Fake Base Station Identification and Detection (5G RAN6.1 - Draft A)

5G RAN
Fake Base Station Identification

and Detection Feature Parameter
Description
Issue Draft A
Date 2021-12-30
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2022. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: https://www.huawei.com
Email: support@huawei.com
Issue Draft A Copyright © Huawei Technologies Co., Ltd. i

(2021-12-30)
5G RAN
Fake Base Station Identification and Detection
Feature Parameter Description Contents
Contents
1 Change History.........................................................................................................................1
1.1 5G RAN6.1 Draft A (2021-12-30)...................................................................................................................................... 1
2 About This Document.............................................................................................................3

2.1 General Statements................................................................................................................................................................ 3
2.2 Differences Between NR FDD and NR TDD................................................................................................................... 4
2.3 Differences Between NSA and SA..................................................................................................................................... 4
2.4 Differences Between High Frequency Bands and Low Frequency Bands............................................................ 4
3 Overview....................................................................................................................................6
4 Fake Base Station Identification and Detection in SA Networking............................ 7
4.1 Principles.................................................................................................................................................................................... 7
4.1.1 Principles and Procedure of Fake Base Station Detection..................................................................................... 7
4.1.2 Fake Base Station Whitelist Management................................................................................................................11
4.1.3 Geographic Display of Fake Base Stations............................................................................................................... 11
4.1.4 Fake Base Station Detection Results...........................................................................................................................12
4.2 Network Analysis.................................................................................................................................................................. 12
4.2.1 Benefits................................................................................................................................................................................. 12
4.2.2 Impacts.................................................................................................................................................................................. 12
4.3 Requirements......................................................................................................................................................................... 13
4.3.1 Licenses................................................................................................................................................................................. 13
4.3.2 Software................................................................................................................................................................................13
4.3.3 Hardware.............................................................................................................................................................................. 13
4.3.4 Others.................................................................................................................................................................................... 14
4.4 Operation and Maintenance............................................................................................................................................. 14
4.4.1 Data Configuration........................................................................................................................................................... 14
4.4.1.1 Data Preparation............................................................................................................................................................ 14
4.4.1.2 Using MML Commands............................................................................................................................................... 15
4.4.1.3 Using the MAE-Deployment...................................................................................................................................... 15
4.4.2 Activation Verification..................................................................................................................................................... 15
4.4.3 Network Monitoring......................................................................................................................................................... 15
5 Fake Base Station Identification and Detection in NSA Networking....................... 16

6 Glossary................................................................................................................................... 18
Issue Draft A Copyright © Huawei Technologies Co., Ltd. ii

(2021-12-30)
5G RAN
Feature Parameter Description Contents
7 Reference Documents...........................................................................................................19
Issue Draft A Copyright © Huawei Technologies Co., Ltd. iii

(2021-12-30)
5G RAN
Feature Parameter Description 1 Change History
1 Change History
This chapter describes changes not included in the "Parameters", "Counters",

"Glossary", and "Reference Documents" chapters. These changes include:
● Technical changes
Changes in functions and their corresponding parameters
● Editorial changes
Improvements or revisions to the documentation
1.1 5G RAN6.1 Draft A (2021-12-30)

This issue introduces the following changes to 5G RAN5.1 01 (2021-03-05).
Issue Draft A Copyright © Huawei Technologies Co., Ltd. 1

(2021-12-30)
5G RAN
Feature Parameter Description 1 Change History
Technical Changes
Change Parameter RAT Base Station
Description Change Model
Enhanced the None FDD 3900 and 5900

fake base station Low-frequency series base
identification and TDD stations
detection function DBS3900
and added High-frequency
TDD LampSite and
locating and DBS5900
impact LampSite
quantification
functions.
Specifically,
● Comprehensive
spoofed fake
base station
detection
● Fake base
station
locating
● Quantitative
data added to
fake base
station
detection
reports.
For details, see
4.1 Principles.
Editorial Changes
Revised descriptions.

(2021-12-30)
5G RAN
Feature Parameter Description 2 About This Document
2 About This Document
2.1 General Statements

Purpose
Feature Parameter Description documents are intended to acquaint readers with:
● The technical principles of features and their related parameters
● The scenarios where these features are used, the benefits they provide, and
the impact they have on networks and functions
● Requirements of the operating environment that must be met before feature
activation
● Parameter configuration required for feature activation, verification of feature
activation, and monitoring of feature performance
NOTE
This document only provides guidance for feature activation. Feature deployment and
feature gains depend on the specifics of the network scenario where the feature is
deployed. To achieve optimal gains, contact Huawei professional service engineers.
Software Interfaces
Any parameters, alarms, counters, or managed objects (MOs) described in Feature
Parameter Description documents apply only to the corresponding software
release. For future software releases, refer to the corresponding updated product
documentation.

