pith. sign in

arxiv: 2605.19232 · v1 · pith:WXNXX362new · submitted 2026-05-19 · 💻 cs.CR

Devilray: A Systematic Adversarial Model Revealing Blind Spots in Fake Base Station Detection

Taekkyung Oh , Duckwoo Kim , Hansung Bae , Beomseok Oh , CheolJun Park , Tyler Tucker , Nathaniel Bennett , Sangwook Bae
show 3 more authors
Byeongdo Hong Patrick Traynor Yongdae Kim
This is my paper

Pith reviewed 2026-05-20 05:27 UTC · model grok-4.3

classification 💻 cs.CR
keywords fake base stationadversarial modelcellular security3GPP standardsdetection blind spotscommercial FBSDevilraythreat model
0
0 comments X

The pith

Devilray builds a model of 2,592 realistic fake base stations from commercial device data and 3GPP rules, exposing gaps in every detector tested.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes the first direct academic examination of how a commercial fake base station actually operates and then generates a large set of variants allowed by cellular standards. This produces a systematic testbed that previous detectors, built around simpler homemade prototypes, were never evaluated against. If the model holds, many existing detection methods will fail against adversaries who stay within real equipment capabilities and standard-compliant behaviors. The work therefore shifts the field from ad-hoc threat assumptions to a grounded, enumerable adversarial space.

Core claim

Devilray is a reconfigurable adversarial baseline that first records empirical behavior from a commercial fake base station, then expands those observations into all specification-driven operational variants permitted by 3GPP, producing 2,592 feasible instances that are used to evaluate seven representative detectors and reveal coverage gaps in each.

What carries the argument

Devilray, a reconfigurable reference-grade adversarial baseline that enumerates realistic FBS instances by combining measured commercial-device behavior with 3GPP-permitted parameter ranges.

If this is right

  • Current FBS detectors must be redesigned or augmented to handle the full enumerated space of 3GPP-compliant behaviors.
  • Future detector papers should report performance against systematic models such as Devilray rather than isolated prototype attacks.
  • Blind spots traced to assumption-bound design become addressable once the complete adversarial space is enumerated.
  • The community gains a shared reference for rigorous evaluation of new detection mechanisms.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Detector vendors could integrate the Devilray parameter space into automated testing suites to close the identified gaps before deployment.
  • Similar systematic enumeration approaches may be useful for other wireless security problems where regulatory or cost barriers limit direct hardware access.
  • Regulators evaluating cellular security products might require testing against models that cover the full 3GPP-permitted range.

Load-bearing premise

The behaviors observed on one commercial FBS device plus the allowances in 3GPP standards are enough to represent the full range of realistic adversarial operations.

What would settle it

A controlled test in which all seven detectors correctly identify every one of the 2,592 Devilray instances, or in which a real commercial FBS exhibits sustained behavior outside the modeled parameter space, would falsify the reported coverage gaps.

Figures

Figures reproduced from arXiv: 2605.19232 by Beomseok Oh, Byeongdo Hong, CheolJun Park, Duckwoo Kim, Hansung Bae, Nathaniel Bennett, Patrick Traynor, Sangwook Bae, Taekkyung Oh, Tyler Tucker, Yongdae Kim.

Figure 1
Figure 1. Figure 1: LTE architecture and broadcast messages to the UE’s state. UEs without an active radio connection (idle state) apply cell reselection to select the optimal cell. While in idle mode, UEs monitor broadcast messages from nearby cells and also measure their signal quality. Based on the cell reselection priority and the signal quality, UEs select and camp on the optimal cell that meets the requirements. UEs wit… view at source ↗
Figure 2
Figure 2. Figure 2: The Devilray methodology. ①-④ correspond to stages M1-M4 detailed in §4.2. practice, avoiding ad-hoc or hypothetical assumptions while enabling principled expansion of the adversarial design space. M3: Configuration validation. Devilray incorporates a semantics-aware dependency checker that validates protocol compatibility and cross-phase dependencies for each con￾figuration based on empirical and domain k… view at source ↗
Figure 3
Figure 3. Figure 3: Modular and reconfigurable architecture of [PITH_FULL_IMAGE:figures/full_fig_p007_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Distribution of IMSI-exposing messages. It shows the [PITH_FULL_IMAGE:figures/full_fig_p012_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Cumulative timing misalignment of radio frames. Left [PITH_FULL_IMAGE:figures/full_fig_p012_5.png] view at source ↗
Figure 7
Figure 7. Figure 7: Dependency checker with example rules. Arrows de [PITH_FULL_IMAGE:figures/full_fig_p022_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Message flow for three connection hijacking methods by FBSs [PITH_FULL_IMAGE:figures/full_fig_p025_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: Devilray’s configurations space to explore FBS instances 25 [PITH_FULL_IMAGE:figures/full_fig_p025_9.png] view at source ↗
read the original abstract

