TelcomIQ

Radio Access Security

Severity: high

IMSI catchers · Rogue BTS · Jamming

Every other attack in this framework requires some level of network access. Radio attacks require only proximity and commodity hardware. A complete IMSI catcher capable of real-time interception can be assembled for under $1,000 using off-the-shelf software-defined radio components. The reason radio attacks remain so dangerous in 4G and 5G networks — long after 2G's known weaknesses — is backwards compatibility: as long as networks support 2G fallback, any device near a rogue base station can be forced to downgrade and lose its encryption protections.

Threat vectors

IMSI catching and identity harvesting

Severity: high

An IMSI catcher (also known as a Stingray, cell-site simulator, or IMSI grabber) impersonates a legitimate base station with a stronger signal than the real network. Devices prioritise signal strength in cell selection and connect to the rogue station. The attacker can extract the device's IMSI and IMEI, track its location in real time, and force a 2G-equivalent downgrade for call and SMS interception. Commercial-grade IMSI catchers are deployed by law enforcement globally; the same capability is accessible to well-resourced criminal actors.

Downgrade to 2G for encryption bypass

Severity: critical

The most common IMSI catcher attack flow forces a connected device to fall back to 2G (GSM), where A5/1 encryption has been completely broken since 2009, or to negotiate A5/0 (no encryption). In 3G networks, false authentication rejection can force UMTS-to-GSM fallback. Even in 4G networks, devices configured to allow 2G fallback for coverage reasons remain vulnerable to this attack when a rogue station is stronger than the legitimate LTE signal.

Rogue eNB/gNB man-in-the-middle

Severity: high

More sophisticated attackers operate rogue LTE (eNB) or 5G (gNB) base stations that proxy connections to the real network while intercepting traffic. Unlike simple IMSI catchers, these relay attacks can intercept encrypted 4G/5G traffic by being positioned in the transmission path. RRC (Radio Resource Control) protocol vulnerabilities can also be exploited through malformed control messages injected from a rogue base station.

RF jamming and denial of service

Severity: high

Broadband or targeted radio frequency jamming renders devices in range unable to connect to any base station. Narrowband jammers targeting specific frequency bands (LTE Band 3, Band 7, etc.) are cheap to build and difficult to attribute. GPS jammers interfere with timing and location functions that telecom networks depend on. Jamming is used as a tactical denial-of-service tool against individuals, vehicles, and in some cases, infrastructure.

5G NR RRC protocol attacks

Severity: medium

5G NR's Radio Resource Control protocol is more complex than its predecessors and introduces new attack vectors. RRC Inactive state messages, beam management procedures, and system information block (SIB) broadcasts are processed before authentication. Malformed or replayed RRC messages from a rogue gNB can cause device crashes, forced reconnections, or information disclosure about connected devices before the authentication procedure completes.

Impact

  1. Targeted surveillance of specific individuals — IMSI catchers allow law enforcement and threat actors alike to track physical movements, identify device owners, and intercept communications with precision that was previously only possible via network-level access.

  2. Communication interception for intelligence and extortion — downgrade attacks enable real-time voice and SMS interception, exposing sensitive business communications and providing material for blackmail or competitive intelligence.

  3. Disruption of emergency services — RF jamming in the frequencies used by public safety LTE networks (FirstNet in the US, MCPTT networks globally) can prevent emergency communication at critical moments.

  4. Privacy violations at scale — IMSI catcher deployment at public events captures identities of all devices in range, enabling retrospective tracking and association of individuals with specific locations and times.

Mitigations & solutions

Accelerate 5G SA deployment and eliminate 2G fallback

5G Standalone (SA) with SUCI (Subscription Concealed Identifier) is the first generation of mobile network that provides robust IMSI privacy over the air. Critically, networks with no 2G fallback eliminate the downgrade attack surface entirely. Accelerating 5G SA rollout and disabling 2G in areas where coverage permits is the most durable solution to IMSI catcher attacks.

Deploy network-side false base station detection

Implement monitoring for false base station indicators: unexpected cells appearing in drive-test data, anomalous signal strength patterns, devices repeatedly reporting location update failures, and RRC establishment failures concentrated in specific areas. Triangulate reports from multiple devices to localise rogue station activity.
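The indicators above, turned into a small detector as an added example (not code from the TelcomIQ framework): it groups constructed device measurement reports by cell, flags cells missing from the operator's inventory, cells radiating far above the plausible signal level, and cells on which attach failures cluster across several devices, then estimates the rogue station's position from the reporting devices' locations. The inventory, report fields and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
# Constructed operator inventory (hypothetical values):
# (PLMN, TAC, cell id) -> (plausible max RSRP in dBm, site lat, site lon)
KNOWN_CELLS = {
    ("310-260", 4101, 17): (-70.0, 51.5010, -0.1100),
    ("310-260", 4101, 18): (-70.0, 51.5030, -0.1150),
}
@dataclass
class Report:  # one device-side measurement report (fields assumed, not 3GPP IEs)
    device: str
    plmn: str
    tac: int
    cell: int
    rsrp_dbm: float
    attach_failed: bool  # attach / location update rejected on this cell
    lat: float
    lon: float
def analyse(reports, min_devices=3, fail_ratio=0.5, rsrp_margin=10.0):
    """Return {cell_key: finding} for cells showing false-base-station indicators."""
    by_cell = defaultdict(list)
    for r in reports:
        by_cell[(r.plmn, r.tac, r.cell)].append(r)
    findings = {}
    for key, rs in by_cell.items():
        reasons = []
        known = KNOWN_CELLS.get(key)
        if known is None:
            reasons.append("cell not in inventory")           # unexpected cell
        elif max(r.rsrp_dbm for r in rs) > known[0] + rsrp_margin:
            reasons.append("signal stronger than plausible")  # anomalous RSRP
        devices = {r.device for r in rs}
        failures = sum(r.attach_failed for r in rs)
        if len(devices) >= min_devices and failures / len(rs) >= fail_ratio:
            reasons.append("attach failures concentrated on cell")
        if reasons:  # crude localisation: centroid of the reporting devices
            findings[key] = {
                "reasons": reasons,
                "centroid": (round(sum(r.lat for r in rs) / len(rs), 4),
                             round(sum(r.lon for r in rs) / len(rs), 4)),
            }
    return findings
# Constructed sample: cell 999 is absent from inventory and rejects most attaches.
SAMPLE = [
    Report("d1", "310-260", 4101, 999, -51.0, True,  51.5021, -0.1121),
    Report("d2", "310-260", 4101, 999, -55.0, True,  51.5019, -0.1119),
    Report("d3", "310-260", 4101, 999, -58.0, False, 51.5020, -0.1120),
    Report("d4", "310-260", 4101, 17,  -80.0, False, 51.5012, -0.1102),
]
```

In production the inventory would come from the operator's cell database and the reports from drive tests or handset telemetry; the thresholds need tuning per band and site density to keep false positives manageable.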

Enable SUCI for 5G subscribers

Ensure 5G devices and network elements are configured to use SUCI (Subscription Concealed Identifier), which encrypts the SUPI/IMSI in over-the-air identity exchanges. This prevents IMSI harvesting from initial attach messages without requiring a full man-in-the-middle position.

Implement device-side downgrade alerting

Work with handset manufacturers and MDM vendors to alert users and enterprise IT teams when a device unexpectedly falls back to 2G. Android's built-in '2G network alert' and equivalent iOS settings provide user-level visibility; enterprise MDM profiles can enforce 4G/5G-only mode on managed devices.

Spectrum monitoring and RF anomaly detection

Deploy passive spectrum monitoring sensors in sensitive locations (government buildings, financial districts, critical infrastructure perimeters) to detect rogue base stations and jammers. Integrate with geolocation systems to identify and report transmitter locations to relevant authorities.