(2021-12-30)
5G RAN
2.2 Differences Between NR FDD and NR TDD

Function Name Difference Chapter/Section
Fake base station None 4 Fake Base

identification and Station
detection in SA Identification and
networking Detection in SA
Networking

detection in NSA Identification and
networking Detection in NSA
Networking
2.3 Differences Between NSA and SA

Fake base station Supported only in SA networking 4 Fake Base

Networking
Fake base station Supported only in NSA networking 5 Fake Base

Networking
2.4 Differences Between High Frequency Bands and

Low Frequency Bands
This document refers to frequency bands belonging to FR1 (410–7125 MHz) as
low frequency bands, and those belonging to FR2 (24250–52600 MHz) as high
frequency bands. For details about FR1 and FR2, see section 5.1 "General" in 3GPP
TS 38.104 V15.5.0.

(2021-12-30)
5G RAN

Networking

Networking

(2021-12-30)
5G RAN
Feature Parameter Description 3 Overview
3 Overview
Attackers use simple wireless devices and dedicated open-source software to

disguise these devices as base stations on the live network. These devices are
called fake base stations. A fake base station attracts surrounding UEs to camp on
its served cells through strong signals. It launches spoofing attacks on UEs and
interferes with normal communications between the network and UEs, affecting
network performance and causing exceptions, such as handover failures and
abnormal service drops. In addition, this may disconnect the UEs from operators'
networks and attach these disconnected UEs to fake base stations.
When a UE accesses an operator's network, its international mobile subscriber
identity (IMSI) is transmitted in plaintext and this information will be ciphered
only after the UE passes access authentication and an air interface security
context is established. This vulnerability allows an attacker to eavesdrop on the
IMSI of a UE over the air interface by using a fake base station, leading to privacy
leakage.
In SA or NSA networking, UEs whose SIM cards are not changed are exposed to
this vulnerability. This version supports the identification and detection of fake
base stations in SA networking and NSA networking.

(2021-12-30)
5G RAN
Fake Base Station Identification and Detection 4 Fake Base Station Identification and Detection in
Feature Parameter Description SA Networking
4 Fake Base Station Identification and

Detection in SA Networking
4.1 Principles
4.1.1 Principles and Procedure of Fake Base Station Detection

An attacker can use a fake base station to attack a UE only after the UE is
attached to a cell served by the fake base station. Then, the attacker can initiate
attacks such as message spoofing, tampering, and eavesdropping on the UE. A
fake base station absorbs a UE, which interferes with normal communication
between the UE and network, resulting in handover failures, interference-induced
service drops, and cell reselection.
Principles of Fake Base Station Identification and Detection

The fake base station identification and detection function collects and analyzes
statistics based on handover failure (HO) events and cell global identifier (CGI)
measurement events reported by UEs, and identifies abnormal cells that are not
within the network planning scope, as shown in Figure 4-1.

(2021-12-30)
5G RAN
Figure 4-1 Principles of fake base station identification and detection
The fake base station identification and detection function performs:

● Handover event analysis, by collecting statistics on inter-cell handover
exceptions to detect abnormal neighboring cells.
● ANR analysis, by comparing neighboring cell parameters (including PCIs, CGIs,
TACs, and frequencies) in CGI measurement reports (MRs) with NE
configuration and network engineering parameters to identify abnormal cells
that are not within the network planning scope. PCI, CGI, and TAC stand for
physical cell identifier, cell global identifier, and tracking area code,
respectively.
● Additional analysis for fake base stations with spoofed base station
parameters on the live network, to determine that a base station is a fake
base station if:
– The TAC of the target neighboring cell is different from that of the
serving cell.
– The inter-site distance meets the requirements illustrated in Figure 4-2.

(2021-12-30)
5G RAN
Figure 4-2 Requirements for the inter-site distance of fake base stations
Procedure of Fake Base Station Identification and Detection

Figure 4-3 illustrates the process of fake base station identification and detection.

(2021-12-30)
5G RAN
Figure 4-3 Function process
1. On the MAE-Evaluation, an operator subscribes to related NE information.