Fake Base Station (FBS) detection has been a critical focus of cellular security research for over two decades. However, significant financial and regulatory barriers to accessing commercial FBS (C-FBS) devices have limited direct visibility into real-world operations, forcing detection systems to be designed and evaluated around self-built prototypes. In this paper, we present Devilray, a reconfigurable and reference-grade adversarial baseline designed to systematically explore the realistic adversarial space and identify adversarial blind spots in current detection -- regions of realistic adversarial behavior excluded by prevailing threat models. We establish an empirical ground truth through the first academic analysis of a C-FBS and extend these observations into specification-driven operational variants permitted by 3GPP standards. Devilray enables the systematic exploration of 2,592 feasible and realistic FBS instances, capturing a wide range of operational possibilities. Using Devilray, we evaluate seven representative accessible FBS detectors and uncover coverage gaps across all seven, revealing blind spots rooted in assumption-bound design and evaluation. Our work provides the first robust adversarial model grounded in real-world behavior and specification analysis, enabling the community to develop and evaluate future detection mechanisms in a rigorous manner.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper presents Devilray, a reconfigurable adversarial model for fake base stations grounded in the first academic empirical analysis of a commercial FBS (C-FBS) device combined with 3GPP specification allowances. It constructs 2,592 feasible operational variants and applies them to evaluate seven representative FBS detectors, claiming to uncover coverage gaps and blind spots arising from assumption-bound designs in prior work.

Significance. If the central claims hold, the work is significant for shifting FBS detection research from prototype-based threat models to one anchored in real commercial device observations and standards-compliant variants. The systematic enumeration of 2,592 instances and the identification of gaps across all seven evaluated detectors could provide a reusable baseline for more rigorous future detector design and testing.

major comments (1)
  1. [Section 4] Section 4: The derivation of the 2,592 instances from observations of a single C-FBS device treats the extracted message fields, timing, and protocol deviations as representative of the full realistic adversarial space permitted by 3GPP. This generalization is load-bearing for the coverage-gap claims; if other commercial units or custom implementations exhibit additional or incompatible behaviors, the reported blind spots in the seven detectors would be incomplete.
minor comments (1)
  1. [Abstract] Abstract and introduction: The repeated emphasis on 'first academic analysis of a C-FBS' should be supported by an explicit comparison table or discussion in related work showing how prior prototype studies differ in observable behaviors.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for their constructive feedback and for recognizing the potential significance of grounding FBS detection research in empirical observations from a commercial device combined with 3GPP-compliant variants. We address the single major comment below and outline the revisions we will make.

read point-by-point responses

  1. Referee: [Section 4] Section 4: The derivation of the 2,592 instances from observations of a single C-FBS device treats the extracted message fields, timing, and protocol deviations as representative of the full realistic adversarial space permitted by 3GPP. This generalization is load-bearing for the coverage-gap claims; if other commercial units or custom implementations exhibit additional or incompatible behaviors, the reported blind spots in the seven detectors would be incomplete.

    Authors: We agree that our empirical foundation derives from analysis of a single C-FBS unit and that this constitutes a genuine limitation for claims about the complete realistic adversarial space. The 2,592 variants are produced by enumerating combinations of fields, timing values, and protocol behaviors observed on that device while restricting all variations to ranges and configurations explicitly allowed by the relevant 3GPP specifications. This yields a reproducible, standards-grounded baseline rather than an exhaustive catalog of every possible commercial or custom implementation. We will revise Section 4 and add a dedicated limitations paragraph to explicitly state that (a) the observed parameter set is device-specific, (b) other C-FBS units or bespoke implementations may introduce behaviors outside the current enumeration, and (c) the reported coverage gaps therefore represent lower bounds on detector weaknesses. These changes will preserve the core contribution—an accessible, specification-compliant adversarial model derived from the first academic C-FBS measurement—while clarifying its scope. revision: partial

