Home
/
Blog
/

Fake Base Station Attacks in 5G: Why Overshadowing Still Bypasses the Air Interface

Fake base station and overshadowing attacks still target 5G. Why the air interface stays exposed and how mobile operators can detect the activity.

Research
Jul 13, 2026
Fake Base Station Attacks in 5G: Why Overshadowing Still Bypasses the Air Interface

Fake base station attacks still work against 5G. 5G introduced strong subscriber identity protection and mandatory mutual authentication, yet it never authenticated the radio cell before a device connects to it. A device still attaches to whichever cell broadcasts the strongest usable signal, and most of the messages exchanged before authentication completes carry no integrity protection. That gap is exactly what fake base stations and signal overshadowing attacks exploit, and recent published research shows the technique remains practical on 5G Standalone networks.

This article explains how fake base station and overshadowing attacks operate against 5G, what they let an attacker achieve, what 3GPP is doing to close the gap, and how operators can detect the activity on their own networks. For the wider radio access picture, see our overview of RAN security.

What is a fake base station attack in 5G?

A fake base station is a radio transmitter that impersonates a legitimate cell so nearby devices attach to it instead of the real network. The concept predates 5G. In 2G, 3G, and 4G it is best known as the IMSI catcher, a rogue cell that tricks a handset into revealing its permanent identity or into using weaker security. If you need a primer on that identifier, see what IMSI is and why it matters.

In 5G the device is a User Equipment (UE), the cell is a gNB, and the standard adds protections that were missing in earlier generations. The threat did not disappear, it shifted. Instead of harvesting a plaintext identity, a modern fake base station in 5G focuses on the messages and procedures that happen before a trusted security context exists between the UE and the network.

Why 5G did not remove the fake base station problem

The short answer: 5G protects the subscriber identity and authenticates the core network, but it does not authenticate the cell at the radio layer before a security context is established.

Two 5G mechanisms are often cited as the cure. The first is concealment of the subscriber identity. The permanent identifier (SUPI) is no longer sent in clear text. It is encrypted into the Subscription Concealed Identifier (SUCI) using a public key belonging to the home network, which we cover in detail in SUPI and SUCI in 5G. The second is mutual authentication through 5G-AKA, where the network proves itself to the UE using the authentication token (AUTN) and its message authentication code, explained in our breakdown of AKA.

Neither mechanism authenticates the cell at the moment the UE is choosing where to camp. Cell selection and reselection are driven by signal measurements, so a UE attaches to the strongest suitable cell regardless of who operates it. The broadcast system information (the MIB and SIBs), paging messages, the early RRC connection setup, the NAS Identity Request, and RRC and registration reject messages are all sent before or outside the protection that 5G-AKA eventually establishes. An attacker who can transmit those messages convincingly can influence the device before any cryptographic trust exists.

Overshadowing: attacking the air interface without a full rogue network

Overshadowing is a refinement of the fake base station idea. Instead of standing up a complete rogue cell and persuading devices to camp on it, the attacker injects crafted radio signals on top of the legitimate base station transmission. The injected signal is timed and powered so the receiver decodes the attacker bits rather than the genuine ones. Published academic work, including the SigOver and AdaptOver techniques, demonstrated this against LTE and 5G Non-Standalone deployments, and more recent research has extended it to 5G Standalone.

Downlink overshadowing

In downlink overshadowing the attacker overwrites messages that appear to come from the real cell toward the device. Spoofed system information, a forged RRC reject, an unexpected Identity Request, or a registration reject can be slipped into the device input. Because these messages arrive before integrity protection is active, the device has no cryptographic way to tell genuine from forged. This is the building block for downgrade and denial of service.

Uplink overshadowing

Uplink overshadowing targets the messages the device sends toward the network. Recent research on 5G Standalone showed that an attacker can use the uplink grant contained in the Random Access Response to transmit a crafted message with slightly higher power, overshadowing the device legitimate Msg3 during the random access procedure. The effect can be a stealthy denial of service that disables connections to a base station, or manipulation of the early RRC exchange, without operating a visible rogue cell.

Does Standalone or Non-Standalone deployment change the risk?

