Article

Fake Base Station Detection and Link Routing Defense †

1 Department of Computer Science, University of Colorado Colorado Springs, Colorado Springs, CO 80918, USA
2 Department of Computer Science and Information Systems, Texas A&M University-Commerce, Commerce, TX 75428, USA
3 Electronics and Telecommunications Research Institute, Daejeon 34129, Republic of Korea
* Authors to whom correspondence should be addressed.
This paper is an extended version of our paper: Purification, S.; Wuthier, S.; Kim, J.; Kim, J.; Chang, S.Y. Fake Base Station Detection and Blacklisting. In Proceedings of the 33rd International Conference on Computer Communications and Networks (ICCCN), Big Island, HI, USA, 29–31 July 2024.
Electronics 2024, 13(17), 3474; https://doi.org/10.3390/electronics13173474
Submission received: 31 July 2024 / Revised: 22 August 2024 / Accepted: 29 August 2024 / Published: 1 September 2024
(This article belongs to the Special Issue Multimedia in Radio Communication and Teleinformatics)

Abstract:

Fake base stations comprise a critical security issue in mobile networking. A fake base station exploits vulnerabilities in the broadcast message announcing a base station’s presence, which is called SIB1 in 4G LTE and 5G NR, to get user equipment to connect to the fake base station. Once connected, the fake base station can deprive the user of connectivity and access to the Internet/cloud. We discovered that a fake base station can disable the victim user equipment’s connectivity for an indefinite period of time, which we validated using our threat prototype against current 4G/5G practices. We designed and built a defense scheme which detects and blacklists a fake base station and then, informed by the detection, avoids it through link routing for connectivity availability. For detection and blacklisting, our scheme uses the real-time information of both the time duration and the number of request transmissions, the features of which are directly impacted by the fake base station’s threat and which have not been studied in previous research. Upon detection, our scheme takes an active measure called link routing, which is a novel concept in mobile/4G/5G networking, where the user equipment routes the connectivity request to another base station. To defend against a Sybil-capable fake base station, we use a history–reputation-based link routing scheme for routing and base station selection. We implemented both the base station and the user on software-defined radios using open-source 5G software (srsRAN v23.10 and Open5GS v2.6.6) for validation. We varied the base station implementation to simulate legitimate vs. faulty but legitimate vs. fake and malicious base stations, where a faulty base station notifies the user of the connectivity disruption and releases the session, while a fake base station continues to hold the session. We empirically analyzed the detection and identification thresholds, which vary with the fake base station’s power and the channel condition. By strategically selecting the threshold parameters, our scheme provides zero errors, including zero false positives, to avoid blacklisting a temporarily faulty base station that cannot provide connectivity at the time. Furthermore, our link routing scheme enables the base station to switch in order to restore the connectivity availability and limit the threat impact. We also discuss future directions to facilitate and encourage R&D in securing telecommunications and base station security.

1. Introduction

User equipment connects to the remote Internet and services through multiple nodes, the first of which is a base station. To support its mobility, user equipment connects to a base station, which serves as a bridge gateway between wireless and wired connection to the switches; the base station communicates to the user equipment in wireless communication and to the routers and servers in wired communication. Wirelessly connected user equipment thus requires a base station as the first hop (i.e., last-mile hop) in its communication path to the remote server and Internet. In telecommunications networking protocol, e.g., 4G and 5G, the base station sets up a wireless communication channel via radio resource control (RRC), which includes a system information block (SIB) broadcasting communication to announce the base station’s presence and deliver the communication-channel control information.
A malicious or fake base station is a well-known security issue in mobile networking. For example, there are open-source tools and tutorials for setting up fake base stations, e.g., Refs. [1,2]. The fake base station exploits the radio signal-based base station selection process and the vulnerability in the broadcasting SIB and RRC messages. Previous research launched a fake base station to manipulate the RRC and SIB communications to downgrade security protection, misdirect the user equipment connection, and transmit fake public warning system messages, among others, as described in Section 2. In contrast to the previous research, we focus on the fake base station’s threat to user equipment availability. The fake base station prevents user equipment from connecting to a legitimate base station and therefore deprives it of its connectivity availability. We first investigate fake base stations and discover that a fake base station that chooses at which step of the connectivity setup process to begin the disconnection can cause much more availability damage; more specifically, the fake base station will complete the RRC setup but stop after receiving the first digital communication meant for the backend core network, so as to keep the user equipment engaged and to waste its connection time and effort.
To defend against fake base stations, we designed and built a scheme with a passive and an active defense that requires the implementation or changes only at the user equipment level, i.e., does not require any protocol-level changes or changes in any other entities beyond the base station. Our scheme detects and blacklists a fake base station as a passive defense; then, it redirects connectivity to a legitimate base station as an active defense. In passive defense, we specifically design our scheme so that the detection and blacklisting minimize the false positives to avoid blacklisting a legitimate base station that is faulty or has a temporary connection issue. Our scheme and its detection threshold control thus depend on the base station–user equipment channel condition and the fake base station’s transmission power. Our scheme also makes use of real-time observations directly related to the availability impact on the user equipment. Because the fake base station aims to keep the user equipment connected and engaged to itself as long as possible, we use the time duration of the connectivity setup as well as the number of repeated request transmissions to inform and drive our scheme.
Once a fake base station is detected and blacklisted, in active defense, the user equipment has to redirect its connection to a legitimate base station. The detection and blacklisting may not be sufficient to ensure restoring connectivity. A Sybil-capable fake base station can take a new identity to escape the blacklisting and make the user equipment reconnect to it. To address this problem, we introduce a redirection mechanism called link routing, where the user equipment can restore its connectivity to a base station from a list of known base stations stored within the user equipment. After the detection of the fake base station, link routing ensures user equipment availability to establish a control connection with the legitimate network.
We implemented our scheme using software-defined radios and open-source 5G srsRAN software to validate our design. We implemented and simulated the user equipment (implementing the defense) and the base stations, including legitimate and working well vs. faulty and temporarily unable to connect vs. fake and malicious base stations. Because of the lasting impacts of blacklisting, we simulated and analyzed a faulty but legitimate base station, which temporarily cannot provide connectivity; our scheme does not blacklist such a base station.
We validated our design by analyzing the performance of the implemented scheme in detecting a fake base station with zero false positives, which is important because we blacklist the subject base station and avoid using it in the future. Our scheme achieves zero false positives when the detection uses the optimal thresholds for both the time duration and the number of repeated requests. We also implemented the link routing part of the scheme to verify that the user equipment successfully redirects its connectivity to the legitimate base station, and we measured the link routing time duration to measure the overall threat impact after implementing our scheme. We show that our scheme, which consists of passive and active defenses, reduces the availability threat impact from an indefinitely long time to a few seconds.
The rest of this paper is organized as follows. Section 2 discusses the related works that focus on attacks and defenses against fake base stations exploiting radio and wireless communications. We provide relevant background information on the overall 5G architecture with underlying protocols in Section 3. We describe our threat model with a clear distinction between a fake base station and a faulty base station in Section 4. In Section 5, we explain our detection and link routing scheme, while Section 6 describes our scheme incorporation in 5G networking. Section 7 provides a performance analysis of our scheme’s experimental results for detection and link routing. We discuss future directions in Section 8 and conclude our paper in Section 9.

2. Related Work

A fake base station assumes a base station’s functionality, including its wireless communication capability and its role as a bridge gateway between wireless and wired networking. Therefore, its threats focus on RRC and SIB communications, which distinguishes the fake base station from other threat actors that use injections. In this section, we thus focus on fake base station threats to the RRC and SIB as opposed to generic digital communication injections. While much of the works in the literature focus on threat mechanisms and impacts, our work focuses on defense based on detection and identification to avoid fake base stations and connect to a legitimate base station for availability.

2.1. Threats on SIB and RRC

An attacker exploits the cell selection/reselection process (selecting the highest signal power [3]) and cryptographically insecure (without integrity and authentication protection) broadcast system information messages in radio control communication to launch a fake base station attack in LTE [4,5] and even in 5G-NR [6,7]. Lee et al. [4] and Bitsikas et al. [6] demonstrate that the attacker can craft system information messages (e.g., MIB, SIB1) to set up an RRC connection with the user equipment and dispatch false public warning messages after setup. Moreover, the adversary also has the capability to trigger the handover process by modifying the cell reselection-related information in the system information messages [7]. In such attacks, the prerequisite is transmission of the signal at a higher strength than a legitimate base station [5]; hence, the base station with higher signal strength is always able to lure the user equipment to connect to it.
Previous research also specifically studied the threat impacts after a fake base station makes a connection. Once the benign user equipment connects to the fake base station at the RRC layer, the adversary can launch a protocol downgrade from 5G/4G to 2G (i.e., bidding down) attack [8]; user equipment device identification attack [9]; SMS phishing attack [10,11]; or an attack that drains the user equipment battery [9,12]. Furthermore, as a secondary impact, the fake base station can disrupt user equipment connectivity to a legitimate base station by denial-of-service attacks and control the connection availability [12,13,14].

2.2. Defense against Fake Base Station

While the previous research largely focused on the offensive side of fake base stations, more limited research detected and identified fake base stations using RF fingerprinting in wireless signal processing [15], packet tracing with machine learning [16], and the use of digital spam messages transmitted by the fake base station [10,17]. These previous research studies are highly relevant to our work because they have the same goal of detecting and identifying fake base stations. However, our work uses the user equipment’s behavior caused by connecting to the fake base station for detection and identification and focuses on the RRC control communication to set up the connectivity. Our work focuses on the RRC control communication standardized by 3GPP [18], because the control communication is unique to the cellular base station. Our work is orthogonal to these previous detection/identification works and can be used in conjunction with them to provide a richer detection/identification protocol; we focus on our novel contributions and the detection features of time and number of registration request packets in the RRC in this paper.
Other research works [19,20,21,22] proposed the digital-signature-based authentication of system information messages by legitimate base stations to prevent the user equipment from connecting to a fake base station. Our defense work is distinguishable from these previous research works in the following ways. First, these previous works offer preventive measures to disable the user equipment from connecting to a fake base station; in contrast, our work detects and identifies the threat after it occurs. Second, these previous works involve greater systematic changes involving protocol and algorithmic changes in the user equipment, base station, and backend core network; for example, 3GPP is in the initial stages of conceptualizing and identifying the requirements of establishing a public key for base stations to enable such a cryptographic approach [23]. In contrast, our work only requires implementation on the user equipment, which is also the beneficiary of the scheme, and thus requires substantially fewer changes in the system implementation and standardization, facilitating practicality and deployability. Our work is therefore orthogonal to these previous works and can be used in conjunction with the previous cryptographic approaches.
In cellular 4G/5G protocol, a limited number of research studies implemented security on cellular base stations against potentially malicious user equipment, e.g., for authentication [24,25]. While the backend core network has traditionally authenticated the user equipment and established security, e.g., 5G authentication and key management (AKA), such an approach of implementing security on the base station on the network edge can enable quicker mitigation and reduce threat impacts. Our work, however, considers malicious base stations (i.e., the threat actor is the base station) in contrast to these previous research studies that defend against malicious user equipment.

2.3. Security Research on Communication Links

Link routing is a novel concept of switching to a legitimate base station to recover from a fake base station threat against availability, but it was inspired by the packet routing in wired networking and by base station handover. Among the previous security research studies in packet routing, particularly relevant are those focusing on the communication links as opposed to the entire forwarding path. These previous research works include link-targeted DoS for more advanced DoS (e.g., Refs. [26,27]) and virtual link protection through moving-target-defense randomization (e.g., Refs. [28,29]). There are also previous security research works on base station handover, including security and vulnerability analysis [7,30,31] and secure handover/mobility management [21,32,33]. Furthermore, related to our link routing technique in that they share the same security objective are the spread spectrum techniques in wireless communication link protection for availability (e.g., Refs. [34,35,36,37]); however, these previous works implement the availability protection via wireless channel control against the jamming threat in general wireless contexts, while our work defends against a fake base station using coded and modulated communications, which follow the standardized protocol, unlike jamming. However, link routing is different from these technologies, as it is specific to the wireless communication link for cellular networking (e.g., 4G/5G) between the user equipment and the base station, which is both the first-hop and the last-hop link. To the best of our knowledge, our link routing is the first to apply routing control (selection and forwarding) of a base station. We better distinguish link routing from packet routing and base station handover in Section 5.2.1.

3. Background and Primer

In this section, we provide a brief overview of the telecommunication architecture and the connectivity setup process. In Section 3.1, we provide an overview of 5G network architecture, as shown in Figure 1. We describe the wireless communication channel setup of the radio resource control (RRC) between the user equipment and the base station in Section 3.2 and the digital non-access stratum (NAS) between the user equipment and core network via a base station in Section 3.3. We borrow the RRC and NAS terms from the 3GPP 5G New Radio standardization and use them in our paper, and we show the protocol in Figure 2a; RRC is shaded in yellow while NAS is shaded in blue. Both the RRC-layer and NAS-layer protocols and interactions are for connectivity setup, i.e., once the NAS completes, the user equipment can use the connectivity service for remote access.
Our scheme design and implementation are based on the standardized 5G protocol. Although our detection and identification can be applied to the earlier generations of telecommunication protocols, e.g., 2G–4G, we focus on the 5G NR protocol because 5G is the most recent and has the strongest security in its authentication and key agreement (AKA).

3.1. 5G Cellular Network Architecture

The 5G cellular telecommunication network has three main components: user equipment, base station, and core network. Figure 1 shows the high-level architecture diagram and the physical connection of these three components. The user equipment consists of a mobile device equipped with a universal subscriber identity module (USIM) that contains the subscriber-specific identity and network access-related identities (network ID, network public key, service type, etc.). The base station acts as a bridge gateway between the user equipment and the core network. The core network provides service connectivity to the user equipment by authentication management, identity management, and mobility management. The user equipment accesses the cellular network using a radio channel to connect with the base station and establishes a logical connection with the core network over the established radio connection to obtain the cellular service. In the 5G cellular networking protocol, the user equipment connects to the base station using a radio resource control (RRC)-layer connection and to the core network using a non-access stratum (NAS)-layer connection. An intermediary wired backhaul network of routers and switches connects the base station and core network, which is out of this research’s scope.

3.2. Radio Resource Control (RRC) for Wireless Communication Channel Control and Setup

Because user equipment connects wirelessly to base stations, RRC establishes the radio resource and the wireless channel, including the medium access control (MAC), between the user equipment and the base station.
The user equipment deterministically selects a base station that has system information messages with the highest received signal power to establish the RRC layer connection using a three-way handshake. As illustrated in Figure 2a (yellow-shaded), the RRC connection process begins with the base station periodically broadcasting system information messages with a specific downlink frequency. The system information messages consist of the master information block (MIB) and system information block messages. Among these messages, the system information block 1 (SIB1) is important for the user equipment to obtain network parameters for initiating the RRC connection with the base station. The system information block 1 (SIB1) contains network access-related information such as network identities (PLMN ID, cell ID), cell selection criteria such as minimum received signal strength/quality, and downlink/uplink frequencies. The PLMN ID is the unique identifier of the cellular network provider, and the cell ID is the unique identifier of the base station broadcasting the SIB1. Before further proceeding with the SIB1, the user equipment selects the cell of the base station if the cell selection criteria are satisfied.
When there are multiple base stations nearby, the user equipment uses a deterministic algorithm while selecting a base station (also known as cell selection/reselection according to 3GPP [3]) to establish the radio connection. After a piece of user equipment is powered on, it scans all radio frequency channels in the 5G NR band to find its surrounding base stations. Then it determines if the base stations qualify for the selection criterion and selects the base station with the highest received signal-to-noise ratio (SNR) among the qualified base stations.
After the radio signal-based base station/cell selection based on SIB1, as shown in Figure 2a, the user equipment proceeds to set up the RRC connection with the base station by sending the RRC setup request. Upon receiving the RRC setup request, the base station accepts the connection request and sends the RRC setup message to the user equipment. The user equipment completes the RRC connection by sending the RRC setup complete message along with the registration request to initiate a NAS-layer connection with the core network. This initial registration request is the first message in the 5G authentication and key agreement protocol (5G-AKA). Section 3.3 discusses the 5G-AKA and NAS-layer connection setup in detail.

3.3. Digital 5G-AKA and Non-Access Stratum (NAS) Setup

In 5G, the user equipment establishes the NAS-layer connection with the core network after the mutual authentication and key agreement (known as 5G-AKA) between them, as shown in Figure 2a (blue-shaded), which uses public key cryptography. 4G does conduct AKA between the user equipment and core network, similar to 5G, but uses symmetric cryptography, unlike 5G. 5G therefore provides stronger security than 4G. The earlier generations before 4G, i.e., 2G and 3G, do not implement or support AKA. In 5G-AKA, the user equipment encrypts its subscriber identity using the core network public key that is installed into its USIM card and sends it to the core network in the registration request message. After receiving the registration request from the user equipment, the core network verifies the user equipment subscriber identity using its private key and sends an authentication request to the user equipment with authentication parameters. The user equipment authenticates the core network using the authentication parameters and sends an authentication response (success or rejection) to the core network. After mutual authentication between the user equipment and the core network, they negotiate ciphering and integrity-protection algorithms for subsequent communication using the security mode procedure. After this procedure, both the RRC- and NAS-layer connections use ciphering and integrity-protected algorithms.
5G and 4G AKA build some resistance against fake base stations. More specifically, even if the fake base station can get the victim user to connect initially, the user can attempt to connect to the backend core network. In 5G AKA, the core network sends a digitally signed message after RRC as a part of the mutual authentication between the core network and the user (including the subscription verification of the user). Once it has received the digitally signed message, the user can verify the digital signature to authenticate the connection. However, such a defense consumes the processing and energy resources of the mobile user in a disproportionately large manner so that the threat impact and the resource consumption (the digital communications after RRC and radio medium access control (MAC) and communicating to the backend, which is multiple hops away) is significantly larger and disproportionate to the attacker effort (SIB1 injection at RRC).

4. Fake Base Station Threat

4.1. Threat Model

An attacker has the knowledge of the cellular 5G networking protocol by Kerckhoffs’ principle, can launch a fake base station using software-defined radios, and can exploit radio communication between the user equipment and the legitimate base station; there are even development tools and tutorials for setting up such a fake base station, e.g., Refs. [1,2]. The attacker exploits the deterministic base station selection procedure and the lack of integrity protection of system information messages, as described in Section 3.2, to launch a fake base station attack. In our threat model, we consider such an attacker with a fake base station that can broadcast fabricated system information messages with the highest signal power so that benign user equipment selects the cell of the fake base station over a legitimate base station that meets cell selection criteria. The adversary can adaptively choose signal transmission power gain to take control of the radio channel between the base station and the user equipment. Afterward, the fake base station can establish a radio resource control (RRC) connection with the user equipment and drop, modify, or inject upper-layer communication (e.g., NAS layer) from the user equipment to the core of the network later on. We also consider that the attacker’s fake base station is Sybil-capable, meaning it can take multiple false identities and system parameters. The attacker can use this Sybil capability, for example, to avoid being blacklisted.

4.2. Fake Base Station Threat against Availability

In our work, the attacker has the goal of depriving and disabling the connectivity availability of the user equipment. As described in Section 3.3, 5G AKA provides some resistance against fake base stations. The core network authentication verification using the USIM equipped within the user equipment device can serve to indicate the legitimacy of the base station; the base station legitimacy check fails if the authentication fails.
Our threat occurs before the NAS and before AKA. In our threat, the fake base station injects the fake SIB1 message to establish the RRC and wireless communication channel with the user equipment. The fake base station increases the transmission signal power to transmit the SIB1 with the highest signal power on the user equipment, which causes the user equipment to connect to the fake base station as described in Section 3.2. The fake base station continues with the RRC setup as depicted in the yellow-shaded region in Figure 2a. Once the RRC setup is complete, when the user equipment continues with the NAS-layer process and sends the registration request, the fake base station refrains from sending it to the core network and stops the rest of the process. The fake base station does not comply with the protocol and ceases all transmissions after receiving the user equipment’s registration request, as described in Figure 2b. In Figure 3, we show a proof-of-concept fake base station attack on an Android user equipment device connected to a real-world 4G LTE network using our threat prototype described in Section 7. The fake base station establishes the RRC connection by sending system information messages with higher signal strength, and it maintains the connection with the user equipment as long as it wants. As a consequence, the user equipment is deprived of cellular services from legitimate base stations.
The timing of the fake base station threat in stopping the RRC/NAS process of setting up connectivity is critical for impacting availability. If the fake base station stops the RRC/NAS before the registration request, then the user equipment gets disconnected as soon as the process stops. Furthermore, the fake base station cannot proceed with the authentication request because it does not hold the core network’s private key (or, if using 4G, the symmetric key) and cannot generate the correct digital signature; the user equipment can check the legitimacy of the core network/base station and disconnect the NAS/RRC immediately. However, the user equipment is persistent with the registration request by 5G design because there can actually be accidental connectivity availability issues due to a failure in the base station and the farther away core network.

4.3. Faulty but Legitimate Base Station

Our blacklisting identification focuses on the attacker (fake base station) and not on accidental/unintentional failures (faulty base station). We therefore distinguish between a fake base station and a faulty but unintentional one, the latter of which can be caused by the lack of connectivity services at the time of the user equipment access. The base station cannot provide connectivity at some times, which is often temporary, i.e., the faulty base station operates correctly at other times. The 3GPP 5G NR supports such temporary faulty cases not having connectivity, and our work builds on the protocol for such faulty cases. For an accidentally faulty base station, we continue with the NAS process for the connectivity setup, but if it fails, the base station sends an RRC release message to the user equipment along with the rejection cause, e.g., authentication reject. The accidentally faulty base station thus releases the RRC connection with the user equipment, while the adversarial fake base station continues to hold on to the RRC connection, depriving its availability further. The faulty base station differs from the fake base station in that it explicitly releases and ends the connectivity setup. The faulty (and legitimate) base station operation is described in Figure 2c (in contrast, the legitimate and working-well base station operation is depicted in Figure 2a).

5. Our Scheme

Our design scheme aims to detect a fake base station and uses link routing upon detection to recover from the threats described in Section 4. We divide our defense scheme against fake base stations into two parts: fake base station detection for passive defense and link routing for switching to a known legitimate base station as an active defense. We deploy a passive defense to sense the abnormality in networking (detection) before applying the active defense (recovery). In passive defense, we detect the fake base station attacks on availability, and in active defense, link routing addresses the Sybil threat.

5.1. Detection Scheme for Passive Intelligence and Awareness

In our scheme, the user equipment adds a timer-counter-based detection and a blacklisting identification to defend against the fake base station threat described in Section 4. To make the detection/blacklisting decision, our scheme uses sensing measures that derive directly from the impact on the user equipment’s availability experience, which results from the base station’s connectivity behavior. More specifically, our scheme uses the time duration for the connectivity setup (T) and the count of repeated transmissions to set up the connectivity (N). Because our objective is to reduce the availability threat impact, we use T and N, which are inherently impacted by the threat. Our scheme also implements the sensing and computing/logic only on the user equipment and does not require any additional changes in the protocol, facilitating the practicality and deployment of our scheme.
For detection, the user equipment tracks both the time duration, starting from the initial registration request in the NAS layer (T), and the number of registration request transmissions it repeats (N). N is equal to one or is a small number when the user equipment connects to a legitimate base station, as the legitimate base station has the connectivity to the core network and can provide the connectivity, as shown in Figure 2a; in our experimentation, which we describe in Section 7, N = 1 without needing to send another registration request. In contrast, N is larger if the user equipment connects to a faulty base station and when there is no connectivity to the core network (Figure 2c), and N is infinite and unbounded if it connects to a fake base station (Figure 2b).
The registration request corresponds to the first transmission in the NAS in Figure 2a. The user equipment is persistent in sending the registration request message until it receives the authentication request/reject message from the network. When the user equipment receives the message from the network, it then proceeds to complete the NAS connection setup. However, when it does not receive any message from the network, it keeps sending a registration request message and measures T and N. In this case, if T exceeds $\tau_T$ and N exceeds $\tau_N$, i.e., $T > \tau_T$ and $N > \tau_N$, then our scheme detects the fake base station. In our scheme, $\tau_T$ is the threshold for the time duration (T) and $\tau_N$ is the threshold for the number of registration requests (N) that our detection algorithm takes as inputs. Because the registration request and the connectivity setup are specific to one base station, which is identified by the cell ID, the user equipment further blacklists the cell ID of the fake base station.
We select $\tau_T$ and $\tau_N$ to detect and identify the fake base station. We focus on identifying the fake base station as opposed to the accidentally faulty base station, as described in Section 4.2, and therefore design our scheme to detect and identify the fake base station only. $\tau_T$ and $\tau_N$ increase as the communication channel between the user equipment and base station worsens, although the user equipment selects the base station with the greatest signal SNR, as described in Section 3.2. $\tau_T$ and $\tau_N$, therefore, vary depending on the user equipment’s observed channel state information (CSI, which is commonly used in modern communication signal processing, for example, in MIMO).
After the detection and blacklisting, the user equipment uses the novel link routing as an active defense measurement to restore the radio connection from the fake base station to the legitimate base station. We describe the link routing concept and scheme in the next section (Section 5.2).

5.2. Our Link Routing Scheme for Active Defense

We design the link routing part of our scheme as an active defense to recover the user equipment from the fake base station after it builds awareness from the detection discussed previously in Section 5.1.

5.2.1. Link Routing Concept

We introduce the concept of link routing, which switches to another base station in mobile cellular networking. Link routing involves a trigger/condition for link routing (e.g., bad channel condition in SNR or payload experience), the selection of the base station (e.g., the core network’s assignment, local algorithm based selection), and the communication protocol interactions with that base station (starting from the RRC protocol to establish the wireless channel). While this section focuses on these functionality concepts, which can be implemented in many ways, the following Section 5.2.2 provides the concrete implementation instances of our link routing prototype; more specifically, link routing is triggered by fake base station detection, and the base station selection is based on reputation, which is based on the user’s previous connectivity experiences. Link routing is conceptually different from networking packet routing and cellular handover in triggering conditions, route selection, and protocol interactions. In the following paragraphs, we describe these differences, which make them incompatible with an active defense after fake base station detection. The packet routing and cellular handover are orthogonal to our scheme, e.g., we can use our scheme with or without them, and they occur at different stages of the cellular connectivity provision.
  • Link routing vs. networking packet routing
Our link routing is different from networking packet routing in terms of the triggering condition, routing decision maker, and route selection procedure. In networking packet routing, intermediary devices such as routers and switches take part in route selection decisions during an event of change in communication links such as link discontinuation, link cost change, etc. On the other hand, in link routing, the user equipment, i.e., the end device, decides which route or path to select for connection switching after a fake base station detection. For the route selection procedure in link routing, the user equipment selects the best route (more specifically a base station) from a reputation vector containing known legitimate base stations for connection switching. However, in networking packet routing, the routers and switches use different metrics such as the shortest distance, lowest delay, or greater bandwidth along a path to select the best route to switch the data packets.
  • Link routing vs. handover
Our proposed link routing is also different from the cellular handover procedure in that it enables the user equipment to redirect the radio connection in the event of a fake base station detection, whereas in a handover, the radio connection is redirected during user mobility. In a handover, the currently serving base station decides to which base station the user equipment connection will be redirected based on the radio signal measurement reported by the user equipment. In link routing, the user equipment decides which base station to select, even though the fake base station may have the highest radio signal power. One might expect the user equipment to use a handover procedure to switch to a legitimate base station after detecting a fake base station, but this is not possible: the currently serving base station, i.e., the fake base station, will not transfer its connectivity to a legitimate base station, and even if it wanted to, the fake base station cannot make this transfer because it does not have any connectivity with the legitimate network.

5.2.2. Link Routing Scheme Design

Because the fake base station can launch a Sybil attack by taking a new identity and exploiting the deterministic base station selection algorithm to launch a denial-of-service attack, we design our link routing scheme as an active defense in which the user equipment selects a base station from a reputation vector, R (e.g., the base stations it was connected to before). R contains the identities of the legitimate base stations that the user equipment was previously connected to and received services from, and the attacker cannot manipulate the vector. As we mentioned in Section 3.3, 5G-AKA protects against fake base stations at the NAS layer; therefore, the user equipment can identify a base station as legitimate and add it to R after the successful NAS connection setup procedure. The user equipment could also obtain the legitimate base station identities from the core network. However, we take the former approach for building R (as shown in Step 5 of Algorithm 1) because R is based on the user equipment’s own experience and can differ between user equipment, which is effective in preventing fake base station attacks on a large scale. In link routing, we improve the current base station selection process by incorporating R so that the user equipment connects to a known base station. In contrast, in the current base station selection procedure, the user equipment does not use any connection history but blindly selects the base station that has the highest SNR and connects to it, as described in Section 3.2.
Algorithm 1: Fake Base Station Detection by User Equipment
We include our link routing scheme before the RRC connection setup procedure as illustrated in Figure 4. After the detection of a fake base station, the user equipment scans for the candidate base stations around it. Then it performs a lookup in the reputation vector, R, to verify if the base station is known and legitimate. After a successful lookup in R, it performs the radio connection switching and proceeds with the RRC connection setup procedure with the base station.

6. The Incorporation of Our Scheme in 5G Mobile Networking

We build our overall defense scheme based on the current 3GPP standard that is illustrated in Figure 4 as a flowchart. We show the current 3GPP standardized connection procedures in black-colored blocks in the flowchart whereas our scheme additions are in blue-colored blocks. Our detection scheme does not require any protocol changes but implements the scheme only on the user equipment, which allows efficient deployment.
As shown in Figure 4, in the initial state during the device powering on, if the user equipment does not detect any fake base stations, i.e., $D = 0$, then it proceeds with the RRC connection setup with a base station as described in Section 3.2. Our detection algorithm begins after setting up the RRC connection with the base station. We show the step-by-step procedure for the fake base station detection in Algorithm 1. After completing the RRC connection with the base station, the user equipment measures the elapsed time duration, T, and the number of transmitted registration request messages, N, before receiving the authentication request or reject message (the expected next message as illustrated in Figure 2a,c). If the measured time duration and the number of messages exceed their corresponding thresholds, $\tau_T$ and $\tau_N$ (discussed in Section 5.1), then our scheme detects the base station as fake. After detection, the user equipment disconnects from the base station, blacklists the base station as fake, and reinitiates the base station selection procedure. However, in current practice, the user equipment again establishes an RRC connection with the fake base station if the base station takes a new identity and transmits a system information message with a higher signal strength, because of the deterministic base station selection procedure described in Section 3.2. To address this problem, we use link routing for the user equipment to switch its connection to a base station that has a previous connection history with it (known legitimate base stations). Link routing is in effect only if the user equipment detects any fake base stations; otherwise, it uses the current base station selection procedure. The connection history is stored in the reputation vector (R), which is generated as a part of a legitimate base station connection and contains the legitimate base station identities.
When the user equipment does not detect a fake base station, it continues with the NAS connection setup with the base station and stores the base station identity in R. However, if the user equipment receives an authentication reject message, then it does not continue with the NAS connection setup but reinitiates the base station scanning procedure, which we omitted from the flowchart for simplicity (Figure 4).
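The procedure above (timer-counter detection and cell-ID blacklisting from Section 5.1, reputation-based link routing from Section 5.2, and the Figure 4 flow in this section) as an added Python simulation; this is illustrative code written for this page, not the paper’s srsRAN modification, and the base station models, cell IDs, SNR values and the 11 ms request interval are constructed assumptions, while the thresholds use the paper’s τ_T = 897 ms and τ_N = 66.

```python
from dataclasses import dataclass, field
from typing import Optional

# Thresholds chosen in Section 7.5 of the paper; everything else here is constructed.
TAU_T_MS = 897.0
TAU_N = 66
REQUEST_INTERVAL_MS = 11.0  # approximate request spacing observed in Section 7.3


@dataclass
class BaseStation:
    """Constructed model of a base station as the UE experiences it after RRC setup.
    "legit": answers the registration request after answer_after_ms (NAS proceeds).
    "faulty": legitimate but without core connectivity; sends an RRC release instead.
    "fake": never answers and holds the session indefinitely.
    """
    cell_id: str
    snr_db: float
    kind: str
    answer_after_ms: float = 100.0

    def respond(self, elapsed_ms: float) -> Optional[str]:
        if self.kind == "fake" or elapsed_ms < self.answer_after_ms:
            return None
        return "auth_request" if self.kind == "legit" else "rrc_release"


@dataclass
class UserEquipment:
    blacklist: set = field(default_factory=set)   # cell IDs detected as fake
    reputation: set = field(default_factory=set)  # R: cells that completed NAS setup before
    detected: bool = False                        # D in the Figure 4 flowchart

    def nas_setup(self, bs, tau_t_ms=TAU_T_MS, tau_n=TAU_N):
        """Registration loop after RRC setup; returns (verdict, T, N)."""
        t_ms, n = 0.0, 0
        while True:
            n += 1                        # one (re)transmission of the registration request
            msg = bs.respond(t_ms)
            if msg == "auth_request":     # legitimate: NAS continues and the cell joins R
                self.reputation.add(bs.cell_id)
                return "ok", t_ms, n
            if msg == "rrc_release":      # faulty but legitimate: released, not blacklisted
                return "release", t_ms, n
            # Detect only when BOTH thresholds are exceeded: T > tau_T and N > tau_N.
            if t_ms > tau_t_ms and n > tau_n:
                self.blacklist.add(bs.cell_id)
                self.detected = True
                return "fake", t_ms, n
            t_ms += REQUEST_INTERVAL_MS   # no answer yet: wait and retransmit

    def select(self, candidates):
        """Highest-SNR selection (current practice) unless a fake cell was detected;
        then link routing restricts the choice to cells in R, so a Sybil
        re-identification of the fake cell is never chosen."""
        usable = [b for b in candidates if b.cell_id not in self.blacklist]
        if self.detected:
            usable = [b for b in usable if b.cell_id in self.reputation]
        return max(usable, key=lambda b: b.snr_db) if usable else None


def faulty_is_not_blacklisted():
    """Faulty cell at the worst channel of Section 7.3 (release after ~822 ms):
    N passes tau_N before T passes tau_T, so the joint rule does not flag it."""
    ue = UserEquipment()
    faulty = BaseStation("cell-Q1", snr_db=10.0, kind="faulty", answer_after_ms=822.0)
    verdict, t_ms, n = ue.nas_setup(faulty)
    return verdict, t_ms, n, "cell-Q1" in ue.blacklist


def sybil_scenario():
    """Section 6 flow: the strongest cell is fake, gets detected and blacklisted,
    re-appears under a new cell ID, and link routing still returns the UE to the
    known-legitimate cell."""
    ue = UserEquipment()
    legit = BaseStation("cell-L1", snr_db=15.0, kind="legit")
    first = ue.nas_setup(ue.select([legit]))           # normal operation: R learns cell-L1
    fake = BaseStation("cell-F1", snr_db=25.0, kind="fake")
    victim = ue.select([legit, fake])                  # highest SNR wins: the fake cell
    verdict, t_ms, n = ue.nas_setup(victim)
    fake_again = BaseStation("cell-F2", snr_db=25.0, kind="fake")  # Sybil: new identity
    recovered = ue.select([legit, fake_again])
    return {"first": first[0], "victim": victim.cell_id, "verdict": verdict,
            "T_ms": t_ms, "N": n, "blacklist": sorted(ue.blacklist),
            "R": sorted(ue.reputation), "recovered": recovered.cell_id}


if __name__ == "__main__":
    print(faulty_is_not_blacklisted())
    print(sybil_scenario())
```

The faulty case shows why both thresholds are required: N crosses 66 well before T crosses 897 ms, so an N-only detector would have blacklisted a legitimate cell.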

7. Implementation and Experimental Results

We simulate the base station (and the backend core network) using a computer and the user equipment using a MiniPC, both of which include USRP B210 software-defined radios for the radio frontend. We use srsRAN v23.10 [38] for implementing the fake base station and the user equipment. To implement the backend 5G standalone core network, we use Open5GS v2.6.6 [39]. We modify the NAS- and RRC-layer source codes in srsRAN v23.10 at the base station and the user equipment to implement our attacks and defense mechanisms, respectively. Figure 5 shows our hardware setup for the implementation and experimentation.
This section mainly focuses on our experimental results with the faulty vs. fake base stations, except for Section 7.6. We verify that the connection works well with the legitimate base station (demonstrating the correctness of the 5G implementation) and that the fake base station can deprive the user equipment for an indefinitely long time. The faulty base station experiment in Section 7.3 informs the $\tau_T$ and $\tau_N$ selections. We vary and analyze the $\tau_T$ and $\tau_N$ parameters of our scheme for detecting and blacklisting a fake base station in Section 7.5; we also experimentally show how the use of both T and N measurements outperforms using either alone in our scheme.
In addition to the faulty vs. fake base station experiment, we also implement link routing in the user equipment and experiment with a fake and a legitimate base station. In the experimentation, we set up a fake base station along with a legitimate base station to demonstrate a Sybil attack, where the fake base station changes its identity after being blacklisted by the user equipment. We show that link routing enables the user equipment to recover from the fake base station and connect to the legitimate base station even though the fake base station still has the highest SNR compared with the legitimate base station. We analyze the performance of the link routing by measuring the time duration overhead in Section 7.6.

7.1. Implementation and Experimental Setup and Optimality for Threshold Selection

  • Legitimate vs. faulty vs. fake base stations
We implement the base station and the user equipment along with the connectivity setup between them described in Section 3.2, including RRC and NAS. We conduct three experimental scenarios where the base station is legitimate vs. faulty vs. fake. The legitimate base station operation is described in Section 3.2, while the faulty (accidental) and fake operations are described in Section 4.2 and Section 4.3, respectively. The faulty but legitimate base station ends the connectivity setup of NAS via connection release; in contrast, the fake base station continues to hold on to the NAS communication without explicitly ending the RRC/NAS connectivity setup.
  • Our scheme variants using different observations
Our scheme uses both the time duration T (the detector threshold is $\tau_T$) and the number of registration requests N (the detector threshold is $\tau_N$) as described in Section 5.1. In this section, we compare our scheme with our scheme variants using T only and using N only to better showcase the use of both T and N. Our scheme using both T and N for the detection and blacklisting outperforms the variants using T only or N only.
  • Optimality for threshold selection.
We define optimality with respect to the error performance. More specifically, we achieve optimal accuracy performance if the false-positive error is minimized first and then the false-negative error is minimized. If we can achieve a zero false-positive rate, we then minimize the false-negative rate. The false-positive error is prioritized because we design blacklisting and prioritize avoiding blacklisting legitimate base stations, which can be faulty (accidentally unable to provide connectivity at the time). The threshold achieving optimality does not need to be unique, i.e., there can be multiple thresholds which achieve minimum error performance. In fact, in our experiment, we have multiple thresholds achieving zero errors (zero false positives and zero false negatives), and we choose the lowest threshold values to make the detection more sensitive.

7.2. Testing without Our Scheme: No Availability against Fake Base Station

We empirically validate that the 5G connection works well when the base station is the legitimate base station. Against a fake base station, we test with our scheme enabled vs. disabled. This section focuses on the case when our scheme is disabled, while Section 7.5 analyzes when our scheme is enabled against fake base stations (as well as legitimate and faulty base stations). With our scheme disabled, the fake base station can engage and hold the user equipment for as long as it wishes. We implement the duration control for such withholding, and the user equipment attempts to connect to the fake base station by transmitting the registration request packets until the fake base station responds. If the fake base station chooses to continue to withhold, the user equipment continues with the connectivity setup protocol without trying another base station, depriving it of its connectivity availability.

7.3. Faulty (but Legitimate) Base Station Experiment: Varying the Signal Power

We validate the RRC- and NAS-layer setup measurements from faulty (but legitimate) base station experiments while varying the base station transmission power gain as shown in Figure 6. We select three different transmission powers (80, 85, and 90 dBm) of the base station to simulate the different channel conditions between the user equipment and the base station to measure the impact of received signal power on the RRC setup and NAS setup for the worst case of a faulty but legitimate base station. In this experiment, the user equipment connects to the base station only when the base station transmission power is greater than or equal to 80 dBm.
Figure 6a shows the RRC setup and NAS setup time duration when varying base station signal transmit power. The RRC setup time stays relatively consistent and only varies from 49 ms to 61 ms for three different transmission power gains of the base station. However, the NAS setup time duration decreases as the signal power gain increases, which indicates that the NAS connection setup time depends on the received signal power at the user equipment level, i.e., radio channel conditions. As compared to the RRC setup time, the NAS setup connection time at 80 dBm power level is 822.42 ms, while it is 474.94 ms at the highest power gain. Hence, within this time duration, the user equipment keeps sending registration requests to the core network until it obtains an RRC release message from the faulty base station, as discussed in Section 4.3.
We also validate the number of registration requests sent by the user equipment during NAS setup in the experimentation while varying the base station transmission power, as illustrated in Figure 6b. The figure shows the number of registration requests also depends on base station transmission power, i.e., received signal power at the user equipment level. The number of requests is 60 at the lowest transmission power, whereas it is 11 at the highest signal power. We also observe that the user equipment sends the registration request with an interval of 11 ms, approximately.
While we vary the transmitter power from the base station, this is equivalent to varying the transmitter–receiver distance and changing the channel state at the receiver user equipment level. In different channels, the T and N measurements change. We make our scheme generalizable across different communication channels (i.e., effectively working in different channels) by using the control parameters, which are threshold variables. The threshold values change in different channel scenarios.

7.4. Faulty Experiment Informs Threshold Control

We use fake base station detection and blacklisting while ensuring that faulty base stations are not detected as fake base stations and blacklisted. Blacklisting a temporarily faulty base station, e.g., one with no connectivity at the time, can have a lasting impact on the base station and deprive the user equipment of options when trying to access cellular service in the future. Because of this importance, our analyses focus on the false-positive probability/rate, corresponding to when the base station is actually legitimate but faulty and our scheme detects it as a fake base station and blacklists it.
To achieve a minimum false-positive rate, our scheme selects the optimal threshold by using reference values that are informed by the faulty base station experiment. The reference values for obtaining the optimum thresholds can be derived at the user equipment level under the worst radio channel condition with the faulty base station. The faulty base station establishes a radio connection with the user equipment and releases the connection afterward due to the worst channel conditions. Because our reference values come from the worst channel conditions, the optimal thresholds hence ensure fake base station detection with zero false positives under varying network conditions. The concrete analyses for our detection threshold control are described in the next section, Section 7.5.

7.5. Detection Accuracy Performance against Fake Base Station

We test our scheme against a legitimate base station, a faulty (but legitimate) base station, and a fake base station while varying $\tau_T$ ($494\ \text{ms} < \tau_T < 1893\ \text{ms}$) and $\tau_N$ ($36 < \tau_N < 138$). Our scheme correctly decides the legitimate base station and the fake base station with 100% accuracy, i.e., our scheme yields 0 (not a fake base station) for all of the legitimate base station experiments, and it yields 1 (a fake base station) for all of the fake base stations. Against a legitimate base station, our scheme correctly does not detect and blacklist the base station. Against a fake base station persistently withholding the connection, our scheme correctly decides that it is a fake base station, and the false-negative rate is zero.
In the faulty (but legitimate) base station experiments, i.e., when testing our scheme against a faulty base station, we observe errors when varying $\tau_T$ and $\tau_N$. Because the faulty base station is still legitimate, it is incorrect to detect, classify, and blacklist it as a fake base station. Varying τ can yield false positives, where a faulty base station’s connectivity setup (RRC/NAS) is detected and blacklisted as a fake base station. We analyze such errors because we want to reduce and avoid blacklisting a faulty but legitimate base station.
We vary the τ thresholds ($\tau_T$ and $\tau_N$) and compare our scheme using both T and N observations vs. our scheme variant using only T vs. our scheme variant using only N. We first jointly vary $\tau_T$ and $\tau_N$ and show our results. To jointly vary the τs, we introduce the τ ratio, which is the ratio between the τ value and some reference value $\tau_0$. The $\tau_T$ ratio is equal to $\tau_T / \tau_{T,0}$, where $\tau_{T,0} = 823$ ms; the $\tau_N$ ratio is equal to $\tau_N / \tau_{N,0}$, where $\tau_{N,0} = 60$ requests. For example, if the $\tau_T$ ratio is equal to two, $\tau_T = 1646$ ms, which is double $\tau_{T,0} = 823$ ms. While the reference values (the denominators of the τ ratio) can be chosen differently, we choose $\tau_{T,0} = 823$ ms and $\tau_{N,0} = 60$ requests, as these are the average values (rounded) of the faulty base station experiments when the base station’s transmission power is the lowest and thus the values are the highest, as described in Section 7.3. In Section 7.3, we observe that the 95% confidence interval is small, so we expect $\tau_T = \tau_{T,0} = 823$ ms and $\tau_N = \tau_{N,0} = 60$ to have a relatively small number of false-positive errors.
Figure 7a shows the results of jointly varying $\tau_T$ and $\tau_N$ while keeping the $\tau_T$ ratio and the $\tau_N$ ratio equal, i.e., $\tau_T$ ratio = $\tau_N$ ratio. The false-positive rate/probability decreases as we increase τ for both T and N, because increasing τ reduces the detection sensitivity and the occurrences of deciding 1 (deciding that it is a fake base station). We also see that our scheme using both T and N observed information outperforms our scheme variants using either alone. For example, when the $\tau_T$ ratio and $\tau_N$ ratio are both equal to one (i.e., $\tau_T = 823$ ms and $\tau_N = 60$), our scheme’s false-positive rate is 0.0053, while using T only has a false-positive rate of 0.1467 and using N only has a false-positive rate of 0.0213. Using both pieces of information provides better/lower error rates; while our scheme using both T and N provides a very small false-positive rate of 0.0053, it still makes errors and blacklists the faulty but legitimate base station with a probability of 0.0053.
Our threshold selection is based on the optimality definition in Section 7.1, i.e., to minimize the error performance. Because we already achieved a zero false-negative rate, i.e., all the fake base station experimental samples are detected, our threshold selections achieve optimality by yielding a zero false-positive rate. In Figure 7a, the optimal τ ratio is equal to 1.09 if $\tau_T$ ratio = $\tau_N$ ratio, i.e., the optimal $\tau_T$ is equal to 897 ms while the optimal $\tau_N$ is equal to 66.
Figure 7b,c vary the two threshold parameters individually, without the constraint $\tau_T$ ratio = $\tau_N$ ratio, i.e., we fix one threshold while varying the other. The fixed values are the optimal values in Figure 7a when we jointly vary the detection threshold parameters, i.e., $\tau_T = 897$ ms and $\tau_N = 66$. Figure 7b varies $\tau_N$ while fixing $\tau_T = 897$ ms. Our scheme variant using T only has a constant error performance value because that scheme only compares T against $\tau_T = 897$ ms; N is not used, and varying $\tau_N$ has no effect on this scheme variant. Because $\tau_T = 897$ ms, our scheme using both T and N provides better results than jointly varying $\tau_T$ and $\tau_N$ when $\tau_N$ is less than $\tau_{N,0} = 60$. Fixing $\tau_T = 897$ ms, the optimal $\tau_N$ is equal to 66.
When varying $\tau_T$ while fixing $\tau_N = 66$ in Figure 7c, the optimal $\tau_T$ is equal to 840 ms. This optimal $\tau_T$ is different from and lower than 897 ms, the optimal $\tau_T$ threshold value when jointly varying the detection thresholds with the constraint of equal $\tau_T$ ratio and $\tau_N$ ratio in Figure 7a. Based on these results, our scheme uses $\tau_T = 897$ ms and $\tau_N = 66$ to provide zero errors in our experiment involving legitimate, faulty but legitimate, and fake base stations.
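The threshold-selection procedure of Sections 7.1 and 7.5 (joint variation with τ_T ratio = τ_N ratio, zero false positives first, then zero false negatives, then the lowest threshold, for the full scheme and its T-only and N-only variants) as an added Python example written for this page; the (T, N) samples are constructed for illustration and are not the paper’s measurements, and only the reference values 823 ms and 60 requests come from the paper.

```python
import math

# Reference values from the worst-channel faulty experiment (Sections 7.3 and 7.5).
TAU_T0_MS = 823.0
TAU_N0 = 60

# Constructed faulty-but-legitimate samples (T in ms, N requests); flagging any of
# these is a false positive, i.e., blacklisting a legitimate cell.
FAULTY_SAMPLES = [(800, 58), (850, 55), (790, 63), (830, 61),
                  (900, 57), (810, 70), (860, 59), (820, 60)]
# Constructed fake samples: the fake cell never answers, so T and N are unbounded
# and any finite threshold pair is eventually exceeded (false negatives stay zero).
FAKE_SAMPLES = [(math.inf, math.inf)] * 4


def detect(t_ms, n, tau_t, tau_n, variant="both"):
    """Detector output (True = fake) for the full scheme and its T-only / N-only variants."""
    if variant == "T":
        return t_ms > tau_t
    if variant == "N":
        return n > tau_n
    return t_ms > tau_t and n > tau_n


def error_rates(tau_t, tau_n, variant="both"):
    """(false-positive rate over faulty samples, false-negative rate over fake samples)."""
    fp = sum(detect(t, n, tau_t, tau_n, variant) for t, n in FAULTY_SAMPLES) / len(FAULTY_SAMPLES)
    fn = sum(not detect(t, n, tau_t, tau_n, variant) for t, n in FAKE_SAMPLES) / len(FAKE_SAMPLES)
    return fp, fn


def sweep_joint(variant="both", ratios=None):
    """Jointly vary the thresholds with tau_T ratio == tau_N ratio (as in Figure 7a);
    returns a list of (ratio, fp, fn)."""
    ratios = ratios or [i / 100 for i in range(100, 131)]
    return [(r,) + error_rates(TAU_T0_MS * r, TAU_N0 * r, variant) for r in ratios]


def optimal_ratio(variant="both"):
    """Optimality rule of Section 7.1: minimise FP, then FN; among ties take the
    lowest ratio so that detection stays as sensitive as possible."""
    fp, fn, r = min((fp, fn, r) for r, fp, fn in sweep_joint(variant))
    return r, TAU_T0_MS * r, TAU_N0 * r, fp, fn


if __name__ == "__main__":
    for variant in ("both", "T", "N"):
        print(variant, "at ratio 1:", error_rates(TAU_T0_MS, TAU_N0, variant),
              "optimal:", optimal_ratio(variant))
```

On these constructed samples the joint rule reaches zero false positives at a lower ratio than either single-observation variant, which is the qualitative effect the paper reports in Figure 7a.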

7.6. Link Routing Performance Analysis

We implement a proof of concept of our link routing scheme, and it works correctly, i.e., the next base station is chosen among those that have been seen and used before (those which have provided connectivity before). Unlike the current practice, which has the victim UE stay with the fake base station, our link routing scheme enables recovery from the fake base station by dropping the connection to it and rerouting the RRC connection to a legitimate base station.
In this section, we focus on the performance overheads of our link routing scheme. For the performance overhead, we measure the switching time duration overhead, i.e., the time required for the user equipment to recover from the fake base station after detection. We also measure the overhead of storing and looking up a base station in the reputation vector (R) with 150 known base stations within the vector. Figure 8 shows the link routing overheads. We use a 95% confidence interval for the “switching” time duration overhead only, because we measure it over 600 samples. For “storing” and “lookup”, we take the average of 100,000 instances of storing and looking up. For the proof-of-concept implementation of our link routing, the user equipment requires 2029.11 ms, i.e., 2.03 s, to redirect its RRC connection from the fake base station to the legitimate base station. This is $2029.11 / 897 \approx 2.26$ times the base station detection time. The time durations for storing the base station in R and looking up in R to check if a base station is within the list are 0.06 ms and 0.04 ms, respectively, which are roughly five orders of magnitude lower than the switching time duration.

7.7. Threat Impact Analyses

With our detection and link routing scheme, we can minimize the availability threat impact from an indefinitely long time to a few seconds. Without our defense scheme, the fake base station can deprive the user equipment of cellular services from the legitimate base station for an indefinitely long time, as we describe in Section 4.1. However, with our scheme implemented, the threat impact is significantly shorter in time duration. The user equipment can restore its RRC connection from the fake base station to the legitimate base station within $2029.11 + 897 = 2926.11$ ms = 2.93 s. The restoration time is the sum of the detection time duration ($\tau_T = 897$ ms, discussed in Section 7.5) and the link routing switching time duration (2029.11 ms, discussed in Section 7.6). The detection contributes around 30% and the link routing around 70% of the restoration time, measured from the attack launch in our implementation. The threat impact time duration can be minimized further by reducing the switching time duration, because the detection time duration depends on radio channel conditions and the faulty base station approximation. The switching time duration can be minimized further with engineering effort because, in our implementation, we reset the software radio to start the base station scanning process, which takes a significant amount of time.

8. Future Directions Discussion

8.1. More Advanced Threats

Similar to many other detection-based schemes, there can be a fake base station that avoids detection, i.e., it is not detected as a fake base station, but that would require the attacker to reduce its availability threat impact and release the connectivity setup. This effectively reduces fake base station behavior to faulty base station behavior, i.e., the attacker behaves like a faulty base station. We consider our detection to be successful because, in such a case, the attacker behavior reduces to that of a legitimate but faulty base station, and it explicitly releases the connection. While our scheme does not raise the flag for detection/blacklisting, it effectively reduces the threat impact on availability.
If the fake base station takes an identity that is listed as a known base station in the user equipment reputation list, then the user equipment can connect to the fake base station. In that case, the detection scheme blacklists the base station, and as a consequence, the fake base station defames a legitimate base station. Our link routing scheme can include randomized base station selection in addition to the reputation list. This randomized base station selection can also be useful in a situation where the user equipment enters a location where there is no base station within its reputation list. In such a scenario, if the user equipment detects a fake base station, then it cannot switch its connectivity to a legitimate base station because the legitimate base stations around it are not in its reputation list. In such a situation, the user equipment can use a randomized algorithm to select a base station rather than selecting the base station around it that has the highest signal strength. The fake base station cannot exploit the randomized selection to make the user equipment connect to it with 100% probability.
An attacker can attempt to launch a threat beyond just availability and disrupting the connectivity, such as attempting to make the victim user equipment connect to a fake server. However, due to the core network’s public key in the user equipment’s physical USIM, as described in Section 3.3, such a threat requires breaking public-key cryptography (public-key key exchange) and is thus infeasible.

8.2. Advancing Detection

Our work focuses on threat detection and blacklisting, targeting fake base stations with malicious intent. Our work can extend to a multiclass detection scheme with distinct layers and levels for different classes, including the faulty anomaly class. For example, instead of the binary classification of fake vs. legitimate, we can combine anomaly and threat detection and introduce three classes of fake vs. faulty vs. legitimate.
For richer detection, we can combine our information features for detection and blacklisting with those from the previous research described in Section 2.2. However, we focus on our research/novel contributions (the observations of the time and number of request transmissions, which have not been analyzed in the previous research in fake base station detection) and their performances and analyses in this paper.
Another future direction will be to design and implement dynamic and adaptive schemes. Such dynamic control and adaptability can be applied to detection, including controlling and varying the threshold values.
Machine learning, for example reinforcement learning based on a connectivity service reward or anomaly detection based on deviations from the set protocol, can be used as an alternative detection mechanism.

8.3. Advancing Blacklisting and Active Control

While our current work focuses on blacklisting, how such blacklisting is used for active control remains future work. We expect our blacklisting to inform the base station selection, but the concrete mechanisms for how the blacklist is communicated and utilized remain future work.

8.4. Generalizability across Different Channels and Scenarios

We plan to implement our scheme and evaluate its effectiveness and performance in different channel scenarios, including cases where the surrounding base stations vary, the handover case, and high-fading cases (e.g., an urban environment with moving objects between the transmitter and the receiver). Section 7.3 varies the channel state by varying the transmission power and thus the received signal strength, but there are further channel scenarios that change the surrounding base stations beyond just the transmitter–receiver relationship.

8.5. Impacts on Multimedia, Teleinformatics, and IoT Communications

Cellular networking based on base stations, such as 4G LTE and 5G NR, is popularly used for multimedia, teleinformatics, and IoT communications. In urban and developed communities, in contrast to wireless local area network (WLAN) or Wi-Fi based on access points, cellular networking coverage is not limited to local areas and therefore supports communication applications across larger geographical regions, for example, across towns and cities. In some underdeveloped communities lacking the WLAN infrastructure, cellular networking provides the dominant communication infrastructure to support multimedia and IoT applications.
The disruption of connectivity provision and availability by fake base stations, the subject threat of this paper, disables the communication infrastructure operations and thus disables the applications built on and relying on that infrastructure. Under a successful fake base station attack, therefore, no data handling or services are available for any communication application, including multimedia and IoT applications. Our work enables recovery from such threats by detecting, blacklisting, and avoiding fake base stations, i.e., detection triggers reconnection and link routing to avoid fake base stations. As a result, the user equipment can recover from a fake base station attack and connect to a different, legitimate base station to enable connectivity provision and multimedia, teleinformatics, and IoT applications. Future directions include investigating the impact of our defense scheme implementation on such applications (especially those with mission-critical or low-latency requirements, cf. 5G Ultra-Reliable Low-Latency Communication, or URLLC) and the design and implementation advancements needed to fulfill the application requirements in availability, reliability, latency, or bandwidth.

9. Conclusions

We designed and built a fake base station detection, blacklisting, and link routing scheme against fake base stations for user equipment. We implemented and validated different base station scenarios (legitimate, fake, and faulty) using software-defined radios and the open-source software srsRAN. We empirically implemented the faulty base station scenario and measured the time duration for the RRC and NAS to evaluate the performance of our scheme. We analyzed the performance of our scheme by varying the threshold values to obtain the optimal thresholds so that our scheme detects and blacklists only fake base stations instead of unintentionally faulty base stations, i.e., zero false positives. To achieve zero false positives, we found that using both NAS-layer connection time and the number of registration requests as thresholds rather than using either one of them alone provides better performance in terms of faster and more accurate detection of fake base stations. We also implemented and validated link routing to show that the user equipment can evade a fake base station attack after detection. In the implementation, we showed that our scheme reduces the fake base station availability threat impact from an infinite time duration (without our scheme defense) to only 2.93 s (with our scheme defense).

Author Contributions

Conceptualization, S.P. and S.-Y.C.; Methodology, S.P. and S.-Y.C.; Software, S.P.; Validation, S.P. and S.-Y.C.; Investigation, S.P. and S.-Y.C.; Resources, J.K. (Jinoh Kim), J.K. (Jonghyun Kim) and S.-Y.C.; Data curation, S.P.; Writing—original draft, S.P. and S.-Y.C.; Writing—review & editing, S.P., J.K. (Jinoh Kim), J.K. (Jonghyun Kim) and S.-Y.C.; Visualization, S.P.; Supervision, J.K. (Jinoh Kim) and S.-Y.C.; Project administration, J.K. (Jinoh Kim), J.K. (Jonghyun Kim) and S.-Y.C.; Funding acquisition, J.K. (Jinoh Kim), J.K. (Jonghyun Kim) and S.-Y.C. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2021-0-00796, Research on Foundational Technologies for 6G Autonomous Security-by-Design to Guarantee Constant Quality of Security).

Data Availability Statement

The raw data supporting the conclusions of this article will be made available by the authors on request.

Acknowledgments

This work extends our previous conference paper [40] and a poster paper [41]. In addition to overall presentation and writing improvements, we extend our conference paper by incorporating more sophisticated threats and designing an active measure against them. More specifically, we include the Sybil threat, where a fake base station changes its identity before relaunching the attack after being blacklisted by the user equipment. To defend against such an attack, we introduce link routing as an active defense mechanism that redirects the user equipment from the fake base station to a legitimate base station. In our scheme implementation, we use a reputation vector that contains the base stations that served the user equipment in the past when redirecting the connection to a legitimate base station. We updated the design for active and passive defense, implemented the design, and analyzed the performance of the scheme in this journal manuscript. We thank the anonymous reviewers for their valuable feedback to improve this work. We also thank the Korea government (MSIT) for supporting this work.

Conflicts of Interest

The authors declare no conflicts of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; or in the decision to publish the results.

References

  1. Arise, H. Mobile or Cellular Hacking. 2023. Available online: https://www.hackers-arise.com/mobile-or-cellular-hacking (accessed on 20 February 2024).
  2. Toscher, A.M.; Margaritelli, S. Awesome-Cellular-Hacking Public. 2023. Available online: https://github.com/W00t3k/Awesome-Cellular-Hacking (accessed on 20 February 2024).
  3. 5G NR; User Equipment (UE) Procedures in Idle Mode and in RRC Inactive State. 3GPP TS 38.304 Version 17.0.0; 2022. Available online: https://www.etsi.org/deliver/etsi_ts/138300_138399/138304/17.00.00_60/ts_138304v170000p.pdf (accessed on 28 August 2024).
  4. Lee, G.; Lee, J.; Lee, J.; Im, Y.; Hollingsworth, M.; Wustrow, E.; Grunwald, D.; Ha, S. This is your president speaking: Spoofing alerts in 4G LTE networks. In Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services, Seoul, Republic of Korea, 17–21 June 2019; pp. 404–416.
  5. Yang, H.; Bae, S.; Son, M.; Kim, H.; Kim, S.M.; Kim, Y. Hiding in plain signal: Physical signal overshadowing attack on LTE. In Proceedings of the 28th USENIX Security Symposium (USENIX Security 19), Santa Clara, CA, USA, 14–16 August 2019; pp. 55–72.
  6. Bitsikas, E.; Pöpper, C. You have been warned: Abusing 5G’s warning and emergency systems. In Proceedings of the 38th Annual Computer Security Applications Conference, Austin, TX, USA, 5–9 December 2022; pp. 561–575.
  7. Bitsikas, E.; Pöpper, C. Don’t hand it over: Vulnerabilities in the handover procedure of cellular telecommunications. In Proceedings of the Annual Computer Security Applications Conference, Virtual, USA, 6–10 December 2021; pp. 900–915.
  8. Karakoc, B.; Fürste, N.; Rupprecht, D.; Kohls, K. Never let me down again: Bidding-down attacks and mitigations in 5G and 4G. In Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Guildford, UK, 29 May–1 June 2023; Association for Computing Machinery: New York, NY, USA, 2023; pp. 97–108.
  9. Shaik, A.; Borgaonkar, R.; Park, S.; Seifert, J.P. New vulnerabilities in 4G and 5G cellular access network protocols: Exposing device capabilities. In Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks, Miami, FL, USA, 15–17 May 2019; pp. 221–231.
  10. Li, Z.; Wang, W.; Wilson, C.; Chen, J.; Qian, C.; Jung, T.; Zhang, L.; Liu, K.; Li, X.; Liu, Y. FBS-radar: Uncovering fake base stations at scale in the wild. In Proceedings of the 24th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, 26 February–1 March 2017.
  11. Wen, H.; Porras, P.; Yegneswaran, V.; Lin, Z. Thwarting smartphone SMS attacks at the radio interface layer. In Proceedings of the 30th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, 27 February–3 March 2023.
  12. Hussain, S.R.; Echeverria, M.; Karim, I.; Chowdhury, O.; Bertino, E. 5GReasoner: A property-directed security and privacy analysis framework for 5G cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, London, UK, 11–15 November 2019; pp. 669–684.
  13. Shaik, A.; Borgaonkar, R.; Park, S.; Seifert, J.P. On the impact of rogue base stations in 4G/LTE self organizing networks. In Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks, Stockholm, Sweden, 18–20 June 2018; pp. 75–86.
  14. Shaik, A.; Seifert, J.; Borgaonkar, R.; Asokan, N.; Niemi, V. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. In Proceedings of the 23rd Annual Network and Distributed System Security Symposium (NDSS 2016), San Diego, CA, USA, 21–24 February 2016; The Internet Society: Reston, VA, USA, 2016.
  15. Zhuang, Z.; Ji, X.; Zhang, T.; Zhang, J.; Xu, W.; Li, Z.; Liu, Y. FBSleuth: Fake base station forensics via radio frequency fingerprinting. In Proceedings of the 2018 Asia Conference on Computer and Communications Security, Incheon, Republic of Korea, 4 June 2018; pp. 261–272.
  16. Mubasshir, K.S.; Karim, I.; Bertino, E. FBSDetector: Fake Base Station and Multi Step Attack Detection in Cellular Networks using Machine Learning. arXiv 2024, arXiv:2401.04958.
  17. Zhang, Y.; Liu, B.; Lu, C.; Li, Z.; Duan, H.; Hao, S.; Liu, M.; Liu, Y.; Wang, D.; Li, Q. Lies in the air: Characterizing fake-base-station spam ecosystem in China. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual, USA, 9–13 November 2020; pp. 521–534.
  18. 5G NR; Radio Resource Control (RRC); Protocol Specification. 3GPP TS 38.331 Version 17.2.0; 2022. Available online: https://www.etsi.org/deliver/etsi_ts/138300_138399/138331/17.02.00_60/ts_138331v170200p.pdf (accessed on 28 August 2024).
  19. Hussain, S.R.; Echeverria, M.; Singla, A.; Chowdhury, O.; Bertino, E. Insecure connection bootstrapping in cellular networks: The root of all evil. In Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks, Miami, FL, USA, 15–17 May 2019; pp. 1–11.
  20. Singla, A.; Behnia, R.; Hussain, S.R.; Yavuz, A.; Bertino, E. Look before you leap: Secure connection bootstrapping for 5G networks to defend against fake base-stations. In Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, Virtual, Hong Kong, 7–11 June 2021; pp. 501–515.
  21. Lotto, A.; Singh, V.; Ramasubramanian, B.; Brighente, A.; Conti, M.; Poovendran, R. BARON: Base-station authentication through core network for mobility management in 5G networks. In Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Guildford, UK, 29 May–1 June 2023; pp. 133–144.
  22. Gao, H.; Zhang, Y.; Wan, T.; Zhang, J.; Duan, H. On evaluating delegated digital signing of broadcasting messages in 5G. In Proceedings of the 2021 IEEE Global Communications Conference (GLOBECOM), Madrid, Spain, 7–11 December 2021; IEEE: Piscataway, NJ, USA, 2021; pp. 1–7.
  23. Study on 5G Security Enhancements Against False Base Stations. 3GPP TR 33.809 Version 0.8.0; 2021. Available online: https://www.3gpp.org/ftp//Specs/archive/33_series/33.809/33809-080.zip (accessed on 28 August 2024).
  24. Chang, S.Y.; Sarker, A.; Wuthier, S.; Kim, J.; Kim, J.; Zhou, X. Base station gateway to secure user channel access at the first hop edge. Comput. Netw. 2024, 240, 110165.
  25. Cao, Z.; Zhou, X.; Xu, M.; Chen, Z.; Hu, J.; Tang, L. Enhancing base station security against DoS attacks in wireless sensor networks. In Proceedings of the 2006 International Conference on Wireless Communications, Networking and Mobile Computing, Wuhan, China, 22–24 September 2006; pp. 1–4.
  26. Kang, M.S.; Lee, S.B.; Gligor, V.D. The crossfire attack. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 19–22 May 2013; pp. 127–141.
  27. Kang, M.S.; Gligor, V.D. Routing bottlenecks in the Internet: Causes, exploits, and countermeasures. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, 3–7 November 2014; pp. 321–333.
  28. Chang, S.Y.; Park, Y.; Ashok Babu, B.B. Fast IP Hopping Randomization to Secure Hop-by-Hop Access in SDN. IEEE Trans. Netw. Serv. Manag. 2019, 16, 308–320.
  29. Javadpour, A.; Ja’fari, F.; Taleb, T.; Shojafar, M.; Yang, B. SCEMA: An SDN-Oriented Cost-Effective Edge-Based MTD Approach. IEEE Trans. Inf. Forensics Secur. 2023, 18, 667–682.
  30. Nie, S.; Li, S.; Xue, L.; Zhang, L. Security analysis of 5G handover in commercial networks utilizing a formal method. In Proceedings of the 2023 11th International Conference on Information Systems and Computing Technology (ISCTech), Qingdao, China, 30 July–1 August 2023; IEEE: Piscataway, NJ, USA, 2023; pp. 439–446.
  31. Sivaraman, N.; Tehrani, S.N. 5G handover: When forward security breaks. In Proceedings of SECRYPT 2023, 20th International Conference on Security and Cryptography, Rome, Italy, 10–12 July 2023; Volume 1, pp. 503–510.
  32. Amirbekov, Y.; Bozkaya, E. Secure Handover Management Against False Base Station Attacks. Bitlis Eren Üniv. Fen Bilim. Derg. 2023, 12, 704–711.
  33. Kim, J.; Duguma, D.G.; Astillo, P.V.; Park, H.Y.; Kim, B.; You, I.; Sharma, V. A formally verified security scheme for inter-gNB-DU handover in 5G vehicle-to-everything. IEEE Access 2021, 9, 119100–119117.
  34. Scholtz, R. The Spread Spectrum Concept. IEEE Trans. Commun. 1977, 25, 748–755.
  35. Popper, C.; Strasser, M.; Capkun, S. Anti-jamming broadcast communication using uncoordinated spread spectrum techniques. IEEE J. Sel. Areas Commun. 2010, 28, 703–715.
  36. Chang, S.Y.; Hu, Y.C.; Laurenti, N. SimpleMAC: A jamming-resilient MAC-layer protocol for wireless channel coordination. In Proceedings of the 18th Annual International Conference on Mobile Computing and Networking (Mobicom ’12), Istanbul, Turkey, 22–26 August 2012; Association for Computing Machinery: New York, NY, USA, 2012; pp. 77–88.
  37. Lakshminarayana, S.; Karachiwala, J.S.; Chang, S.Y.; Revadigar, G.; Kumar, S.L.S.; Yau, D.K.; Hu, Y.C. Signal Jamming Attacks Against Communication-Based Train Control: Attack Impact and Countermeasure. In Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks (WiSec ’18), Stockholm, Sweden, 18–20 June 2018; Association for Computing Machinery: New York, NY, USA, 2018; pp. 160–171.
  38. Software Radio Systems. srsRAN Project. 2022. Available online: https://github.com/srsran/srsRAN_Project (accessed on 28 August 2024).
  39. Lee, S. Open5GS. 2022. Available online: https://github.com/open5gs (accessed on 28 August 2024).
  40. Purification, S.; Wuthier, S.; Kim, J.; Kim, J.; Chang, S.Y. Fake Base Station Detection and Blacklisting. In Proceedings of the 33rd International Conference on Computer Communications and Networks (ICCCN), Honolulu, HI, USA, 29–31 July 2024.
  41. Purification, S.; Park, K.; Kim, J.; Kim, J.; Chang, S.Y. Wireless Link Routing to Secure Against Fake Base Station in 5G. In Proceedings of the 2024 Silicon Valley Cybersecurity Conference (SVCC), Seoul, Republic of Korea, 17–19 June 2024.
Figure 1. 5G cellular network architecture with network entities, including user equipment, base station, and 5G core network.
Figure 2. The protocol between user equipment, base station, and core network for setting up connectivity, including RRC and NAS. The RRC process between the user equipment and the base station (yellow-shaded) precedes the NAS process between the user equipment and the core network via the base station (blue-shaded). In NAS, the registration request can be repeated until the authentication request is received. The three figures differ in the nature of the base station scenarios: legitimate and working (green) vs. fake (red) vs. faulty (yellow). (a) The legitimate base station operates according to the 3GPP standardized protocol [18]. (b) The fake base station does not comply with the protocol and ceases transmission after receiving the registration request. (c) The unintentionally faulty base station sends an RRC release and authentication reject, notifying the user of the connectivity disruption.
Figure 3. Proof of concept fake base station attack on an Android user equipment device connected to a real-world 4G LTE network.
Figure 4. Flowchart of our fake base station (BS) detection and link routing during RRC and NAS connection setup procedure. The black-colored blocks represent 3GPP standards and the blue-colored blocks represent our additions to the standards.
Figure 5. Hardware setup for our implementation and experiment where the distance between the base station and user equipment is 5 m. The backend core network coexists with the base station in the same computer.
Figure 6. Faulty but legitimate base station experimentation measurements at the user equipment level while varying transmission power at the base station. The plots include the averages and the 95 % confidence interval. (a) RRC and NAS time duration between the UE and base station. (b) Number of registration requests sent by the user equipment.
Figure 7. Error (false-positive rate) performances while varying $\tau$. (a) $\tau_T$ and $\tau_N$ vary jointly with an equal $\tau$. (b) $\tau_T = 897$ ms and $\tau_N$ varies. (c) $\tau_N = 66$ and $\tau_T$ varies.
Figure 8. Link routing overhead in the time duration of storing, looking up the base station in the reputation vector, and switching connectivity to the legitimate base station.