Circularity Check

0 steps flagged

No circularity in derivation chain

full rationale

The paper constructs its adversarial model by performing the first academic empirical analysis of a commercial FBS device and extending observed behaviors into variants permitted by public 3GPP standards, then enumerating 2,592 instances combinatorially. This chain relies on external hardware observations and specification documents rather than any self-referential fitting, predictions that reduce to fitted parameters, or load-bearing self-citations. No equations or steps in the provided derivation reduce the output to the inputs by construction; the coverage-gap findings are produced by applying the externally grounded model to seven detectors. The work is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

The central claim depends on the representativeness of observations from one commercial device and the assumption that 3GPP standards define a complete and realistic set of operational variants.

axioms (1)
  • domain assumption 3GPP standards define feasible and realistic operational variants for fake base stations
    Invoked to extend single-device observations into the 2,592 instances.
invented entities (1)
  • Devilray adversarial model no independent evidence
    purpose: To systematically enumerate and test realistic FBS configurations
    New framework introduced to organize the adversarial space.

pith-pipeline@v0.9.0 · 5769 in / 1268 out tokens · 47124 ms · 2026-05-20T05:27:45.574199+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

103 extracted references · 103 canonical work pages

  1. [1]

    TR 33.809, v18.1.0

    3GPP. TR 33.809, v18.1.0. Study on 5G security en- hancements against False Base Stations (FBS), 2023

    work page 2023

  2. [2]

    TS 24.301, v15.8.0

    3GPP. TS 24.301, v15.8.0. UMTS; LTE; 5G; Non- Access-Stratum (NAS) Protocol for Evolved Packet Sys- tem (EPS), 2019

    work page 2019

  3. [3]

    TS 36.304, v18.3.0

    3GPP. TS 36.304, v18.3.0. LTE; Evolved Universal Terrestrial Radio Access (E-UTRA); User Equipment (UE) Procedures in Idle Mode, 2025

    work page 2025

  4. [4]

    TS 36.321, v18.4.0

    3GPP. TS 36.321, v18.4.0. Evolved Universal Terres- trial Radio Access (E-UTRA); Medium Access Control (MAC) Protocol Specification, 2025

    work page 2025

  5. [5]

    TS 36.331, v18.4.0

    3GPP. TS 36.331, v18.4.0. LTE; Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Resource Control (RRC); Protocol Specification, 2024

    work page 2024

  6. [6]

    TS 36.401, v18.1.0

    3GPP. TS 36.401, v18.1.0. LTE; Evolved Universal Terrestrial Radio Access Network (E-UTRAN); Archi- tecture Description, 2024

    work page 2024

  7. [7]

    TS 37.340, v18.4.0

    3GPP. TS 37.340, v18.4.0. Universal Mobile Telecom- munications System (UMTS); LTE; 5G; Evolved Uni- versal Terrestrial Radio Access (E-UTRA) and NR; Multi-connectivity; Overall Description; Stage-2, 2025

    work page 2025

  8. [8]

    TS 38.401, v18.4.0

    3GPP. TS 38.401, v18.4.0. 5G; NG-RAN; Architecture Description, 2025

    work page 2025

  9. [9]

    Enabling Fake Base Station Detection through Sample-based Higher Order Noise Statistics

    Arslan Ali and Georg Fischer. Enabling Fake Base Station Detection through Sample-based Higher Order Noise Statistics. InIEEE International Conference on Telecommunications and Signal Processing (TSP), 2019

    work page 2019

  10. [10]

    AMARI Callbox Classic

    Amarisoft. AMARI Callbox Classic. https://www.am arisoft.com/test-and-measurement/device-t esting/device-products/amari-callbox-class ic, n.d

    work page

  11. [11]

    Catch You Cause I Can: Busting Rogue Base Stations using Cellguard and the Apple Cell Location Database

    Lukas Arnold, Matthias Hollick, and Jiska Classen. Catch You Cause I Can: Busting Rogue Base Stations using Cellguard and the Apple Cell Location Database. InProceedings of the International Symposium on Re- search in Attacks, Intrusions and Defenses (RAID), 2024

    work page 2024

  12. [12]

    Stingrays, Simulators, Surveillance, and Silverados

    DAN ATKINSON. Stingrays, Simulators, Surveillance, and Silverados. https://horizonmass.news/2024/ 02/06/stingrays-simulators-surveillance-a nd-silverados/, 2024. Accessed: 2025-09-02

    work page 2024

  13. [13]