2. The operator imports the complete network engineering parameters to the
MAE-Evaluation.
3. On the MAE-Evaluation, the operator specifies the target region for fake base
station identification and detection.
4. On the MAE-Evaluation, the operator checks whether ANR-related functions
are enabled in the target region. If the ANR-related functions are disabled, the
operator is advised to enable them first. Otherwise, the accuracy of fake base
station identification and detection results will be affected. For details about
the ANR-related functions, see Prerequisite Functions.
5. On the MAE-Evaluation, the operator manages the fake base station whitelist.
The operator can add known fake base stations that do not need to be
displayed in the results to the whitelist. For details, see 4.1.2 Fake Base
Station Whitelist Management.
6. On the MAE-Evaluation, the operator views the fake base station
identification and detection results. The MAE-Evaluation allows queries on
hourly and daily results. The result output includes the following information:

(2021-12-30)
5G RAN
– Fake base station information list

– Geographic display of fake base stations (For details, see 4.1.3
Geographic Display of Fake Base Stations.)
– Fake base station detection results (For details, see 4.1.4 Fake Base
Station Detection Results.)
7. The operator checks the fake base stations on the live network.
NOTE
For details about how to handle fake base station detection results and how to use
the MAE, see MAE-Evaluation Operation and Maintenance in iMaster MAE Product
Documentation (EulerOS, TaiShan).
Application Constraints of Fake Base Station Identification and Detection

Application constraints of fake base station identification and detection are as
follows:
● This function can identify intra-frequency stationary fake base stations.
● This function can identify inter-frequency stationary fake base stations.
● This function can identify cells with abnormal PCIs, CGIs, or TACs served by
fake base stations.
● Cells with spoofed PCIs, CGIs, and TACs served by fake base stations can be
identified through remote rather than local detection of comprehensive
spoofed fake base stations.
● For network border areas, such as areas on the cross-vendor, cross-city, and
cross-management-domain network borders, it is recommended that
operators import network engineering parameters of neighboring networks to
reduce false identification of fake base stations.
● A base station that is disconnected from the OSS and has incorrect
configurations may be incorrectly identified as a fake base station if its service
interaction with its surrounding base stations is abnormal.
● The fake base station identification and detection function allows queries on
hourly and daily results. Therefore, fake base stations can be detected by this
function at least one hour after they appear.
4.1.2 Fake Base Station Whitelist Management

Operators can add known fake base stations that have been processed to the
whitelist. In the query results of fake base station detection, whitelisted fake base
stations are filtered out and not displayed. The fake base station whitelist can be
imported, exported, or deleted.
NOTE
For details, see MAE-Evaluation Operation and Maintenance in iMaster MAE Product
4.1.3 Geographic Display of Fake Base Stations

The geographic display of fake base stations involves:
● The grid locations of UEs affected by fake base stations, which reflect the
coverage of fake base stations.

(2021-12-30)
5G RAN
● Fake base station locating results, which indicate the locations of fake base
stations that are calculated based on UE-reported measurement results
related to fake base stations.
– Prerequisites for viewing fake base station locating results: A fake base
station locating task has been started for a specified region on the MAE-
Evaluation.
– Dependency of fake-base station locating: Intra- and inter-frequency MR
sampling has been enabled on NEs.
– Impacts of fake base station locating: As inter-frequency MR sampling
needs to be enabled on the NE side, the service traffic volume may
decrease by approximately 6.5% in heavy-load scenarios.
– Errors of fake base station locating: There is a 70% probability that the
locating error ranges from 100 m to 200 m, only for stationary fake base
stations in dense urban areas.
– Restrictions on fake base station locating: This function applies only in
dense urban areas with an inter-site distance of approximately 500 m.
NOTE
4.1.4 Fake Base Station Detection Results

The following fake base station detection results can be exported:
● Fake base station information list
● Statistics on the impacts of fake base stations on the live network, including
the number of affected cells, number of handover failures, and number of
abnormal service drops
● Information about cells affected by each fake base station, including the
impacts on handover-related Indicators
NOTE
4.2 Network Analysis
4.2.1 Benefits
None
4.2.2 Impacts
Network Impacts
When fake base station locating is enabled, inter-frequency MR subscription tasks
must be delivered to NEs in the selected area. When NEs are heavily loaded,
subscribing to inter-frequency MRs may decrease the service traffic volume by
approximately 6.5%.

