2G/3G Attacks

Fake BTS Attacks

CRITICAL SEVERITY

Legal Warning

Performing these attacks without proper authorization is illegal in most jurisdictions. This information is for educational and authorized security testing only.

Overview

Fake Base Transceiver Station (BTS) attacks involve deploying rogue cell towers that impersonate legitimate network infrastructure to intercept communications and perform man-in-the-middle attacks.

Technical Overview

A fake BTS operates by broadcasting with higher signal strength than legitimate towers, causing devices to connect to it. Once connected, the attacker can intercept all communications, inject malicious traffic, or relay traffic to the legitimate network while monitoring.

Impact

Potential consequences of this attack

•Complete interception of voice and data
•Man-in-the-middle attacks on all communications
•Injection of malicious SMS or data
•Denial of service to targeted devices
•Credential harvesting from unencrypted protocols

Attack Vectors

Methods used to execute this attack

•Deploy rogue BTS with higher signal strength
•Force device connection through jamming legitimate towers
•Intercept authentication credentials
•Perform active man-in-the-middle attacks
•Inject malicious content into communications

Attack Methodology

Step-by-step attack execution process

1Set up fake BTS using OpenBTS or commercial equipment
2Configure to mimic legitimate network parameters
3Broadcast with higher power than legitimate towers
4Capture device connections and authentication
5Relay traffic to legitimate network or terminate locally
6Monitor and manipulate communications as needed

Mitigations & Defense

Protective measures and countermeasures

Use IMSI catcher detection applications
Monitor for unexpected network changes
Enable network authentication verification
Use VPN for all data communications
Implement certificate pinning in applications
Deploy network-level anomaly detection

Real-World Examples

Known incidents and use cases

→Government surveillance operations
→Corporate espionage at business events
→Criminal interception for fraud
→Targeted attacks on high-value individuals
→Border control and immigration enforcement

Related Attacks

2G/3G Attacks

IMSI Catching

IMSI catchers are rogue base stations that trick mobile devices into connecting to them, allowing attackers to capture International Mobile Subscriber Identity (IMSI) numbers and intercept communications.

2G/3G Attacks

A5/1 Encryption Breaking

A5/1 is the encryption algorithm used in 2G GSM networks. Due to its weak 64-bit key and known vulnerabilities, it can be broken in real-time to decrypt voice calls and SMS messages.

2G/3G Attacks

SMS Interception

SMS interception attacks allow attackers to capture, read, and potentially modify text messages sent between mobile devices, compromising the confidentiality and integrity of SMS communications.

References & Further Reading