    The Menlo Report.IEEE Security & Privacy, 2012

    Michael Bailey, David Dittrich, Erin Kenneally, and Doug Maughan. The Menlo Report.IEEE Security & Privacy, 2012

    work page 2012

  14. [14]

    Long-Secret Stingray Manuals Detail How Police Can Spy on Phones

    Sam Biddle. Long-Secret Stingray Manuals Detail How Police Can Spy on Phones. https://theinterce pt.com/2016/09/12/long-secret-stingray-man uals-detail-how-police-can-spy-on-phones/ ,

    work page 2016

  15. [15]

    Accessed: 2025-04-02

    work page 2025

  16. [16]

    Don’t Hand It Over: Vulnerabilities in the Handover Procedure of Cel- lular Telecommunications

    Evangelos Bitsikas and Christina Pöpper. Don’t Hand It Over: Vulnerabilities in the Handover Procedure of Cel- lular Telecommunications. InProceedings of the Annual Computer Security Applications Conference (ACSAC), 2021

    work page 2021

  17. [17]

    Detection of a Rogue Base Station, 2018

    Elliot Briggs and Zhu Ji. Detection of a Rogue Base Station, 2018. US Patent 10,129,283

    work page 2018

  18. [18]

    Someone is Spying on Cellphones in the Nation’s Capital

    CBC News. Someone is Spying on Cellphones in the Nation’s Capital. https://www.cbc.ca/news/poli tics/imsi-cellphones-spying-ottawa-1.40500 49, 2017. Accessed: 2025-04-15

    work page 2017

  19. [19]

    iDEN 2.4 Operator Manual

    Harris Communications. iDEN 2.4 Operator Manual. https://embed.documentcloud.org/document s/3105641-iDEN-2-4-Operator-Manual/ , 2013. Accessed: 2025-04-02

    work page arXiv 2013

  20. [20]

    Gemini 3.3 Quick Start Guide

    Harris Communications. Gemini 3.3 Quick Start Guide. https://embed.documentcloud.org/documents/ 3105793-Gemini-3-3-Quick-Start-Guide/ , 2014. Accessed: 2025-04-02

    work page 2014

  21. [21]

    Arrowhead 1.0.1 Release Notes

    Harris Communications. Arrowhead 1.0.1 Release Notes. https://embed.documentcloud.org/do cuments/3105805-Arrowhead-1-0-1-Release-N otes/, n.d. Accessed: 2025-04-02

    work page arXiv 2025

  22. [22]

    Gemini RayFish Controller R3.3.1 Release Notes

    Harris Communications. Gemini RayFish Controller R3.3.1 Release Notes. https://embed.document cloud.org/documents/3105849-Gemini-RayFish -Controller-R3-3-1-Release-Notes/ , n.d. Ac- cessed: 2025-04-02

    work page arXiv 2025

  23. [23]

    iDEN 2.4 Release Notes

    Harris Communications. iDEN 2.4 Release Notes. ht tps://embed.documentcloud.org/documents/31 05806-iDEN-2-4-Release-Notes/ , n.d. Accessed: 2025-04-02

    work page 2025

  24. [24]

    IMSI-Catch Me If You Can: IMSI-Catcher-Catchers

    Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Mar- tin Mulazzani, and Edgar Weippl. IMSI-Catch Me If You Can: IMSI-Catcher-Catchers. InProceedings of the Annual Computer Security Applications Conference (ACSAC), 2014

    work page 2014

  25. [25]

    Mass Surveillance: Cell Tower Simulator Coming to a Silverado Near You

    Dan Atkinson. Mass Surveillance: Cell Tower Simulator Coming to a Silverado Near You. https://theshoes tring.org/2024/04/05/mass-surveillance-cel l-tower-simulator-coming-to-a-silverado-n ear-you/, 2024. Accessed: 2025-04-19. 15

    work page 2024

  26. [26]

    Our public website about Reconfigurable and Reference-grade Fake Base Station

    Devilray. Our public website about Reconfigurable and Reference-grade Fake Base Station. https://sites. google.com/view/devilray

    work page

  27. [27]

    We Hunted Hidden Police Signals at the DNC

    Dhruv Mehrotra. We Hunted Hidden Police Signals at the DNC. https://www.wired.com/story/dnc-h idden-signal-hunt, 2024. Accessed: 2025-04-15

    work page 2024

  28. [28]

    Cybercriminals Have a Weird New Way to Target You With Scam Texts.https: //www.wired.com/story/sms-blasters-scam-t exts/, 2025

