The errors resulting from a poorly maintained and administrated network may compromise the confidentially, integrity and availability of the network.	T	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T50	HW.Chassis	False Topology	The attacker can manipulate the topology of the system and forces some communications	I	self, source(uses), source(connects)	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T51	HW.GCS	Malware Compromission	e is a virus, which, once installed on the UAV, it enables the attacker to take control of the UAV	D,I	self, target(hosts)	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T52	HW.GCS	Eavesdropping	The eavesdropping is specified as unauthorized real-time interception of UAV communication allowing an attacker to detect all the commands sent from the GCS to the UAV.	S, I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T53	HW.GCS	Data Leakage	Planning data can be exposed by the GCS exploiting for example vulnerailities	I	self,target(hosts)	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T54	HW.GCS	Jamming	Jamming specifically refers to intentionally using a transmission blocking signal to disrupt communications between a drone and the pilot	D	self, source(connects)	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T55	HW.GCS	Map Poisoning	Maps can be altered to produce wrong navigation, traffic disturbance, crash.	D,I	target(uses)	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T56	HW.GCS	Authentication Bypass	Commercial UAS offers a software security feature that prevents the connection from GCS to UAV before a successful authentication with the manufacturer server cloud. An attacker can bypass authentication, reversing the firmware and changing the function behaviour.	S, I	self, target(uses)	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T57	HW.GCS	Resource hexaustion	Flooding using many requests and make the server allocate many resources	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T58	HW.GCS	Access Metadata	An attacker can access to Zone Service Provider and obtain metadata	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T59	HW.IOTDevice	Device Substitution	An attacker can adopt a new identity by creating or by stealing the identity of an existing node	D	self	p	n	n	[p,n,n,]	p	p	n	[p,p,n]	94 151	194 195 473	275 459 474 475 476 477 479 485 543 598 633	5	5	5	5	5	5	5	5
T6	Device.MEC	Misconfigured or poorly configured systems/networks	The exploitation of a mis- configured system creates the opportunity for a threat actor to reach critical assets in the network or stage an attack.	T	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]				5	5	5	5	5	5	5	5
T60	HW.IOTDevice	Data Leakage	An adversary can access to local data of the asset	I	self	n	n	n	[n,n,n]	f	f	f	[f,f,f]	28 94 116 117 169 188 192 224	54 97 150 157 167 189 292 300 309 312 313 497 529 541 545 569 573 574 575 576 577 580 646 651	31 37 57 65 85 143 144 149 158 170 190 191 204 215 261 285 287 290 291 293 294 295 296 297 298 299 301 302 303 304 305 306 307 308 310 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 463 472 508 581 608 609 612 613 618 619 621 622 623 634 643	5	5	5	5	5	5	5	5
T61	HW.IOTDevice	Exhaustion of Power	An attacker repeatedly requests packet from sensors to deplete their battery life	D	self	p	n	n	[p,n,n]	n	n	f	[n,n,f]	125 130 227	230 231 469 482 486 487 488 489 490 492 493 494 495 496 528	147 197 201 229 491	5	5	5	5	5	5	5	5
T62	HW.IOTDevice	Device Hijack	An attacker, through various means, gains control or access to the node itself after it has been deployed	S,E	self	n	n	n	[n,n,n]	f	f	f	[f,f,f]	94 113 123 129 148 153 176 184 212 233 272 438 439 440	36 48 75 100 121 126 128 133 160 185 186 203 267 271 401 444 447 522 523 524 534 536 540 578 627	3 4 8 9 10 14 24 42 43 44 45 46 47 51 52 53 64 67 71 72 76 78 79 80 92 120 139 145 146 187 218 256 270 443 445 446 478 511 516 517 518 519 520 521 531 532 533 537 538 539 597 614 628 657	5	5	5	5	5	5	5	5
