The theory of fake BTS and recognition method


The theory of Fake BTS
A fake BTS is usually composed of a host and an SMS group sender. It can collect the SIM information of nearby phones and send group messages to the users by disguising itself as the operator's BTS; the messages carry fraud, advertising and similar content.
Impact to network!
1. Get IMSI from the UE.
2. Broadcast cheat/advertisement messages to the UE.
3. The fake BTS imitates a real user to access the network (calling, internet, etc.).
Diagram: normal BTS vs fake BTS. The fake BTS uses big power (strong signal) and a fake LAC/TAC; the UE performs LAU to the fake BTS, and after the fake BTS has got the information it sends an LAU reject or TAU reject to the UE, which then performs LAU back to the normal BTS.

How does the fake BTS synchronize with the normal BTS and absorb UEs?
GSM reselection rules:
1. BA1 list: the UE listens to the broadcasts of the cells in the BA1 list, which contains only BCCH frequencies (no CI, BSIC, LAC, etc.), so any cell on the same BCCH is regarded by the UE as a reselection candidate.
2. Better-signal rule: if the UE receives a neighbour cell's signal with a better C2 value than the current serving cell for 5 seconds continuously, it reselects to the neighbour cell with the better C2 value.
Remark: C2 = C1 + CRO, and C1 = Rxlev - RXMIN.

Diagram: normal BTS and fake BTS as seen by the UE.

Fake BTS Work Process Analysis

1. The fake BTS increases its transmit power and makes the mobile reselect to the fake cell.
2. The mobile starts a Location Update with IMSI/IMEI to the fake BTS.
3. The fake BTS gets the mobile's IMSI/IMEI and sends spam messages, and ...

Diagram: the fake BTS simulates BTS + BSC + CN, connected over IP to the SMS scammer, beside the normal network (mobile, normal BTS, BSC). Flow shown: big power and a different LAC (most scenarios); selection to the fake BTS; Location Update (fake success); the fake BTS sends SMS to the mobile (success) and gets the IMSI; the fake BTS modifies its LAC; the mobile performs an LAC update and receives LAU reject (cause #12, #13; the UE's LAC becomes 0 or 65534); LAC update to the normal network (success). Because of the LAU from the fake BTS back to the normal BTS, LAU attempts increase significantly.

UE message tracing in the normal BTS (mobile access to normal BTS process):
1. Start Location Update to the fake BTS.
2. Location Update success.
3. Fake BTS sends message (success).
4. Fake BTS modifies its LAC; location update.
5. Fake BTS rejects the mobile.
6. Mobile reselects to the normal BTS.
7. Normal BTS LAU success.

The impact of Fake BTS

1. Capture SIM information by a message receive/send machine.
2. Capture criminals by getting IMSI info.
3. Use other people's numbers by disguising as the operator's BTS.
4. Send rubbish messages to users.
5. Impact KPI: produce many LAU/TAU requests, causing many handover failures.

Why can fake BTS exist?
GSM uses single-direction authentication according to the protocol; LTE uses double-direction (mutual) authentication.

GSM flow: the network gets RAND from the AUC and sends RAND to the UE; the UE generates SRES and Kc and sends SRES; the network compares SRES and reports success. The UE never verifies the network, so it is easy for a fake BTS to attach it.

LTE flow: the network sends RAND to the UE; the UE verifies the network, then sends RES; the network gets RES, verifies the UE and reports success. Better than GSM, but the UE can still be attached by a fake BTS.

According to 3GPP TS 24.301, after the integrity protection algorithm is activated, NAS messages are integrity protected, and messages that fail the check are discarded. However, several signalling messages do not require integrity protection, including IDENTITY REQUEST (if the requested identification parameter is IMSI), so an LTE fake BTS uses this signalling to collect users' sensitive information.
1st Step: Recognize fake BTS by the L2G ANR feature
Activate the L2G ANR function; all external GSM neighbours will be reported in the list below:

If an external GSM neighbour does not belong to the current network, it can be concluded to be a fake BTS.

Activation for L2G ANR function
MOD GLOBALPROCSWITCH: ProtocolMsgOptSwitch=GeranAnrMcOptSwitch-1;
MOD ANR: FastAnrRprtAmount=r4, FastAnrRprtInterval=5120ms, FastAnrCheckPeriod=1440, FastAnrInterRatMeasUeNum=5,
FastAnrInterRatUeNumThd=120, OptMode=CONTROLLED, FastAnrRssiThd=-103, FastAnrMode=NCL_NRT_MODE,
MOD ENODEBALGOSWITCH: AnrSwitch=GeranFastAnrSwitch-1&GeranAutoNrtDeleteSwitch-1;
MOD CELLALGOSWITCH: LocalCellId=0, AnrFunctionSwitch=INTER_RAT_ANR_SW-1;

Parameters Explanation:
FastAnrRprtAmount: Indicates the number of periodic measurement reports sent for fast ANR.
FastAnrRprtInterval: Indicates the interval at which periodic measurement reports are sent for fast ANR.
FastAnrCheckPeriod: Indicates the fast ANR checking timer. When the timer expires, the eNodeB automatically checks whether to disable fast ANR.
FastAnrInterRatMeasUeNum: Indicates the maximum allowed number of UEs that perform inter-RAT measurements for fast ANR.
FastAnrInterRatUeNumThd: Indicates the threshold above which the eNodeB enters the monitoring state for inter-RAT fast ANR. The threshold is expressed as the number of UEs that have performed measurements for inter-RAT fast ANR.
FastAnrRssiThd: Indicates the received signal strength indicator (RSSI) threshold for fast ANR with GERAN. If the signal quality of a neighbouring GERAN cell reported by the UE is lower than the threshold, the cell is not automatically added as an external cell of the eNodeB.
FastAnrMode: Indicates the policy based on which fast ANR adds a detected cell to an NCL and adds the neighbour relationship with the detected cell to an NRT of the source cell. If this parameter is set to NCL_NRT_MODE (NCL and NRT Mode), fast ANR adds a detected cell that meets certain conditions to an NCL and then adds the neighbour relationship with the detected cell that is in the NCL to the NRT of the source cell.

2nd Step: Check the LAU attempts by KPI monitoring
LAU/TAU attempts increase significantly.

Step 2: Call attempts, traffic, etc. stay stable; only LAU attempts increase.

Step 3: Make a single-user signalling trace and analyse it. If one cell's LAC/TAC does not belong to the current network, or equals 0/65534, etc., it can be confirmed as a fake BTS.
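The three steps above as one screening routine, added here as an example (not from the page or from any vendor tool). The PLMN/LAC values, the KPI counter layout, the thresholds and the ANR row fields are assumptions; all inputs are constructed.

```python
"""Added example: fake-BTS screening with the three checks the page describes.
All inputs are constructed; PLMN/LAC values, counter layout and thresholds are assumptions."""
from dataclasses import dataclass

OWN_PLMN = "460-00"                  # assumed home PLMN written as MCC-MNC
OWN_LACS = {0x1A2B, 0x1A2C, 0x1A2D}  # assumed LACs planned in the own network
REJECTED_LACS = {0, 65534}           # LAC a UE holds after the LAU reject described on the page

@dataclass
class GeranNeighbour:
    """One row of the L2G ANR external GSM neighbour list (fields assumed)."""
    plmn: str
    lac: int
    bcch: int
    bsic: int

def suspicious_neighbours(rows):
    """Step 1: external GERAN cells whose PLMN or LAC is not part of the own network."""
    return [r for r in rows if r.plmn != OWN_PLMN or r.lac not in OWN_LACS]

def lau_anomaly(kpi, lau_factor=2.0, call_tolerance=0.2):
    """Step 2: LAU attempts jump while call attempts stay stable.
    kpi maps cell -> (lau_baseline, lau_now, calls_baseline, calls_now)."""
    flagged = []
    for cell, (lau0, lau1, calls0, calls1) in kpi.items():
        lau_up = lau1 >= lau_factor * max(lau0, 1)
        calls_stable = abs(calls1 - calls0) <= call_tolerance * max(calls0, 1)
        if lau_up and calls_stable:
            flagged.append(cell)
    return flagged

def trace_lac_suspicious(lac):
    """Step 3: LAC from a single-user trace is a reject residue or foreign to the network."""
    return lac in REJECTED_LACS or lac not in OWN_LACS

# constructed sample data
ANR_REPORT = [
    GeranNeighbour("460-00", 0x1A2B, 45, 12),   # legitimate own-network cell
    GeranNeighbour("460-00", 0x2F00, 45, 33),   # own PLMN but unplanned LAC
    GeranNeighbour("999-99", 0x1A2B, 60, 7),    # foreign PLMN
]
KPI = {"CELL_A": (120, 118, 400, 410),          # normal
       "CELL_B": (130, 910, 420, 402)}          # LAU x7, calls flat

if __name__ == "__main__":
    for r in suspicious_neighbours(ANR_REPORT):
        print("step1 suspicious neighbour:", r)
    print("step2 cells with LAU spike:", lau_anomaly(KPI))
    print("step3 trace LAC 65534 suspicious:", trace_lac_suspicious(65534))
```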

Judgement phenomena from UE perception:

1. The call is interrupted suddenly.
2. The UE can't receive SMS or calls, and can't make a call, in a cell with strong signal.
3. Abnormal LAC or CID value.

Workaround to avoid fake BTS (GSM network)

2G side: based on the fake BTS theory, the workaround is as follows. The parameters need to be implemented in the whole network (Remark: modifying the parameters on only some cells is forbidden, since it would change the traffic mode and affect users):
1. When PT=0 (SET GCELLIDLEAD), set CRO (SET GCELLIDLEBASIC) to the current value plus 50; if CRO would exceed 63, set CRO=63.
2. When PT=31 (SET GCELLIDLEAD), set PT=0 and set CRO (SET GCELLIDLEBASIC) to (50 - current value).
With the above parameter adjustment, even if the fake BTS's power is very big, the normal BTS can still prevent the UE from reselecting to the fake BTS, and the whole network's idle coverage stays the same as before, with no change to the traffic mode. (Remark: since CRH also impacts the reselection behaviour on LAC borders, do not modify CRH to avoid the fake BTS impact.)
Now many provinces in China have already set these parameters to avoid the fake BTS impact, keeping the coverage the same with no impact on the traffic mode.
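The reselection rule from the GSM reselection section and the workaround above, modelled in code as an added example (not from the page): C1 and C2 follow the page's remark, with the PT=31 branch (C2 = C1 - CRO) taken from GSM 05.08; RXMIN, the signal levels and the fake cell's CRO=0/PT=0 are assumptions, and CRO is added to C1 in the page's units.

```python
"""Added example: GSM C2 reselection with the page's network-wide CRO/PT workaround.
C1 = Rxlev - RXMIN and C2 = C1 + CRO follow the page; the PT=31 case (C2 = C1 - CRO)
is the GSM 05.08 definition. RXMIN, levels and the fake cell's parameters are assumed."""

RXMIN = -104       # assumed RXLEV_ACCESS_MIN (dBm) for every cell in this scenario
HOLD_SECONDS = 5   # "better C2 for 5 seconds continuously"

def c1(rxlev, rxmin=RXMIN):
    return rxlev - rxmin

def c2(rxlev, cro, pt):
    """C2 as the UE ranks cells: offset added when PT != 31, subtracted when PT = 31."""
    return c1(rxlev) - cro if pt == 31 else c1(rxlev) + cro

def apply_workaround(cell):
    """Page's rule: PT=0 -> CRO = CRO + 50 (capped at 63); PT=31 -> PT=0, CRO = 50 - CRO."""
    if cell["pt"] == 31:
        return {**cell, "pt": 0, "cro": 50 - cell["cro"]}
    return {**cell, "cro": min(cell["cro"] + 50, 63)}

def reselects(serving, neighbour, samples):
    """True once the neighbour's C2 beats the serving cell's for HOLD_SECONDS consecutive
    one-second samples; samples is a list of (serving_rxlev, neighbour_rxlev)."""
    streak = 0
    for s_rx, n_rx in samples:
        better = c2(n_rx, neighbour["cro"], neighbour["pt"]) > c2(s_rx, serving["cro"], serving["pt"])
        streak = streak + 1 if better else 0
        if streak >= HOLD_SECONDS:
            return True
    return False

# constructed scenario: the fake cell is received 20 dB stronger than the serving cell
# and broadcasts CRO=0, PT=0 (an assumption of this scenario)
NORMAL = {"name": "normal", "cro": 4, "pt": 0}
FAKE = {"name": "fake", "cro": 0, "pt": 0}
SAMPLES = [(-80, -60)] * 8    # 8 s: serving -80 dBm, fake -60 dBm

def fake_wins(serving=NORMAL):
    """Does the UE leave the given serving cell for the fake cell?"""
    return reselects(serving, FAKE, SAMPLES)

if __name__ == "__main__":
    print("before workaround, UE reselects to fake:", fake_wins(NORMAL))                   # True
    print("after workaround, UE reselects to fake:", fake_wins(apply_workaround(NORMAL)))  # False
```

Applying the rule to a PT=31 cell gives the same uniform +50 shift in C2 as for a PT=0 cell, which is why the relative ranking between normal cells, and hence the idle coverage, is unchanged.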

Workaround to prevent a fake BTS listening to SMS messages
Activate 2G encryption: now most networks have already activated A5/1 encryption, as in the chart below:


How to find a fake BTS on site?
As in the chart below, once the red-marked cells have been recognized as suspicious from KPI monitoring, we can go to the suspicious area and scan for the fake BTS; once we find a cell whose LAC/TAC differs from the current network, track the signal direction until the location is found.

Diagram: suspicious area.

Attachment: Multiple types of fake BTS and chart