    Dhruv Mehrotra, Matt Burgess. Cybercriminals Have a Weird New Way to Target You With Scam Texts.https: //www.wired.com/story/sms-blasters-scam-t exts/, 2025. Accessed: 2026-01-17

    work page 2025

  29. [29]

    Phoenix: Device-centric Cellular Network Proto- col Monitoring using Runtime Verification

    Mitziu Echeverria, Zeeshan Ahmed, Bincheng Wang, M Fareed Arif, Syed Rafiul Hussain, and Omar Chowd- hury. Phoenix: Device-centric Cellular Network Proto- col Monitoring using Runtime Verification. InProceed- ings of the Network and Distributed System Security Symposium (NDSS), 2021

    work page 2021

  30. [30]

    Gotta Catch ’Em All: Understanding How IMSI-Catchers Exploit Cell Net- works

    Electronic Frontier Foundation. Gotta Catch ’Em All: Understanding How IMSI-Catchers Exploit Cell Net- works. https://www.eff.org/wp/gotta-catch-e m-all-understanding-how-imsi-catchers-exp loit-cell-networks, 2019. Accessed: 2025-04-02

    work page 2019

  31. [31]

    Electronic Frontier Foundation. Apple and Google are Introducing New Ways to Defeat Cell Site Simulators, but is it Enough? https://www.eff.org/deeplink s/2023/09/apple-and-google-are-introducing -new-ways-defeat-cell-site-simulators-it-e nough, 2023. Accessed: 2025-04-19

    work page 2023

  32. [32]

    Street Level Surveil- lance

    Electronic Frontier Foundation. Street Level Surveil- lance. https://sls.eff.org/technologies/cel l-site-simulators-imsi-catchers , 2023. Ac- cessed: 2025-04-19

    work page 2023

  33. [33]

    Minister Refuses to Answer Questions about Chinese Scam SMS Blasters Circling Japan

    Eric Priezkalns. Minister Refuses to Answer Questions about Chinese Scam SMS Blasters Circling Japan. http s://commsrisk.com/minister-refuses-to-ans wer-questions-about-chinese-scam-sms-blast ers-circling-japan/, 2025. Accessed: 2026-01-17

    work page 2025

  34. [34]

    AdaptOver: Adaptive Overshadowing Attacks in Cellular Networks

    Simon Erni, Martin Kotuliak, Patrick Leu, Marc Roeschlin, and Srdjan Capkun. AdaptOver: Adaptive Overshadowing Attacks in Cellular Networks. InIn- ternational Conference on Mobile Computing And Net- working (MobiCom), 2022

    work page 2022

  35. [35]

    GSM Spy Finder

    GALAN. GSM Spy Finder. https://apk.support/ app/kz.galan.antispy. Accessed: 2025-04-18

    work page 2025

  36. [36]

    IMSI Catcher

    Gesellschaft für Freiheitsrechte. IMSI Catcher. https: //freiheitsrechte.org/en/themen/digitale-g rundrechte/ismi-cathcer , 2020. Accessed: 2025- 04-15

    work page 2020

  37. [37]

    Gomez-Miguelez, A

    I. Gomez-Miguelez, A. Garcia-Saavedra, P. D. Sutton, P. Serrano, C. Cano, and D. J.Leith. srsRAN: An Open- Source Platform for LTE Evolution and Experimenta- tion. https://github.com/srsran/srsRAN , 2019. Accessed: 2025-04-19

    work page 2019

  38. [38]

    The attacks aren’t alright: Large-Scale Simula- tion of Fake Base Station Attacks and Detections

    Thijs Heijligenberg, David Rupprecht, and Katharina Kohls. The attacks aren’t alright: Large-Scale Simula- tion of Fake Base Station Attacks and Detections. In Proceedings of the 17th Cyber Security Experimentation and Test Workshop, 2024

    work page 2024

  39. [39]

    LTESniffer: An Open-source LTE Downlink/Uplink Eavesdropper

    Tuan Dinh Hoang, CheolJun Park, Mincheol Son, Taekkyung Oh, Sangwook Bae, Junho Ahn, Beomseok Oh, and Yongdae Kim. LTESniffer: An Open-source LTE Downlink/Uplink Eavesdropper. InProceedings of the ACM Conference on Security and Privacy in Wire- less and Mobile Networks (WiSec), 2023

    work page 2023

  40. [40]

    Peeking over the cellular walled gardens-a method for closed network diagnosis.IEEE Transactions on Mobile Computing, 2018