(2021-12-30)
5G RAN
Function Impacts
None
4.3 Requirements
4.3.1 Licenses
To enable fake base station detection on the MAE-Evaluation, the license for fake
base station detection must be activated. For details, see MAE-Evaluation
Operation and Maintenance in iMaster MAE Product Documentation (EulerOS,
TaiShan).
4.3.2 Software
Before activating this function, ensure that its prerequisite functions have been
activated and mutually exclusive functions have been deactivated. For detailed
operations, see the relevant feature documents.
Prerequisite Functions
RAT Function Name Function Switch Reference
FDD Intra-RAT ANR NR_NR_ANR_SW option of ANR

Low- the
frequency NRCellAlgoSwitch.AnrSwitch
TDD parameter
High-
frequency
TDD
FDD PCI collision PCI_COLLISION_DETECT_SW ANR

Low- detection option of the
frequency NRCellAlgoSwitch.AnrSwitch
TDD parameter
High-
frequency
TDD
Mutually Exclusive Functions

None
4.3.3 Hardware
Base Station Models
3900 and 5900 series base stations. 3900 series base stations must be configured
with the BBU3910.

(2021-12-30)
5G RAN
DBS3900 LampSite and DBS5900 LampSite. DBS3900 LampSite must be

configured with the BBU3910.
Boards
All NR-capable main control boards and baseband processing units support this
function. For details, see the BBU technical specifications in 3900 & 5900 Series
Base Station Product Documentation.
RF Modules
All NR-capable RF modules support this function. For details, see the technical
specifications of RF modules in 3900 & 5900 Series Base Station Product
Documentation.
4.3.4 Others
None
4.4 Operation and Maintenance

Operation and maintenance of this function is performed on the MAE.
4.4.1 Data Configuration
4.4.1.1 Data Preparation

After logging in to the MAE-Client, operators can perform the following three
steps to enable fake base station identification and detection in SA networking:
1. Create a customized analysis region for fake base station identification and
detection in SA networking. For details, see section "Managing Customized
Regions" by choosing "Operation and Maintenance" > "MAE-Evaluation
Operation and Maintenance" > "Topic" in MAE Product Documentation
(EulerOS, TaiShan).
2. Check whether the prerequisite functions of fake base station identification
and detection in SA networking are enabled for cells in the created analysis
region. For details about the prerequisite functions, see Prerequisite
Functions.
If the prerequisite functions are disabled, it is recommended that the
prerequisite functions be enabled before the fake base station identification
and detection in SA networking is enabled. Otherwise, the accuracy of the
detection results will be affected.
3. Enable the fake base station identification and detection in SA networking for
the created analysis region. For details, see "How Do I Turn on the Fake BTS
Detection Switch?" by choosing "Operation and Maintenance" > "MAE-
Evaluation Operation and Maintenance"> "Topic" > "Coverage Report" in MAE
Product Documentation (EulerOS, TaiShan).

(2021-12-30)
5G RAN
4.4.1.2 Using MML Commands

None
4.4.1.3 Using the MAE-Deployment

For detailed operations, see Feature Configuration Using the MAE-Deployment.
4.4.2 Activation Verification

After this function is enabled, check whether this function has taken effect by
following the instructions provided in "How Do I Turn on the Fake BTS Detection
Switch?" by choosing "Operation and Maintenance" > "MAE-Evaluation Operation
and Maintenance"> "Topic" > "Coverage Report" in MAE Product Documentation
(EulerOS, TaiShan).
4.4.3 Network Monitoring

None

(2021-12-30)
5G RAN
Feature Parameter Description NSA Networking
5 Fake Base Station Identification and

Detection in NSA Networking
Fake base station identification and detection in NSA networking is implemented

on the MAE-Evaluation of the OSS, as shown in Figure 5-1. The network areas for
fake base station identification and detection can be selected as required. Base
stations collect data such as NE configuration data, abnormal events, and
measurement reports, and report them to the MAE-Evaluation. The MAE-
Evaluation analyzes the reported data to determine whether fake base stations
perform IMSI capture attacks over the air interface and generates information
about possible fake base stations in the area.

(2021-12-30)
5G RAN
Feature Parameter Description NSA Networking
Figure 5-1 Fake base station identification and detection in NSA networking
In NSA networking, IMSI-related access messages over the air interface are
processed or forwarded by eNodeBs, but not gNodeBs. Signal interference and
simulation in fake base station attacks are also targeted at eNodeBs. Therefore,
the eNodeBs are the real victims. In fake base station identification and detection
in NSA networking, eNodeBs collect and report data to the MAE-Evaluation. For
details about related requirements and operations, see Fake Base Station
Identification and Detection in eRAN Feature Documentation.

