LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is a rogue base station (IMSI catcher), and why is it the central enabler of several LTE attacks?

A rogue base station is a fake cell — transmitting at high power so nearby phones prefer and attach to it — that lets the attacker sit in the middle of the radio link. It's the launch pad for downgrade, identity-tracking, and call-interception attacks.

UE attaches to rogue BS, enabling tracking, downgrade, interception.

* The rogue base station as the common entry point for several attacks. *

GSM network architecture: mobile station, base station subsystem, core network.

* Where a rogue base station inserts itself. — Greno, Public domain, via Wikimedia Commons. *

What it is:

  • A device that impersonates a legitimate eNodeB (LTE base station) or an older GSM/UMTS cell
  • It transmits at a higher power level than the real cells nearby, so phones — which always prefer the strongest signal — attach to it instead
  • Once a phone connects, the attacker is positioned for a man-in-the-middle (MitM) role on the radio interface
  • Historically called an IMSI catcher (and, by a well-known commercial brand, a "Stingray")

Why it underpins multiple attacks: a single rogue base station is the common entry point for three distinct LTE threats:

Attack it enables What the rogue BS does
Identity tracking Forces the UE to reveal its IMEI/IMSI during attach
Downgrade / renegotiation Tells the phone "no LTE, use GSM A5/1" to push it onto breakable crypto
Call interception After a downgrade/MitM, establishes an unencrypted link and listens in

Why mutual authentication doesn't fully stop it: LTE's mutual authentication (the phone authenticates the network too) prevents a fake cell from completing a real LTE session and delivering fake calls — a big improvement over GSM. But the attach exchange and any fallback to GSM happen before/around that protection, which is exactly where the rogue BS does its damage. The defenses are therefore: LTE-only mode (refuse fallback), temporary identities, and rogue-base-station detectors ("IMSI-catcher-catchers").

Tip: Think of the rogue base station as the vehicle and downgrade/tracking/interception as the payloads. Most LTE radio attacks in this catalogue start with "first, get the victim onto a base station you control."

Go deeper:

From Quiz: MOBINFSEC / LTE Attack Vectors (NIST) | Updated: Jul 14, 2026