    Byeongdo Hong, Shinjo Park, Hongil Kim, Dongkwan Kim, Hyunwook Hong, Hyunwoo Choi, Jean-Pierre Seifert, Sung-Ju Lee, and Yongdae Kim. Peeking over the cellular walled gardens-a method for closed network diagnosis.IEEE Transactions on Mobile Computing, 2018

    work page 2018

  41. [41]

    Identifying the Fake Base Station: A Location Based Approach.IEEE Communications Letters, 2018

    Ke-Wen Huang and Hui-Ming Wang. Identifying the Fake Base Station: A Location Based Approach.IEEE Communications Letters, 2018

    work page 2018

  42. [42]

    Proposal Response for Cell Site Simulator (CSS) Program for the Massachusetts StatePolice (MSP)

    Jacobs Technology Inc. Proposal Response for Cell Site Simulator (CSS) Program for the Massachusetts StatePolice (MSP). https://www.documentclou d.org/documents/24733508-2024_ma-state-p olice_css-proposal_jacobs/ , 2024. Accessed: 2026-01-21

    work page arXiv 2024

  43. [43]

    EAGLE Security

    Int64 Team. EAGLE Security. https://play.googl e.com/store/apps/details?id=com.integer.ea glesecurity_free, 2014. Accessed: 2025-08-09

    work page 2014

  44. [44]

    A Network-Based Posi- tioning Method to Locate False Base Stations.IEEE Access, 2021

    Leyli Karaçay, Zeki Bilgin, Ay¸ se Bilge Gündüz, Pinar Çomak, Emrah Tomur, Elif Ustundag Soykan, Utku Gülen, and Ferhat Karakoç. A Network-Based Posi- tioning Method to Locate False Base Stations.IEEE Access, 2021

    work page 2021

  45. [45]

    Never Let Me Down Again: Bidding- Down Attacks and Mitigations in 5G and 4G

    Bedran Karakoc, Nils Fürste, David Rupprecht, and Katharina Kohls. Never Let Me Down Again: Bidding- Down Attacks and Mitigations in 5G and 4G. InPro- ceedings of the ACM Conference on Security and Pri- vacy in Wireless and Mobile Networks (WiSec), 2023

    work page 2023

  46. [46]

    Feds Say They’ve Detected Apparent Rogue Spy Devices In D.C

    Merrit Kennedy. Feds Say They’ve Detected Apparent Rogue Spy Devices In D.C. https://www.npr.org/ sections/thetwo-way/2018/04/04/599428495/ feds-say-theyve-detected-apparent-rogue-s py-devices-in-d-c, 2018. 16

    work page 2018

  47. [47]

    LTrack: Stealthy Track- ing of Mobile Phones in LTE

    Martin Kotuliak, Simon Erni, Patrick Leu, Marc Roeschlin, and Srdjan Capkun. LTrack: Stealthy Track- ing of Mobile Phones in LTE. InUSENIX Security Symposium, 2022

    work page 2022

  48. [48]

    LTE Radio Analytics Made Easy and Accessible

    Swarun Kumar, Ezzeldin Hamed, Dina Katabi, and Li Erran Li. LTE Radio Analytics Made Easy and Accessible. InProceedings of the ACM SIGCOMM, 2014

    work page 2014

  49. [49]

    FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild

    Zhenhua Li, Weiwei Wang, Christo Wilson, Jian Chen, Chen Qian, Taeho Jung, Lan Zhang, Kebin Liu, Xi- angyang Li, and Yunhao Liu. FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild. InProceed- ings of the Network and Distributed System Security Symposium (NDSS), 2017

    work page 2017

  50. [50]

    The Next Generation of Cell-Site Simulators is Here

    Beryl Lipton and Cooper Quintin. The Next Generation of Cell-Site Simulators is Here. Here’s What We Know. https://www.eff.org/deeplinks/2024/06/next -generation-cell-site-simulators-here-her es-what-we-know, 2024. Accessed: 2025-04-19

    work page 2024

  51. [51]

    The Dark Side of Scale: Insecurity of Direct- to-Cell Satellite Mega-Constellations

    Wei Liu, Yuanjie Li, Hewu Li, Yimei Chen, Yufeng Wang, Jingyi Lan, Jianping Wu, Qian Wu, Jun Liu, and Zeqi Lai. The Dark Side of Scale: Insecurity of Direct- to-Cell Satellite Mega-Constellations. InIEEE Sympo- sium on Security and Privacy (S&P), 2024

    work page 2024

  52. [52]

