How Fake BTS Attacks Steal Your OTP — And How to Protect Yourself

If you receive OTP codes via SMS for bank transfers, logins, or password resets, you should read this. This is a realistic attack that has happened in real life in many countries, and cybercriminals have stolen a lot of money with this trick. Potential victims are people who live in countries that still operate a 2G (GSM) mobile network, use older phones with 2G network mode enabled by default, and have assets worth stealing.

1. What is 2G mobile network

2G (Second Generation) is one of the earliest digital mobile network technologies, introduced in the 1990s. Unlike the old analog 1G systems, 2G transmitted voice calls digitally, making communication clearer and more secure than 1G. 2G was designed mainly for voice calls, SMS text messages, and very slow mobile internet (GPRS/EDGE).

Compared to modern networks today such as 4G and 5G, 2G has extremely limited bandwidth and weak security protections. Many security mechanisms used by 2G were created decades ago and are now considered outdated.

Why 2G Still Exists

Even today, many telecom providers still keep 2G active because:

  • Old feature phones still depend on it
  • Some IoT devices use it
  • Rural areas may rely on legacy infrastructure
  • Emergency fallback compatibility

However, this backward compatibility also creates a serious security problem.

2. What Is a Base Transceiver Station (BTS)?

A Base Transceiver Station (BTS) is the radio communication equipment that connects mobile phones to a cellular network. In simple terms, a BTS is the “cell tower” your phone talks to when you:

  • make calls
  • send SMS
  • use mobile data
  • register to the network

Every time your phone shows signal bars, it means your device is communicating with a nearby BTS.


MS — Mobile Station

The Mobile Station is the physical mobile phone, plus the SIM card identity inside it. Each MS has identifiers such as:

  • IMSI (International Mobile Subscriber Identity)
  • IMEI (device identifier)

These identifiers are sensitive, and fake BTS attacks often try to capture them.

BTS — Base Transceiver Station

The BTS acts as the bridge between your phone and the telecom core network. Its responsibilities include:

  • transmitting radio signals
  • receiving signals from phones
  • managing communication channels
  • broadcasting network information
  • forwarding traffic to the carrier network

A BTS usually covers a geographic area called a “cell.” When you move around, your phone constantly switches between BTS towers through a process called handover (or roaming).

How MS and BTS Communicate

The communication between phone and BTS happens over radio frequencies using GSM protocols. The basic flow is as follows:

  1. Phone searches for nearby BTS signals
  2. BTS broadcasts network identity information
  3. Phone selects the strongest or preferred tower
  4. Phone registers itself to the network
  5. BTS assigns communication channels
  6. Voice/SMS/data traffic begins

In 2G GSM, the BTS continuously broadcasts:

  • MCC (country code)
  • MNC (carrier code)
  • Cell ID
  • supported encryption modes

The problem is that early GSM protocols were designed with a dangerous assumption: the phone trusts the BTS automatically. This is the core weakness exploited by fake BTS devices.

3. The Security Problem in 2G GSM

In modern 4G/5G systems, both sides, BTS and MS, authenticate each other. But in classic 2G GSM:

  • The network authenticates the user
  • The user does NOT authenticate the network

That means:

  • A fake tower can pretend to be a legitimate carrier
  • Nearby phones may connect automatically
  • Users often receive no warning

Attackers exploit this weakness by broadcasting a stronger signal than legitimate towers. Once the phone connects, the rogue BTS can:

  • Request IMSI identifiers: this means the attacker can learn your phone number without asking.
  • Downgrade connections from 4G to 2G for weaker encryption: this means the attacker can read your SMS.
  • Intercept SMS: this means the attacker can even impersonate you and send SMS to your friends under your name.
  • Send phishing messages: the attacker can impersonate other legitimate phone numbers, your boss’s number for example, to send you a link and ask you to fill in your passwords.

This is the fundamental mechanism behind IMSI Catchers and Fake BTS attacks.
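To make the one-way authentication concrete, here is an added toy model (not code from the article, and not the real SIM algorithms): HMAC-SHA256 stands in for the SIM's A3 function and for the network MAC that 3G/4G/5G AKA adds. In the 2G flow the phone answers any challenge, so a rogue tower without the key gets exactly the response a genuine one would; in the AKA flow the phone checks the network's MAC first and refuses the rogue. The key and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Added toy model, not real SIM algorithms: HMAC-SHA256 stands in for the
# GSM A3 function (SRES) and for the 3G/4G/5G AKA network MAC in AUTN.
KI = b"constructed-shared-secret-between-sim-and-home-network"


def f_sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: the SIM proves it knows Ki by answering RAND."""
    return hmac.new(ki, b"SRES" + rand, hashlib.sha256).digest()[:4]


def f_mac(ki: bytes, rand: bytes, sqn: int) -> bytes:
    """Stand-in for the AKA MAC: the NETWORK proves it knows Ki."""
    msg = b"MAC" + rand + sqn.to_bytes(6, "big")
    return hmac.new(ki, msg, hashlib.sha256).digest()[:8]


class Phone:
    def __init__(self, ki: bytes):
        self.ki, self.sqn = ki, 0

    def gsm_answer(self, rand: bytes) -> bytes:
        # 2G: the phone answers every challenge; nothing identifies the sender.
        return f_sres(self.ki, rand)

    def aka_answer(self, rand: bytes, mac: bytes, sqn: int):
        # 4G/5G: verify the network's MAC (and freshness) before answering.
        expected = f_mac(self.ki, rand, sqn)
        if sqn <= self.sqn or not hmac.compare_digest(mac, expected):
            return None  # network failed to authenticate itself: refuse
        self.sqn = sqn
        return f_sres(self.ki, rand)


def attach(phone: Phone, network_ki, aka: bool):
    """One attach attempt. network_ki is None for a rogue tower (no Ki)."""
    rand = os.urandom(16)
    if not aka:
        return phone.gsm_answer(rand)
    sqn = phone.sqn + 1
    mac = f_mac(network_ki, rand, sqn) if network_ki else os.urandom(8)
    return phone.aka_answer(rand, mac, sqn)


def rogue_rejected(aka: bool) -> bool:
    """True when a rogue tower (without Ki) fails to get a response."""
    return attach(Phone(KI), None, aka) is None
```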

4. What Is a Fake BTS (IMSI Catcher)?

Mobile phones are designed to automatically search for the “best” available cellular signal. In GSM/2G networks, your phone usually prefers the BTS tower with the strongest signal. Attackers exploit this behavior by broadcasting:

  • a stronger signal than nearby legitimate towers
  • copied carrier information
  • attractive network parameters

To the phone, the fake BTS appears to be a normal carrier tower. Because classic GSM lacks proper network authentication, the device may connect automatically without warning the user.

IMSI stands for International Mobile Subscriber Identity. It is a unique identifier stored inside the SIM card. An IMSI Catcher is named after its ability to trick phones into revealing this identifier. Once attackers collect IMSI numbers, they can:

  • identify devices
  • track movement
  • target specific users

This is one of the first steps in many surveillance-oriented attacks.

5. Attack Setup (High-Level, No Harmful Instructions)

A simplified fake BTS attack flow looks like this:

  1. The attacker activates rogue BTS equipment that acts as a fake tower
  2. The fake tower advertises itself as a legitimate carrier
  3. Nearby phones detect the strong signal
  4. Devices connect automatically to the tower with the stronger signal
  5. The fake BTS then requests device identifiers and controls the communication process

Depending on the attacker’s purpose, the fake tower can:

  • Downgrade your phone from 4G to 2G: this is the most common technique when the goal is stealing OTP codes.
  • Disable encryption: so the attacker can read SMS content, which may contain an OTP code.
  • Forward traffic to the real network: this is the so-called Man-in-the-Middle attack, where the attacker keeps you communicating normally but can eavesdrop on everything.
  • Inject phishing SMS messages: you can receive an SMS that appears to come from a friend’s number, but it is actually delivered by the fake BTS tower; your phone just displays it.

6. How to defend

Symptoms of a Possible Fake BTS Attack

Detecting a fake BTS in real life is extremely difficult. Modern rogue base stations are designed to look almost identical to legitimate carrier towers, and most smartphones provide very little visibility into low-level cellular behavior. Still, there are several warning signs that may indicate suspicious activity.

Sudden Drop to 2G or “E” Signal

One of the most common indicators is your phone suddenly falling back from 4G/5G to 2G, typically showing the icon “E” instead of “4G” in the top-right corner of the screen. Attackers often force devices onto 2G because:

  • GSM security is weaker
  • phones trust the network more easily
  • the encryption protections are easily cracked

A downgrade is more suspicious when 4G/5G coverage is normally strong in the area, the signal change happens unexpectedly, and multiple nearby devices behave similarly.

Weak or Missing Encryption Indicator

In classic GSM networks, the BTS controls whether encryption is enabled. A rogue BTS can force weaker encryption or request no encryption at all. Historically, some phones displayed warnings such as “unencrypted network” or “ciphering disabled”. Today, most smartphones hide these low-level network details, so users rarely receive visible warnings and may have no obvious indication that something suspicious is happening.

Reality: Detection Is Extremely Difficult

The uncomfortable reality is that most users cannot reliably detect a fake BTS attack. Reasons include:

  • Users do not understand how phone calls and SMS work at the technical level.
  • Smartphones show very little radio diagnostic information.
  • Rogue towers can imitate legitimate carrier behavior.

Even cybersecurity professionals often need specialized equipment to investigate suspicious cellular activity. Advanced detection may involve SDR (Software Defined Radio) analysis, baseband monitoring tools, and carrier database comparisons. But ordinary users typically have no easy way to confirm whether a nearby tower is genuine. That is one reason fake BTS attacks remain effective even decades after GSM was introduced.
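An added defensive illustration (not code from the article) of the “carrier database comparison” idea: it runs a few heuristics over constructed cell observations, the kind a baseband-monitoring or SDR tool could log, and flags an unknown cell ID, a 4G-to-2G drop while 4G was still strong, ciphering disabled (A5/0), and an implausibly loud signal. The cell database, network codes, thresholds and captures are all made up for the example.

```python
from dataclasses import dataclass

# Constructed "carrier database" of cells known to be legitimate in this area,
# keyed by (MCC, MNC, LAC, Cell ID). MCC 1 / MNC 1 is a made-up test network.
KNOWN_CELLS = {
    (1, 1, 4011, 51001): "4G",
    (1, 1, 4011, 51002): "4G",
    (1, 1, 4011, 30210): "2G",
}

@dataclass
class CellObservation:
    t: int          # seconds since start of capture (constructed)
    mcc: int
    mnc: int
    lac: int
    cell_id: int
    rat: str        # radio access technology: "2G" or "4G"
    rssi_dbm: int   # received signal strength
    cipher: str     # GSM cipher: "A5/0" means no ciphering; "n/a" on LTE

def analyse(observations):
    """Return (time, reason) findings; an empty list means nothing suspicious."""
    findings = []
    prev = None
    for o in observations:
        key = (o.mcc, o.mnc, o.lac, o.cell_id)
        if key not in KNOWN_CELLS:  # carrier database comparison
            findings.append((o.t, f"unknown cell {key} claiming carrier {o.mcc}/{o.mnc}"))
        if prev and prev.rat == "4G" and o.rat == "2G" and prev.rssi_dbm > -85:
            findings.append((o.t, f"drop 4G->2G although 4G was strong ({prev.rssi_dbm} dBm)"))
        if o.rat == "2G" and o.cipher == "A5/0":
            findings.append((o.t, "GSM cell with ciphering disabled (A5/0)"))
        if o.rssi_dbm > -50:  # thresholds are assumptions; tune per device
            findings.append((o.t, f"implausibly strong signal ({o.rssi_dbm} dBm)"))
        prev = o
    return findings

# Constructed captures: a normal fallback when 4G fades, vs. the pattern above.
BENIGN = [
    CellObservation(0, 1, 1, 4011, 51001, "4G", -75, "n/a"),
    CellObservation(30, 1, 1, 4011, 51001, "4G", -110, "n/a"),
    CellObservation(60, 1, 1, 4011, 30210, "2G", -95, "A5/3"),
]
SUSPICIOUS = [
    CellObservation(0, 1, 1, 4011, 51001, "4G", -75, "n/a"),
    CellObservation(30, 1, 1, 4011, 51001, "4G", -76, "n/a"),
    CellObservation(60, 1, 1, 4011, 60999, "2G", -45, "A5/0"),
]
```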

Mitigation Strategies

Because detecting a fake BTS is unreliable, the reliable option is to move away from OTP sent via SMS. Using an authenticator app such as Google Authenticator or Authy for OTP is highly recommended. Besides that, make sure to disable 2G on your phone if it still supports 2G. Most of today’s mobile phones disable 2G by default, so if you are using an older phone, search for how to disable 2G on your phone model. Last but not least, avoid logging in, resetting passwords, or doing bank transfers on public networks; only do these in places you trust.