Both deployment modes are exposed, for different reasons. In 5G Non-Standalone (NSA), the 5G radio is anchored to a 4G core and reuses the LTE control plane, so it inherits the air-interface weaknesses already well documented in LTE, including the unprotected early messages that classic overshadowing exploited. In 5G Standalone (SA), the device uses a native New Radio control plane and the full 5G security architecture, which is a genuine improvement, yet the structural gap remains: the cell is still not authenticated before a security context exists, and broadcast system information is still unprotected. Recent research extending uplink overshadowing to SA confirms that moving to a pure 5G core does not, by itself, remove the problem. Operators planning their SA migration should treat false base station resilience as a separate work item rather than assuming it is solved by the core upgrade.

What an attacker can achieve

The practical impact falls into four categories.

  1. Downgrade. A fake base station can advertise a legacy radio technology, or a spoofed reject can push the device to fall back to 2G, 3G, or 4G, where the security context is weaker. Once on a legacy bearer, older interception and tracking techniques become available again. The value of strong 5G ciphering is undone when the device is coerced off 5G, a point we explore in our review of encryption across mobile generations.
  2. Denial of service. Uplink overshadowing of the random access procedure, or repeated forged reject messages, can prevent a device or a group of devices from attaching, quietly and locally.
  3. Privacy and presence testing. Forcing a NAS Identity Request can prompt the device to send its SUCI, which can then be captured and replayed to test whether a specific subscriber is present in an area, a linkability problem that survives even when the identity itself stays encrypted.
  4. Message injection. Any pre-authentication message the device accepts can be forged, giving the attacker a foothold to manipulate behaviour before security mode is established.

What 3GPP is doing about false base stations

3GPP has acknowledged the problem and studied countermeasures, but the strongest fixes are not yet a mandatory baseline. The security group SA3 documented the issue in the technical report TR 33.809, the study on 5G security enhancements against false base stations. Candidate mitigations described there include digitally signing broadcast system information so a device can verify that a cell belongs to a legitimate operator, network-side detection that uses device measurement reports to spot cells that should not exist, and hash or timestamp based protection of selected messages.

The baseline 5G security architecture is defined in TS 33.501, and it already mandates SUCI concealment and 5G-AKA. The false base station enhancements, by contrast, remain largely at the study and option stage. Until broadcast authentication is widely deployed, the air interface keeps the structural weakness that overshadowing relies on, which is the absence of cell authentication before a security context exists.

How operators can detect fake base station activity

The most reliable defence available today is network-side detection rather than device-side prevention. Operators do not control the radio environment around every subscriber, but they do see telemetry that an attack tends to disturb.

Useful signals include device measurement reports that reference cells or physical cell identities that the operator never deployed, sudden and localised clusters of downgrades from 5G to legacy technologies, abnormal patterns in the random access and RRC setup procedures that can indicate uplink overshadowing, and spikes in registration or attach rejects that do not match planned network changes. Correlating radio-layer telemetry with core signalling monitoring turns isolated anomalies into a detectable pattern. This is the same discipline that underpins telecom intrusion detection, and it pairs naturally with the protocol-aware monitoring discussed throughout our work on RAN and core security.

Device-side improvements such as signed system information will help once they ship at scale, but they depend on both network upgrades and device support. For the foreseeable future, treating the radio edge as monitorable rather than fully preventable is the pragmatic stance.

Key takeaways

  1. 5G conceals the subscriber identity and authenticates the core, but it does not authenticate the cell before a security context exists, so fake base stations remain feasible.
  2. Overshadowing injects crafted signals over a legitimate cell, in both downlink and uplink directions, and recent research confirms it works against 5G Standalone.
  3. The realistic outcomes are downgrade, denial of service, presence testing, and pre-authentication message injection, not direct decryption of a properly secured 5G session.
  4. 3GPP TR 33.809 describes mitigations such as signed broadcast information, but these are not yet a mandatory baseline under TS 33.501.
  5. Network-side detection using measurement reports and signalling correlation is the most actionable defence operators have today.

If your team is assessing radio access exposure or planning false base station detection for a 4G or 5G network, P1 Security can help with telecom-specific testing and detection. Reach out at [email protected].

Explore our Mobile Network Security Guide
Summary
Download our whitepaper

LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements

By clicking download you confirm that you accept our terms and conditions.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Be informed

SS7 Attacker Heaven turns into Riot: How to make Nation-State and Intelligence Attackers’ lives much harder on mobile networks

By clicking download you confirm that you accept our terms and conditions.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Towards Harmonization: Mapping EU Telecom Security Regulations and their evolution

By clicking download you confirm that you accept our terms and conditions.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.