Mobile Threats 2025 : The Air Interface

The First and Most Exposed Frontier

The first link in the mobile communication chain, the radio connection between the device and the network, is also the most exposed.

Long before a call or message reaches the perceived safety of the core network, it must traverse the open air, a domain where adversaries can actively manipulate the connection to identify, track, and intercept communications. This section details the evolution of threats that operate on this air interface, demonstrating how legacy attack vectors have been adapted to compromise even the latest 5G devices.

The Evolution of the False Base Station

From 2G Catchers to 5G Stingrays

At the heart of over-the-air interception is the False Base Station (FBS), a device known by many names, including IMSI Catcher, cell-site simulator, or its most famous brand name, "Stingray". These are sophisticated surveillance tools that impersonate legitimate cell towers. By broadcasting a signal that appears stronger or more attractive than authentic network towers in the vicinity, an FBS tricks mobile devices within its range into connecting to it. Once a device is lured in, the FBS can execute a range of surveillance and attack functions.  

The capabilities of these devices have evolved in lockstep with mobile network technology. While early models were limited to capturing the International Mobile Subscriber Identity (IMSI) on 2G networks, modern IMSI catchers are far more potent and versatile. Commercial vendors now openly market systems that are fully compatible with all contemporary network generations, including 2G (GSM), 3G (UMTS), 4G (LTE), and 5G (NR). Their functionality has expanded well beyond simple identity capture to include:  

  • Location Tracking: Pinpointing a device's precise geographic location.

  • Content Interception: Capturing the content of voice calls and SMS messages, particularly when a device is forced onto a less secure network connection.

  • Denial of Service: Disrupting a target's mobile service.

  • Malicious Content Injection: Broadcasting spoofed SMS messages for social engineering or delivering malware.

This technological maturation has been matched by a trend toward miniaturisation and deployment flexibility. The market for IMSI catchers, which is forecast to reach US$ 591.3 million by 2032, is driven by increasing demand from governments, law enforcement agencies, and intelligence agencies. Consequently, these devices are now available in a variety of form factors tailored to different operational scenarios:

  • Vehicle-Mounted Systems: High-power units, offering up to 20 watts per channel, are installed in vehicles for wide-area surveillance operations, such as tracking all devices at a large public event.

  • Covert Backpack Units: Lightweight, battery-powered systems weighing as little as 4 kg can be concealed in backpacks for mobile, on-the-ground operations in urban areas or difficult terrain.

  • UAV (Drone) Payloads: The most advanced systems are miniaturised into payloads weighing just 1.2 kg, designed for deployment on unmanned aerial vehicles (UAVs). These offer unparalleled flexibility for aerial surveillance, combining multiple channels and significant power in a compact package.

The proliferation and commercialisation of this technology signify a critical shift in the threat landscape. What was once the exclusive domain of top-tier intelligence agencies is now a productized capability available to a much wider range of state and non-state actors, dramatically increasing the threat surface for any high-value individual or organisation.


Downgrade & Bidding-Down Attacks

Forcing Your 5G Phone to Speak 2G

While newer network generations, such as 5G Stand-Alone (SA), have introduced enhanced security features, including encrypting the permanent subscriber identifier (known as SUPI), these protections are rendered useless by a persistent and fundamental vulnerability: backwards compatibility. A 5G phone must be able to connect to a 4G or 2G network if a 5G signal is unavailable. Attackers exploit this requirement through "downgrade" or "bidding-down" attacks, which have become a primary vector for compromising modern devices.

The mechanism is deceptively simple. An attacker operating an FBS does not need to "break" 5G encryption. Instead, the FBS can broadcast specific, unauthenticated control messages to a target device. For example, a Tracking Area Update (TAU) Reject message can be sent with a cause code indicating that "LTE services not allowed" or "5GS Services Not Allowed" [12]. The target phone, correctly following the 3GPP protocol specifications, interprets this as a legitimate network instruction. It ceases to look for a 5G or 4G signal and begins searching for an older, legacy network to connect to. At this point, the attacker's FBS, which is also broadcasting a powerful 2G or 3G signal, becomes the only viable option. The phone connects, and the attacker now has the device on a network where decades-old, well-documented vulnerabilities can be used to intercept its identity and communications.

This reveals a permanent, structural flaw in public cellular networks. The absolute requirement for backward compatibility acts as a "legacy curse," ensuring that the security of the entire system is only as strong as its weakest, oldest link. As long as legacy 2G and 3G networks remain operational anywhere in the world, modern devices will carry the inherent vulnerability of being forcibly downgraded to them, completely negating the billions invested in 4G and 5G security enhancements.

Detection, Legality, and the Privacy Quagmire

The widespread use of IMSI catchers, particularly by law enforcement, exists in a murky legal and ethical space. In the United States, the technology's deployment is often shrouded in secrecy, facilitated by non-disclosure agreements (NDAs) that the FBI has required local police departments to sign. These agreements have, in some cases, prevented law enforcement from disclosing the use of Stingrays even to judges in court proceedings, leading to prosecutors dropping cases rather than reveal their surveillance methods. This practice raises profound Fourth Amendment questions, as the technology does not target a single individual with probable cause but rather conducts a blanket, warrantless search on every mobile device user in a given area, such as all attendees at a protest or sporting event.

Detecting these devices has historically been difficult and prone to false positives. However, recent academic breakthroughs are changing this. Instead of looking for correlated behaviors (like a new cell tower appearing), new detection methodologies focus on the causal network effects an IMSI-catcher must create to operate. Research from 2024 has identified 53 distinct messages an attacker can use to force a phone to reveal its identity. By benchmarking legitimate network traffic, researchers established that commercial networks are designed to minimize these identity exposures (typically below 3-6% of connections). In contrast, an active IMSI-catcher, by its very nature, must maximize them. This causal approach has allowed for the detection of suspected IMSI-catchers in the wild with statistical significance, providing a much more reliable defense against this persistent threat.
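As an added illustration (not code from this report or from Cellcrypt), the following Python applies the causal detection idea described above, together with the downgrade-reject pattern from the previous section, to a constructed baseband event log: it counts, per cell, the share of connections in which an identity was requested and flags cells above the benchmark, plus any reject carrying a downgrade cause code. The log format, the event names IDENTITY_REQ and TAU_REJECT, the 6% cutoff (upper end of the 3-6% range quoted above) and all sample values are assumptions.

```python
"""Flag cells behaving like an IMSI catcher: exposure rate above benchmark, or downgrade rejects."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log ("<cell_id> <rat> <event> [cause=...]"); IDENTITY_REQ stands in for any identity-exposing message.
SAMPLE_LOG = (
    "c1 LTE ATTACH\nc1 LTE IDENTITY_REQ\n"    # legit cell: 1 exposure in 25 connections = 4%
    + "c1 LTE ATTACH\n" * 24
    + "c9 LTE ATTACH\nc9 LTE TAU_REJECT cause=LTE services not allowed\n"
    + "c9 GSM ATTACH\nc9 GSM IDENTITY_REQ\n" * 2  # now on 2G: 2 of 3 connections exposed = 67%
)
BENCHMARK_MAX = 0.06  # assumed cutoff: upper end of the 3-6% range quoted in the text
DOWNGRADE_CAUSES = {"lte services not allowed", "5gs services not allowed"}  # cause codes named in the text

@dataclass
class CellStats:
    connections: int = 0        # ATTACH events seen for this cell
    exposures: int = 0          # connections in which an identity was requested
    downgrade_rejects: int = 0  # rejects carrying a downgrade cause code

def parse(log: str) -> dict[str, CellStats]:
    """Aggregate per-cell counters; an exposure counts at most once per connection."""
    stats: dict[str, CellStats] = defaultdict(CellStats)
    exposed = set()  # cells whose current connection already saw an identity request
    for line in filter(str.strip, log.splitlines()):  # skip blank lines
        cell, _rat, event, *rest = line.split(maxsplit=3)
        s = stats[cell]
        if event == "ATTACH":
            s.connections += 1
            exposed.discard(cell)  # new connection, identity not yet requested
        elif event == "IDENTITY_REQ" and cell not in exposed:
            s.exposures += 1
            exposed.add(cell)
        elif event == "TAU_REJECT" and rest and rest[0].removeprefix("cause=").lower() in DOWNGRADE_CAUSES:
            s.downgrade_rejects += 1
    return dict(stats)

def suspicious(stats: dict[str, CellStats], max_rate: float = BENCHMARK_MAX) -> dict[str, list[str]]:
    """Return {cell: reasons} for cells over the exposure benchmark or issuing downgrade rejects."""
    flagged: dict[str, list[str]] = {}
    for cell, s in stats.items():
        reasons = []
        rate = s.exposures / s.connections if s.connections else 0.0
        if rate > max_rate:
            reasons.append(f"identity exposure {rate:.0%} exceeds {max_rate:.0%} benchmark")
        if s.downgrade_rejects:
            reasons.append(f"{s.downgrade_rejects} reject(s) with a downgrade cause code")
        if reasons:
            flagged[cell] = reasons
    return flagged
```

On a real device the event stream would come from a baseband diagnostic interface; the per-connection ratio matters more than any single identity request, since legitimate networks also issue them occasionally.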
