Rogue Base Station Location Tracking Techniques

Mobile phones are a constant presence in our lives, enabling communication with friends, easy navigation, and access to information instantly. However, alongside the conveniences of cellular networks come potential security risks, one of which is a rogue base station. A rogue base station is a device that mimics legitimate network infrastructure. These devices can be small enough to fit in a backpack or be mounted on a car. As shown in Figure 1, rogue base stations support three attack types: Communication Interception, Service Downgrading, and Location Tracking. In this blog, we’re going to focus on two techniques: grabbing a user’s IMSI and trilateration, a location tracking technique.

Figure 1 Overview of Attacks

IMSI Catcher

Traditional rogue base stations are used to obtain nearby IMSIs (International Mobile Subscriber Identities). They are, ultimately, a passive-mode approach: they record IMSIs and don’t interact with the target phones past that point. Your phone is constantly searching for the base station that broadcasts the strongest signal. After a phone detects the base station with the strongest signal strength (in this case, the rogue base station), it initiates a connection procedure.

Figure 2 IMSI Catcher – Signal Strength

The rogue base station will advertise that it has a different LAI (Location Area Identity) or TAI (Tracking Area Identity) and, therefore, the device will have to update its information. The device will send the TMSI (Temporary Mobile Subscriber Identity) to the rogue base station within a Location Updating Request (2G / 3G) or a Tracking Area Updating Request (4G).

Figure 3 Identity Request

The rogue base station will send an Identity Request down to the device, essentially stating that it does not recognise the TMSI and therefore the device needs to send the IMSI instead. The device will send up an Identity Response containing the IMSI. After this, the rogue base station will store the IMSI and (optionally) release the device, allowing it to connect back to a legitimate network. The captured IMSI can now be used for identity exposure, to track your movements, or for impersonation.
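The sequence described above (a new area code, an update request carrying the TMSI, an Identity Request for the IMSI, then a release) can be looked for on the handset side; the following Python heuristic is an added example, not code from the original post. The event tuple layout, the message spellings, `WINDOW_S`, `find_imsi_requests` and the trace itself are assumptions constructed for illustration.

```python
UPDATE_REQUESTS = {"LocationUpdatingRequest", "TrackingAreaUpdateRequest"}
WINDOW_S = 5.0  # assumed: max gap in seconds between steps of one exchange

# Constructed trace of decoded signalling events as (time_s, message, detail).
# The tuple layout and message spellings are assumptions for this example.
SAMPLE_TRACE = [
    (0.0, "SystemInfo", "area=0x1A2B"),
    (300.0, "SystemInfo", "area=0x1A2B"),
    (600.0, "SystemInfo", "area=0xFFF0"),   # area code not seen before
    (600.4, "TrackingAreaUpdateRequest", "id=TMSI"),
    (600.6, "IdentityRequest", "type=IMSI"),
    (600.8, "IdentityResponse", "id=IMSI"),
    (601.5, "ConnectionRelease", ""),
    (640.0, "SystemInfo", "area=0x1A2B"),
    (900.0, "IdentityRequest", "type=IMSI"),  # isolated request, weaker signal
]


def find_imsi_requests(trace):
    """Return one finding per IMSI Identity Request with the indicators seen."""
    seen_areas, findings = set(), []
    new_area_at = update_at = None
    pending = None  # finding still waiting for its response/release
    for t, msg, detail in trace:
        if msg == "SystemInfo":
            if seen_areas and detail not in seen_areas:
                new_area_at = t  # broadcast LAI/TAI changed to an unseen value
            seen_areas.add(detail)
        elif msg in UPDATE_REQUESTS:
            update_at = t
        elif msg == "IdentityRequest" and detail == "type=IMSI":
            pending = {"time": t, "indicators": ["imsi_requested"]}
            if update_at is not None and t - update_at <= WINDOW_S:
                pending["indicators"].append("after_update_request")
                if new_area_at is not None and update_at - new_area_at <= WINDOW_S:
                    pending["indicators"].append("new_area_code")
            findings.append(pending)
        elif msg == "IdentityResponse" and pending:
            pending["responded_at"] = t
        elif msg == "ConnectionRelease" and pending:
            if t - pending.get("responded_at", float("-inf")) <= WINDOW_S:
                pending["indicators"].append("released_after_response")
            pending = None
    return findings


if __name__ == "__main__":
    for f in find_imsi_requests(SAMPLE_TRACE):
        print(f"t={f['time']}: {len(f['indicators'])}/4 indicators {f['indicators']}")
```

A legitimate network can also ask for the IMSI when it does not recognise a TMSI, so the output is a set of indicators to weigh together rather than a verdict.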

Trilateration

Trilateration is a method of determining a device’s position based on measurements taken from three (or more) known points, in this instance, three neighbouring cell towers. Assuming the victim is already connected to the rogue base station, the attacker can send an RRC Connection Reconfiguration (4G) command to the device. Traditionally, the RRC Connection Reconfiguration is used to configure a connection to a base station. As an attacker, we’re focused on the signal strengths of the specified cell towers in the response. The reported signal strengths allow trilateration calculations to take place, which identify a common intersection where the device will reside.

Figure 4 Trilateration Example

The RRC Connection Reconfiguration can also specify whether the measurement is reported when the cell is seen or reported periodically. With periodic reporting, the attacker can track the user as they travel throughout the network. It’s important to note that signal strength tracking is not entirely accurate; the trilateration technique will most likely not take into account building propagation, which makes the common intersection larger.

Conclusion

In this blog, we’ve looked at a small set of location tracking techniques that attackers can adopt. Rogue base stations have the potential to pose a significant threat to users of mobile networks by enabling attackers to monitor user locations through techniques such as presence testing and trilateration. These methods take advantage of standard and defined network procedures, such as paging and signal strength reporting.

If you’d like to learn more, our expert instructors provide both live classroom and on-demand training in Cellular Location Services.