T63	HW.IOTDevice	Spoofed Routing Information	An attacker can corrupt the internal control information such as the routing table	I	self, source(connects), source(uses), target(uses)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	594 607	547 582 595 601 603	96 559 583 584 585 589 590 596 604 605	5	5	5	5	5	5	5	5
T64	HW.IOTDevice	Resource Exhaustion	An attacker produce an amount of requests such that the assets cannot offer their services anymore	D	self	p	p	n	[p,p,n]	f	f	f	[f,f,f]	125 130 227 594 624	230 231 469 482 486 487 488 489 490 492 493 494 495 496 528 595 625	147 197 221 229 491 596	5	5	5	5	5	5	5	5	Omessi: 607 e figli
T65	HW.IOTDevice	Topology Disclosure	An attacker can exploit forwarding updates between the variuos nodes to know network tolopogy	I	self, source(connects)	n	n	n	[n,n,n]	p	n	n	[p,n,n]	116 117 169	54 150 157 292 300 309 497 529 545 569 573 574 575 576 577 580 646 651	31 57 65 85 143 144 149 158 215 261 285 287 290 291 293 294 295 296 297 298 299 301 302 303 304 305 306 307 308 508 581 609 612 613 618 619 634 643	5	5	5	5	5	5	5	5
T66	HW.IOTDevice	Physical Theft	An adversary steal the physical HW	D	self	n	n	n	[n,n,n]	p	p	f	[p,p,f]	507			5	5	5	5	5	5	5	5
T67	HW.IOTDevice	IoT Obstruction	An adversary obstructs the interactions between system components. By interrupting or disabling these interactions, an adversary can often force the system into a degraded state or cause the system to stop working as intended. This can cause the system components to be unavailable until the obstruction mitigated.	D	self	n	n	n	[n,n,n]	n	n	f	[n,n,f]	607	547 582 601 603	583	5	5	5	5	5	5	5	5	CAPEC 584,585 s Network provocano questo threat su IoTDevice
T68	HW.Server	System Manipulation	An adversary is able to apply a change in the confoguration of the VM	E	self, target(hosts)	n	n	n	[n,n,n]	f	f	f	[f,f,f]	161 165 176 438 440 624	73 75 141 203 268 271 401 444 447 481 524 536 571 572 578 635 636	11 35 51 81 93 142 155 168 270 402 443 445 446 478 511 516 517 518 519 520 521 531 532 537 538 539 649 655	5	5	5	5	5	5	5	5
T69	HW.Server	Data Breach	A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorised lo do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.	I	self, target(hosts)	n	n	n	[n,n,n]	p	n	n	[p,n,n]	390 507	391 395	392 393 394 397 398 399 400 626	5	5	5	5	5	5	5	5
T7	Device.MEC	Snooping on Buffered Information	One of the core objectives of Edge node is to act as an intermediate buffer between the end devices and the cloud. A malicious user can look into buffer systems such as hard disk.	I	self	n	n	n	[n,n,n]	p	n	p	[p,n,p]				5	5	5	5	5	5	5	5
T70	HW.Server	Crash	An Adversary is able to stop with a failure the full VM, causig, eventually, a lost of data.	D	self, target(hosts)	n	n	n	[n,n,n]	n	p	f	[n,p,f]				5	5	5	5	5	5	5	5	Non c'è nulla in capec
T71	HW.Server	Authentication Abuse	An Adversy is able to access the VM abusing the authentication system	S	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	112 560	20 49 555 600 652 653	16 55 70 509 561 565 644 645	5	5	5	5	5	5	5	5
T72	HW.Server	Authorization Abuse	An adversary is able to circumvent the authorization controls accessing data and services that should be not accessible to him	S	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	117 122	1 17 180 503	221 263 562 563 642 650	5	5	5	5	5	5	5	5
T73	HW.Server	Elevation of provileges	An Adversary is able to change its privileges in access to the system services and data	E	self, target(hosts)	p	p	n	[p,p,n]	f	f	n	[f,f,n]	233	30 68 69 104 234	206 236	5	5	5	5	5	5	5	5
T74	HW.Server	Excessive Resource Consuption	An Adversary is able to enahnce the amount of resources consumed by the VM	D	self, target(hosts)	n	n	n	[n,n,n]	n	n	p	[n,n,p]	125 130	230 231 482 486 487 488 489 490 492 493 494 495 496 528	147 197 201 229 491	5	5	5	5	5	5	5	5
T75	HW.Server	Account Hijacking	In account hijacking, a hacker uses a compromised account to impersonate the account owner. Typically, account hijacking is carried out through social engineering, phishing, sending spoofed emails to the user, password guessing or a number of other hacking tactics. In many cases, the outcome of an account hijacking is the hacker will have full system access and the ability to laterally access other systems on the target user network. The effective breach scope may expand to other services, such as financial and social networks, due to password re-use across services.	S	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	560	555 600 652 653	509 561 644 645	5	5	5	5	5	5	5	5
