2G/3G Attacks

Downgrade Attacks

HIGH SEVERITY

Legal Warning

Performing these attacks without proper authorization is illegal in most jurisdictions. This information is for educational and authorized security testing only.

Overview

Downgrade attacks force mobile devices to connect to older, less secure network technologies (2G) where encryption is weaker and easier to break, enabling various attack vectors.

Technical Overview

Attackers use jamming or fake base stations to block 3G/4G/5G signals, forcing devices to fall back to 2G networks. Once on 2G, devices are vulnerable to A5/1 encryption breaking, IMSI catching, and other legacy protocol attacks.

Impact

Potential consequences of this attack

•Exposure to weak 2G encryption
•Vulnerability to IMSI catcher attacks
•Increased susceptibility to interception
•Bypass of modern security features
•Denial of high-speed data services

Attack Vectors

Methods used to execute this attack

•Selective jamming of 3G/4G/5G frequencies
•Fake BTS advertising only 2G support
•Protocol manipulation to force downgrade
•Exploiting automatic network selection
•Combining with IMSI catcher for full attack chain

Attack Methodology

Step-by-step attack execution process

1Deploy jamming equipment for 3G/4G/5G bands
2Set up fake 2G BTS with strong signal
3Wait for devices to downgrade automatically
4Capture connections on 2G network
5Execute secondary attacks (IMSI catching, interception)
6Maintain downgrade to prevent re-upgrade

Mitigations & Defense

Protective measures and countermeasures

Disable 2G in device settings (LTE-only mode)
Use network selection to prefer 4G/5G
Monitor for unexpected network changes
Implement network-level downgrade detection
Use encrypted communication apps regardless of network
Deploy 2G sunset policies in networks

Real-World Examples

Known incidents and use cases

→IMSI catcher operations forcing 2G connection
→Surveillance operations at public events
→Border control and customs enforcement
→Corporate espionage at conferences
→Government surveillance programs

Related Attacks

2G/3G Attacks

IMSI Catching

IMSI catchers are rogue base stations that trick mobile devices into connecting to them, allowing attackers to capture International Mobile Subscriber Identity (IMSI) numbers and intercept communications.

2G/3G Attacks

A5/1 Encryption Breaking

A5/1 is the encryption algorithm used in 2G GSM networks. Due to its weak 64-bit key and known vulnerabilities, it can be broken in real-time to decrypt voice calls and SMS messages.

2G/3G Attacks

Fake BTS Attacks

Fake Base Transceiver Station (BTS) attacks involve deploying rogue cell towers that impersonate legitimate network infrastructure to intercept communications and perform man-in-the-middle attacks.

References & Further Reading