(2021-12-30)
5G RAN
Feature Parameter Description 6 Glossary
6 Glossary
For the acronyms, abbreviations, terms, and definitions, see Glossary.

(2021-12-30)
5G RAN
Feature Parameter Description 7 Reference Documents
7 Reference Documents
● 3GPP TS 38.104: "NR; Base Station (BS) radio transmission and reception"
● ANR
● MAE-Evaluation Operation and Maintenance in MAE Product Documentation
(EulerOS, TaiShan)
● Fake Base Station Identification and Detection in eRAN Feature
Documentation
● "Technical Specifications" in 3900 & 5900 Series Base Station Product
Documentation

(2021-12-30)

Fake Base Station Identification and Detection (5G RAN6.1 - Draft A)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Fake Base Station Identification and Detection (5G RAN6.1 - Draft A)

Uploaded by

Copyright:

Available Formats

5G RAN

Fake Base Station Identification

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Issue Draft A Copyright © Huawei Technologies Co., Ltd. i

2 About This Document.............................................................................................................3

5 Fake Base Station Identification and Detection in NSA Networking....................... 16

Issue Draft A Copyright © Huawei Technologies Co., Ltd. ii

Issue Draft A Copyright © Huawei Technologies Co., Ltd. iii

This chapter describes changes not included in the "Parameters", "Counters",

1.1 5G RAN6.1 Draft A (2021-12-30)

Issue Draft A Copyright © Huawei Technologies Co., Ltd. 1

Enhanced the None FDD 3900 and 5900

Issue Draft A Copyright © Huawei Technologies Co., Ltd. 2

2 About This Document

2.1 General Statements

Issue Draft A Copyright © Huawei Technologies Co., Ltd. 3

2.2 Differences Between NR FDD and NR TDD

Fake base station None 4 Fake Base

Fake base station None 5 Fake Base

2.3 Differences Between NSA and SA

Fake base station Supported only in SA networking 4 Fake Base

Fake base station Supported only in NSA networking 5 Fake Base

2.4 Differences Between High Frequency Bands and

Issue Draft A Copyright © Huawei Technologies Co., Ltd. 4

Function Name Difference Chapter/Section

Fake base station None 4 Fake Base

Fake base station None 5 Fake Base

Issue Draft A Copyright © Huawei Technologies Co., Ltd. 5

Attackers use simple wireless devices and dedicated open-source software to

Issue Draft A Copyright © Huawei Technologies Co., Ltd. 6

4 Fake Base Station Identification and

4.1.1 Principles and Procedure of Fake Base Station Detection

Principles of Fake Base Station Identification and Detection

Issue Draft A Copyright © Huawei Technologies Co., Ltd. 7

Figure 4-1 Principles of fake base station identification and detection

The fake base station identification and detection function performs:

Issue Draft A Copyright © Huawei Technologies Co., Ltd. 8

Procedure of Fake Base Station Identification and Detection

Issue Draft A Copyright © Huawei Technologies Co., Ltd. 9

Figure 4-3 Function process

1. On the MAE-Evaluation, an operator subscribes to related NE information.

Issue Draft A Copyright © Huawei Technologies Co., Ltd. 10

– Fake base station information list

Application Constraints of Fake Base Station Identification and Detection

4.1.2 Fake Base Station Whitelist Management

4.1.3 Geographic Display of Fake Base Stations

Issue Draft A Copyright © Huawei Technologies Co., Ltd. 11

4.1.4 Fake Base Station Detection Results

4.2 Network Analysis

Issue Draft A Copyright © Huawei Technologies Co., Ltd. 12

FDD Intra-RAT ANR NR_NR_ANR_SW option of ANR

FDD PCI collision PCI_COLLISION_DETECT_SW ANR

Mutually Exclusive Functions

Issue Draft A Copyright © Huawei Technologies Co., Ltd. 13

DBS3900 LampSite and DBS5900 LampSite. DBS3900 LampSite must be

4.4 Operation and Maintenance

4.4.1 Data Configuration

4.4.1.1 Data Preparation

Issue Draft A Copyright © Huawei Technologies Co., Ltd. 14

4.4.1.2 Using MML Commands

4.4.1.3 Using the MAE-Deployment