T76	HW.Server	Advanced Persistent Threats (APTs)	An advanced persistent threat (APT) is a system attack in which an unauthorized actor gains access to the infrastructure and remains undetected. The intention of an APT attack is to locate and steal data and evade detection, rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defence, manufacturing, infrastructure, medical, scientific, and the financial industry.	S	self, target(hosts)	n	n	n	[n,n,n]	p	p	n	[p,p,n]	439	523 524		5	5	5	5	5	5	5	5
T77	HW.Server	Resource Exhaustion	Some of the services and functionalities of the VM are no more available	D	self, target(hosts)	p	p	n	[p,p,n]	n	n	p	[n,n,p]	125 130 131 227 607	230 231 469 482 486 487 489 490 492 493 494 495 496 547	197 221 229 491	5	5	5	5	5	5	5	5
T78	HW.Server	Data Deletion	Deleting data or metadata is an extreme DoS attack but also one that is easily detectable and possibly recoverable given versioning or backups in time or space. If the deleted data is unrecoverable, the cost may range from insignificant to incalculable. Deleting system and network logs is commonly used by attackers to cover their attack traces.	D	self, target(hosts)	n	n	n	[n,n,n]	n	p	p	[n,p,p]	440 607 624	401 534 547	530 531 677	5	5	5	5	5	5	5	5
T79	HW.Server	Unauthorized Code Execution	An adversary is able to execute codes and/or commands wihtout having an explicit authorization to do this (e.g. code injection, ..)	S,E	self, target(hosts)	p	p	n	[p,p,n]	p	p	n	[p,p,n]	26 154 184 441 549	29 159 185 186 442 452 456 542	27 38 132 187 448 457 458 471 533 550 551 552 556 558 564 579 638 641 657	5	5	5	5	5	5	5	5
T8	Device.MEC	System Profiling	A malicious user can use the unprotected ports of the nodes.	I	self,source(uses)	n	n	n	[n,n,n]	p	n	p	[p,n,p]				5	5	5	5	5	5	5	5
T80	HW.Server	Scanning	An advserary is able to undestand your (mostly public) configuration	I	self, target(hosts)	n	n	n	[n,n,n]	n	n	n	[n,n,n]	169 224	292 300 309 312 313 497 529 573 574 575 576 577 580 646	85 149 285 287 290 291 293 294 295 296 297 298 299 301 302 303 304 305 306 307 308 317 318 319 320 321 322 323 324 326 327 328 329 330 331 332 581 612 613 618 619 643	5	5	5	5	5	5	5	5
T81	HW.UE	Manipulation of hardware and software	Hardware or even software can be modified to compromise the system	T	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T82	HW.UE	Unauthorized activities	IMSI catching attacks, Brute force, Port knocking	S,T	self	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T83	HW.UE	Failure of the device	Partial or total insufficient functioning of an asset	D	self	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T84	HW.UE	Slice Credentials Sharing	: It is expected that many users accessing a 5G network will access content hosted on mul_x0002_tiple network slices. If the same credentials (e.g., authenticating through the carrier) are used to access multiple slices, there is a risk that if the credentials are compromised (perhaps through a less secure slice), then the attacker will have the credentials to access other slices	S,E	target(connects)	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T85	HW.UE	Authentication Relaxation for services	Each slice is uniquely setup for the needs of its client. In some cases where the need for availability vastly outweighs the need for confi_x0002_dentiality, authentication may be relaxed to improve latency	E	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T86	HW.UE	Location/SS7 leaks	A telephone eavesdropping device used for intercepting mobile phone traffic and tracking location data of mobile phone users	S,I	self,target(connects)	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T87	HW.UE	Phone call and SMS snooping	Unauthorized access to phone and sms data	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T88	HW.UE	Mobile Malware attack	Mobile malware allow attackers to stral the stored personal data on the device or even lauch attacks against other entirties.	T,I	self,target(uses)	p	n	n	[p,n,n]	p	p	p	[p,p,p]				5	5	5	5	5	5	5	5
