FBS

False Base Station

Security
Introduced in Rel-7
A rogue or malicious base station that impersonates a legitimate network cell to intercept, manipulate, or deny service to user equipment (UE). It is a critical security threat in mobile networks, enabling man-in-the-middle attacks, location tracking, and denial-of-service. 3GPP specifications define detection and mitigation mechanisms to protect against such attacks.

Description

A False Base Station (FBS) is a malicious radio transmitter that masquerades as a legitimate cell belonging to a mobile network operator. It operates by broadcasting synchronization signals and system information identical or similar to those of a genuine base station (e.g., eNB or gNB), typically with a stronger signal to attract nearby User Equipment (UE). Once a UE camps on or connects to the FBS, the attacker gains a privileged position to launch various attacks. The FBS can act as a man-in-the-middle, intercepting uplink and downlink traffic, including user data, signaling messages, and authentication vectors. It can also deny service by preventing the UE from accessing the real network or by downgrading the security context to weaker, legacy algorithms.

The architecture of an FBS attack involves the rogue station mimicking the physical layer and lower-layer protocols. It broadcasts a legitimate-looking Public Land Mobile Network (PLMN) ID, tracking area code, and cell ID. Advanced FBS implementations can complete the initial attachment procedures, including Authentication and Key Agreement (AKA), by relaying messages between the UE and the real core network, or by operating in a standalone mode with a simulated core network. This allows for the extraction of International Mobile Subscriber Identity (IMSI) and other sensitive identifiers through identity request procedures, even from idle-mode UEs.

3GPP has addressed the FBS threat across multiple releases, primarily in the security specifications (33-series). Mitigation strategies are multi-layered. Network-based detection can involve monitoring for anomalies such as unexpected cell configurations, signal strength inconsistencies, or geographical impossibilities. UE-assisted detection leverages measurements and reporting of suspicious radio conditions. Furthermore, enhancements to privacy and authentication protocols, such as the use of Subscription Concealed Identifier (SUCI) instead of IMSI during initial registration, protect against passive IMSI catchers, a common form of FBS. The ongoing evolution in 5G and beyond focuses on improving network verification of base station authenticity and UE verification of network legitimacy.
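As an added illustration of the detection heuristics named above (unexpected cell configurations, signal strength inconsistencies, geographical impossibilities, and the algorithm downgrade listed under Key Features), the following Python triages constructed UE measurement reports against an operator cell inventory. This is example code written for this entry, not a 3GPP procedure or any vendor's product; the cell inventory, site coordinates, thresholds, cipher names and the report schema are all assumptions made for the illustration.

```python
"""Heuristic false base station (FBS) triage over UE measurement reports.

Added example, not from 3GPP or any operator: the cell inventory,
coordinates, thresholds and report format are constructed.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

# Constructed operator cell inventory: (PLMN, TAC, cell id) -> site lat/lon.
KNOWN_CELLS: Dict[Tuple[str, int, int], Tuple[float, float]] = {
    ("26201", 100, 4001): (52.520, 13.405),
    ("26201", 100, 4002): (52.523, 13.410),
    ("26201", 101, 4003): (52.540, 13.420),
}

# Ciphering algorithms the operator accepts; anything else (null ciphering
# such as NEA0/EEA0, or a legacy algorithm) is treated as a downgrade.
ACCEPTED_CIPHERS = {"NEA1", "NEA2", "NEA3", "EEA1", "EEA2", "EEA3"}


@dataclass
class Report:
    """One UE-assisted measurement report (constructed schema)."""
    plmn: str
    tac: int
    cell_id: int
    rsrp_dbm: float                 # serving cell received power
    neighbor_rsrp_dbm: List[float]  # received power of reported neighbours
    cipher: str                     # algorithm negotiated for the connection
    ue_lat: float
    ue_lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two lat/lon points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def assess(report: Report, known=KNOWN_CELLS, max_cell_radius_km: float = 5.0,
           neighbor_gap_db: float = 25.0) -> List[Tuple[str, str]]:
    """Return (tag, detail) findings; an empty list means nothing suspicious."""
    findings: List[Tuple[str, str]] = []
    key = (report.plmn, report.tac, report.cell_id)
    if key not in known:
        # Unexpected cell configuration: a cloned cell id broadcast under the
        # wrong tracking area, or a cell the operator never deployed.
        clones = [k for k in known if k[0] == report.plmn and k[2] == report.cell_id]
        if clones:
            findings.append(("tac_mismatch",
                             f"cell {report.cell_id} registered under TAC {clones[0][1]}, "
                             f"seen with TAC {report.tac}"))
        else:
            findings.append(("unknown_cell", f"{key} not in inventory"))
    else:
        # Geographical impossibility: the UE is far beyond the site's footprint.
        site_lat, site_lon = known[key]
        dist = haversine_km(site_lat, site_lon, report.ue_lat, report.ue_lon)
        if dist > max_cell_radius_km:
            findings.append(("geo_impossible", f"{dist:.1f} km from registered site"))
    # Signal strength inconsistency: serving cell far louder than every neighbour.
    if report.neighbor_rsrp_dbm:
        gap = report.rsrp_dbm - max(report.neighbor_rsrp_dbm)
        if gap > neighbor_gap_db:
            findings.append(("rsrp_outlier", f"{gap:.0f} dB above strongest neighbour"))
    # Security downgrade: null ciphering or an unaccepted algorithm.
    if report.cipher not in ACCEPTED_CIPHERS:
        findings.append(("weak_or_null_cipher", report.cipher))
    return findings


def triage(reports: List[Report]) -> Dict[int, List[str]]:
    """Map report index -> finding tags, keeping only reports with findings."""
    result: Dict[int, List[str]] = {}
    for i, r in enumerate(reports):
        tags = [tag for tag, _ in assess(r)]
        if tags:
            result[i] = tags
    return result


# Constructed sample reports.
SAMPLE_REPORTS = [
    Report("26201", 100, 4001, -85.0, [-90.0, -95.0], "NEA2", 52.521, 13.406),   # benign
    Report("26201", 999, 4001, -52.0, [-95.0, -100.0], "NEA0", 52.521, 13.406),  # cloned id, wrong TAC, loud, null cipher
    Report("26201", 100, 4002, -88.0, [-92.0], "NEA1", 52.600, 13.410),          # known cell, UE 8+ km from site
    Report("26201", 100, 7777, -80.0, [-90.0], "EEA2", 52.521, 13.406),          # cell never deployed
]

if __name__ == "__main__":
    for idx, tags in triage(SAMPLE_REPORTS).items():
        print(idx, tags)
```

In a real deployment the inventory would come from the operator's configuration management and the thresholds from measured propagation for each site; the output is a lead for an analyst to correlate with other reports in the same area, not proof of a rogue transmitter on its own.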

Purpose & Motivation

The concept of a False Base Station emerged from the inherent vulnerability of early cellular systems, where radio signaling was largely unauthenticated and user identities were transmitted in clear text. The primary purpose of defining and studying FBS within 3GPP is to formally characterize the threat model, enabling the development of standardized security countermeasures. Without such definitions, mitigation efforts would be fragmented and less effective.

FBS attacks exploit the fundamental need for a UE to discover and connect to the strongest available signal, a principle that ensures service continuity but creates a security loophole. The problems solved by addressing FBS include the prevention of subscriber location tracking, eavesdropping on calls and data sessions, fraud, and denial of service. Historically, 2G (GSM) networks were particularly vulnerable due to weak mutual authentication, making IMSI catchers a widespread tool. The motivation for 3GPP's work is to close these gaps by designing systems where the network authenticates to the UE and user privacy is protected from the initial radio contact, thereby raising the cost and complexity for attackers to deploy successful FBS attacks.

Key Features

  • Imitates legitimate cell synchronization signals (PSS/SSS) and broadcast channels (PBCH)
  • Can operate as a passive IMSI catcher or an active man-in-the-middle relay
  • Exploits radio resource control (RRC) procedures to capture subscriber identities
  • May force security algorithm downgrades or establish null-ciphering connections
  • Can cause service denial by barring cell access or redirecting UEs
  • Addressed by 3GPP security enhancements like SUCI and network authentication

Evolution Across Releases

Rel-7 Initial

Initial recognition and study of the False Base Station threat within 3GPP, documented in TR 22.811. This release began the formal analysis of attack scenarios and potential impacts on UMTS networks, laying the groundwork for future security enhancements. It identified the need for improved identity confidentiality and network verification.

Defining Specifications

Specification   Title
TS 22.811       3GPP TS 22.811
TS 33.700       3GPP TR 33.700
TS 33.701       3GPP TR 33.701