    A Man-in-the- Middle Attack on UMTS

    Ulrike Meyer and Susanne Wetzel. A Man-in-the- Middle Attack on UMTS. InProceedings of the 3rd ACM workshop on Wireless security, 2004

    work page 2004

  53. [53]

    Murat: Multi- RAT False Base Station Detector.arXiv preprint arXiv:2102.08780, 2021

    Prajwol Kumar Nakarmi, Mehmet Akif Ersoy, Elif Us- tundag Soykan, and Karl Norrman. Murat: Multi- RAT False Base Station Detector.arXiv preprint arXiv:2102.08780, 2021

    work page arXiv 2021

  54. [54]

    Applying Machine Learning on RSRP-Based Fea- tures for False Base Station Detection

    Prajwol Kumar Nakarmi, Jakob Sternby, and Ikram Ul- lah. Applying Machine Learning on RSRP-Based Fea- tures for False Base Station Detection. InProceedings of the International Conference on Availability, Reliability and Security (ARES), 2022

    work page 2022

  55. [55]

    SeaGlass: Enabling City-Wide IMSI-catcher Detection.Proceedings on Privacy Enhancing Tech- nologies, 2017

    Peter Ney, Ian Smith, Gabriel Cadamuro, and Tadayoshi Kohno. SeaGlass: Enabling City-Wide IMSI-catcher Detection.Proceedings on Privacy Enhancing Tech- nologies, 2017

    work page 2017

  56. [56]

    Enabling Physical Localiza- tion of Uncooperative Cellular Devices

    Taekkyung Oh, Sangwook Bae, Junho Ahn, Yonghwa Lee, Tuan Dinh Hoang, Min Suk Kang, Nils Ole Tippen- hauer, and Yongdae Kim. Enabling Physical Localiza- tion of Uncooperative Cellular Devices. InProceedings of the Annual International Conference on Mobile Com- puting and Networking (MobiCom), 2024

    work page 2024

  57. [57]

    Police warn of SMS scams as ‘blaster’ is used to send thousands of texts

    Hilary Osborne. Police warn of SMS scams as ‘blaster’ is used to send thousands of texts. https://www.th eguardian.com/money/2025/jun/24/police-sms -scams-blaster-texts-smishing , 2025. Accessed: 2025-08-25

    work page 2025

  58. [58]

    FlashCatch: Minimizing Disrup- tion in IMSI Catcher Operations

    Andrea Paci, Gabriele Bologna, Ivan Palamà, and Giuseppe Bianchi. FlashCatch: Minimizing Disrup- tion in IMSI Catcher Operations. InProceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2025

    work page 2025

  59. [59]

    Cellphone Surveillance: The Secret Arsenal

    Pierluigi Paganini. Cellphone Surveillance: The Secret Arsenal. https://www.infosecinstitute.com/r esources/general-security/cellphone-surve illance-the-secret-arsenal/ , 2016. Accessed: 2025-09-02

    work page 2016

  60. [60]

    Technische Univer- sitaet Berlin (Germany), 2023

    Shinjo Park.Why We Cannot Win: On Fake Base Sta- tions and Their Detection Methods. Technische Univer- sitaet Berlin (Germany), 2023

    work page 2023

  61. [61]

    LeopardSeal: Detecting Call Interception via Audio Rogue Base Stations

    Christian Peeters, Tyler Tucker, Anushri Jain, Kevin But- ler, and Patrick Traynor. LeopardSeal: Detecting Call Interception via Audio Rogue Base Stations. InProceed- ings of the International Conference on Mobile Systems, Applications and Services (MobiSys), 2023

    work page 2023

  62. [62]

    PentHertz. OpenBTS. https://github.com/PentH ertz/OpenBTS, 2014. Accessed: 2025-09-01

    work page 2014

  63. [63]

    IMSI catchers legal analysis

    Privacy International. IMSI catchers legal analysis. ht tps://privacyinternational.org/sites/defau lt/files/2020-06/IMSI%20catchers%20legal% 20analysis.pdf, 2020. Accessed: 2025-04-18

    work page 2020

  64. [64]

    Detecting Fake 4G LTE Base Stations in Real Time

    Cooper Quinti. Detecting Fake 4G LTE Base Stations in Real Time. https://www.usenix.org/confere nce/enigma2021/presentation/quintin, 2021

    work page 2021

  65. [65]