T89	HW.UE	False Buffer status report	An attacker can exploit the buffer status report of access network components to obtain the information such as packet scheduling, load balancing and admission control algorithms.	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T9	Device.MEC	Sniffing Network Traffic	MEC-based system rely on network communication. An attacker can sniff network channel for exposed data.	I	self	n	n	n	[n,n,n]	p	n	p	[p,n,p]				5	5	5	5	5	5	5	5
T90	HW.UE	Malicious Mobile device substitution	It may no longer be a common smartphone or a primitive IoT device but a hostile supercomputer that can inject dirty data into the network. Some mobile phones can allow remote request to update the device configuration e.g., OMA CP (Open Mobile Alliance Configuration Provisioning) and letting attackers to take over the phone.	S,T,D	self, target(uses)	n	n	n	[n,n,n]	p	n	p	[p,n,p]				5	5	5	5	5	5	5	5
T91	HW.UE	SIM Card Vulnerabilities	Although being a tamper resistant module, a SIM card may still have unknown vulnerabilities that can be exploited to change the configuration of the mobile phone, e.g., change of Access Point Name (APN).	S,E	self	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T92	HW.UE	Mobile data exposure	A lot of mobile applications, even coming from trustworthy stores, can expose user data and compromise the user equipment that is connected to the mobile network.	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T93	HW.UE	Jamming	An attack that attempts to interfere with the reception of broadcast communications.	D	self,target(connects)	n	n	n	[n,n,n]	n	n	p	[n,n,p]				5	5	5	5	5	5	5	5
T94	HW.UE	Eavesdropping	Attackers eavesdrop on sensitive data on control and bearer plane	S	self, source(uses)	n	n	n	[n,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T95	HW.UE	Hardware Manipulation	Compromised UE can communicate with the 5G infrastructure and harm the system.	T,D	target(uses)	n	n	n	[n,n,n]	n	p	n	[n,p,n]				5	5	5	5	5	5	5	5
T96	HW.UE	MITM attack	In the man-in-the-middle (MITM) attack, a temporary scenario is created by an attacker; this allows the interception of the data communication between the UEs over the network to modify the content	S,I	self,target(uses)	p	n	n	[p,n,n]	p	p	n	[p,p,n]				5	5	5	5	5	5	5	5
T97	HW.UE	Privacy Leakage	Curious or illegal edge device owners may leak the information stored in their devices and, in the worst-case scenario, sell them to a third party	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]				5	5	5	5	5	5	5	5
T98	Network	Eavesdropping	An adversary can retrieve valuable data from the transmitted messages that are sent using the asset	I	self	n	n	n	[n,n,n]	p	n	n	[p,n,n]	94 117 154 192	97 157 616	31 57 65 158 615	8	7	5	4	9	2	3	2
T99	Network	Message Elimination	An adversary can simply intercept and eliminate the packets' content meant for the base station or intermediate nodes coming from the asset	D	self	n	n	n	[n,n,n]	n	p	p	[n,p,p]	94			6	6	4	5	2	6	8	3
TID	Asset	Threat	Description	STRIDE	Compromised	PreC	PreI	PreA	PreCondition	PostC	PostI	PostA	PostCondition	Capec Meta	Capec Standard	Capec Detailed	Easy of Discovery	Easy of Exploit	Awareness	Intrusion Detection	Loss of Confidentiality	Loss of Integrity	Loss of Availability	Loss of Accountability	Commento

Threat Catalogue

Threat Catalogue Table

T1

T10

T100

T101

T102

T103

T104

T105

T106

T107

T108

T109

T11

T110

T111

T112

T113

T114

T115

T116

T117

T118

T119

T12

T120

T121

T122

T123

T124

T125

T126

T127

T128

T129

T13

T130

T131

T132

T133

T134

T135

T136

T137

T138

T139

T14

T140

T141

T142

T143

T144

T145

T146

T147

T148

T149

T15

T150

T151

T152

T153

T154

T155

T156

T157

T158

T159

T16

T160

T161

T162

T163

T164

T165

T166

T167

T168

T169