What is a rogue base station (IMSI catcher), and why is it the central enabler of several LTE attacks?
A rogue base station is a fake cell — transmitting at high power so nearby phones prefer and attach to it — that lets the attacker sit in the middle of the radio link. It's the launch pad for downgrade, identity-tracking, and call-interception attacks.
* The rogue base station as the common entry point for several attacks. *

* Where a rogue base station inserts itself. — Greno, Public domain, via Wikimedia Commons. *
What it is:
- A device that impersonates a legitimate eNodeB (LTE base station) or an older GSM/UMTS cell
- It transmits at a higher power level than the real cells nearby, so phones — which always prefer the strongest signal — attach to it instead
- Once a phone connects, the attacker is positioned for a man-in-the-middle (MitM) role on the radio interface
- Historically called an IMSI catcher (and, by a well-known commercial brand, a "Stingray")
Why it underpins multiple attacks: a single rogue base station is the common entry point for three distinct LTE threats:
| Attack it enables | What the rogue BS does |
|---|---|
| Identity tracking | Forces the UE to reveal its IMEI/IMSI during attach |
| Downgrade / renegotiation | Tells the phone "no LTE, use GSM A5/1" to push it onto breakable crypto |
| Call interception | After a downgrade/MitM, establishes an unencrypted link and listens in |
Why mutual authentication doesn't fully stop it: LTE's mutual authentication (the phone authenticates the network too) prevents a fake cell from completing a real LTE session and delivering fake calls — a big improvement over GSM. But the attach exchange and any fallback to GSM happen before/around that protection, which is exactly where the rogue BS does its damage. The defenses are therefore: LTE-only mode (refuse fallback), temporary identities, and rogue-base-station detectors ("IMSI-catcher-catchers").
Tip: Think of the rogue base station as the vehicle and downgrade/tracking/interception as the payloads. Most LTE radio attacks in this catalogue start with "first, get the victim onto a base station you control."
Go deeper:
IMSI-catcher (Wikipedia) — the fake-base-station MitM device in detail, including how 3G/LTE mutual authentication is bypassed by forcing a downgrade.
Stingray phone tracker (Wikipedia) — the best-known commercial IMSI catcher; how it forces nearby phones to attach and what it can extract.
Detecting IMSI-catchers and other mobile network attacks (CCC, 2015) — a practical look at the tell-tale signs that give a rogue base station away.
SnoopSnitch (SRLabs, GitHub) — the actual "IMSI-catcher-catcher": an Android app that uses Qualcomm baseband debug data to flag fake base stations, silent SMS, and SS7/downgrade attacks in the field.
SMS-Blaster: a new fraud scheme in Switzerland (SRF Kassensturz, 2025) — the rogue base station as a live consumer threat: a fake cell forces nearby phones to attach and pushes mass smishing SMS — this exact attack, in Switzerland, today.
NCSC weekly review on SMS blasters (BACS, 2025) — the Swiss federal cyber-security office's advisory on the same campaign: how it works and what operators/users can do.