    Recording PCAPs from Stingrays With a $20 Hotspot

    Cooper Quintin and Will Greenberg. Recording PCAPs from Stingrays With a $20 Hotspot. https://www.yo utube.com/watch?v=meC2JqNAbCA, 2025

    work page 2025

  66. [66]

    USRP B210, 2013

    Ettus Research. USRP B210, 2013

    work page 2013

  67. [67]

    USRP X310, 2014

    Ettus Research. USRP X310, 2014

    work page 2014

  68. [68]

    Gotta Detect ’Em All: Fake Base Station and Multi-Step Attack Detection in Cellular Networks.arXiv e-prints, 2024

    Kazi Samin Mubasshir, Imtiaz Karim, and Elisa Bertino. Gotta Detect ’Em All: Fake Base Station and Multi-Step Attack Detection in Cellular Networks.arXiv e-prints, 2024

    work page 2024

  69. [69]

    AIMSCD: Android IMSI-Catcher Detector

    SecUpwN. AIMSCD: Android IMSI-Catcher Detector. https://github.com/CellularPrivacy/Android -IMSI-Catcher-Detector , n.d. Accessed: 2025-04- 18. 17

    work page 2025

  70. [70]

    On the Impact of Rogue Base Sta- tions in 4G/LTE Self Organizing Networks

    Altaf Shaik, Ravishankar Borgaonkar, Shinjo Park, and Jean-Pierre Seifert. On the Impact of Rogue Base Sta- tions in 4G/LTE Self Organizing Networks. InProceed- ings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2018

    work page 2018

  71. [71]

    Cell Spy Catcher

    Skibapps. Cell Spy Catcher. https://www.appbrain .com/app/cell-spy-catcher-anti-spy/com.ski bapps.cellspycatcher, n.d. Accessed: 2026-02-01

    work page 2026

  72. [72]

    SnoopSnitch

    SRLabs. SnoopSnitch. https://github.com/srlab s/snoopsnitch, 2014. Accessed: 2025-04-18

    work page 2014

  73. [73]

    Keeping Your Android Device Safe from Text Message Fraud

    Nataliya Stanetsky and Roger Piqueras Jover. Keeping Your Android Device Safe from Text Message Fraud. https://security.googleblog.com/2024/08/ke eping-your-android-device-safe-from.html , 2024

    work page 2024

  74. [74]

    A Network-Based IMSI Catcher Detection

    Simen Steig, Andre Aarnes, Thanh Van Do, and Hai Thanh Nguyen. A Network-Based IMSI Catcher Detection. InIEEE International Conference on IT Convergence and Security (ICITCS), 2016

    work page 2016

  75. [75]

    Swapnil Udar, Ravishankar Borgaonkar. Darshak. ht tps://github.com/darshakframework/darshak ,

    work page

  76. [76]

    Accessed: 2025-04-18

    work page 2025

  77. [77]

    Week 36: New risk from SMS blasters

    Swiss National Cyber Security Centre. Week 36: New risk from SMS blasters. https://www.ncsc.admin .ch/ncsc/en/home/aktuell/im-fokus/2025/wo chenrueckblick_36.html, 2025. Accessed: 2026-01- 17

    work page 2025

  78. [78]

    Serbia Imports Wireless Equipment Ca- pable of Indiscriminate Mass Surveillance

    Aleksa Tesic. Serbia Imports Wireless Equipment Ca- pable of Indiscriminate Mass Surveillance. https: //balkaninsight.com/2024/12/12/serbia-imp orts-wireless-equipment-capable-of-indis criminate-mass-surveillance , 2024. Accessed: 2025-04-19

    work page 2024

  79. [79]

    Exclusive: Evidence of Cell Phone Surveillance Detected at Anti- ICE Protest

    Mikael Thalen and Simone Del Rosario. Exclusive: Evidence of Cell Phone Surveillance Detected at Anti- ICE Protest. https://san.com/cc/exclusive-e vidence-of-cell-phone-surveillance-detecte d-at-anti-ice-protest/ , 2025. Accessed: 2025- 08-29

    work page 2025

  80. [80]

    Revealed: Bristol’s police and mass mobile phone surveillance

    The Bristol Cable. Revealed: Bristol’s police and mass mobile phone surveillance. https://thebristolca ble.org/2016/10/imsi , 2016. Accessed: 2025-04- 15

    work page 2016

Showing first 80 references.