![Page 1: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/1.jpg)
FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild
[email protected] http://www.greenorbs.org/people/lzh/
Mar. 1st, 2017
Zhenhua Li Christo Wilson Chen Qian
1
Feb. 26 – Mar. 1
Weiwei Wang Jian Chen Lan Zhang Kebin Liu Yunhao Liu Xiangyang Li Taeho Jung
![Page 2: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/2.jpg)
Outline
Background State of the Art Our System Locating FBSes Summary
2
![Page 3: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/3.jpg)
3
Story 1
From 95599 (Agriculture Bank of China): We’re processing the student loan you’ve applied for, and now requiring you to transfer a deposit of ¥9900 (≈$1500) to the bank account XXXXXXXXX.
SMS Text Message
* Note: This is a simplified version of the actual story which involves more complex details.
![Page 4: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/4.jpg)
4
Story 2
From 95566 (Bank of China): We’re processing the house mortgage for you. Please prepare ¥17,600,000 (≈$2,600,000) ...
SMS Text Message
* Note: This is a simplified version of the actual story which involves more complex details.
Fake Base Stations
![Page 5: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/5.jpg)
5
GSM (Global System for Mobile Communication) Birth Year User Scale Speed Security
2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion High Fine
authentication
X
Fake Base Stations
![Page 6: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/6.jpg)
6
FBS Carrier
Veryhighsignalstrength
![Page 7: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/7.jpg)
7
Fake Base Station (FBS)
Legitimate BS
FBS
Wireless Transceiver
Engineering Laptop
Engineering Cellphone
USB Cable
FBS
![Page 8: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/8.jpg)
8
FBS Attack on GSM Phones
Current Connection
Location Update
WhichBShasthehighest
signalstrength?
- 70 dBm
- 30 dBm - 60 dBm
- 100 dBm
ImayhavetoswitchmyBSconnec8on…
GSM
![Page 9: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/9.jpg)
9
FBS Attack on GSM Phones
New Connection
- 70 dBm
- 30 dBm - 60 dBm
- 100 dBm
GSM
![Page 10: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/10.jpg)
10
FBS Can Also Impact 3G/4G Phones
Jamming Signal
GSM 3G/4G
Degrade
GSM GSM has existed for many years, so
abandoning GSM also needs many years …
![Page 11: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/11.jpg)
11
FBS Attack Is NOT Hypothetical
US China India
Russia UK
☜ Year #FBSMsgs
2013 >>2.9billion
2014 >>4.2billion
2015 >>5.7billion
N*billion
![Page 12: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/12.jpg)
12
FBS Industry in China
Device:$400
Dailyincome:$40
Device:$1000
Dailyincome:$70
Device:$700
Dailyincome:upto$1400
![Page 13: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/13.jpg)
13
FBS Industry in China
Device:$400
Dailyincome:$40
Device:$1000
Dailyincome:$70
Device:$700
Dailyincome:upto$1400
![Page 14: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/14.jpg)
State of the Art
14
![Page 15: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/15.jpg)
15
Electronic Fence
Huge infrastructure costs à Poor scalability
![Page 16: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/16.jpg)
16
FBS-signal Detection Car
Random walk à Limited coverage & “dull”
![Page 17: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/17.jpg)
17
User Reporting
Most users don’t realize the existence of FBSes
Dial 12321
![Page 18: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/18.jpg)
18
Client-side Tools
Do they really work in large-scale practice? …
![Page 19: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/19.jpg)
Our System: FBS-Radar
19
![Page 20: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/20.jpg)
20
Baidu PhoneGuard Users Opt-in Report multiple
fields of suspicious SMS messages
p Sender’s number is not in the recipient’s contact list
p Sender’s number is an authoritative number
![Page 21: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/21.jpg)
21
Five Methods
1.SignalStrength
Examina8on
2.BSIDSyntaxChecking
3.MessageContentMining
4.BS-WiFiLoca8onAnalysis
5.BS-HandoverSpeed
Es8ma8on
0.23%
0.15%
0.16% 4.1%
0.39% ~100M users
![Page 22: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/22.jpg)
22
3.1 Signal Strength Examination
☜
-40 dBm
FBS
> -40 dBm
0.23%ofuser-reportedsuspicious
SMSmessages
![Page 23: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/23.jpg)
23
3.2 BS ID Syntax Checking
BS ID = MCC + MNC + LAC + CID
p MCC: Mobile Country Code, 3 digits p MNC: Mobile Network Code, 2 digits p LAC: Location Area Code, 16 bits p CID: Cell Identity, 16 bits for 2G/3G and 28 bits for 4G
0.15% of suspicious messages were sent by BSes with syntactically invalid IDs
![Page 24: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/24.jpg)
24
3.3 Message Content Mining p Bag-of-words SVM (SupportVectorMachine)classifier trained on 200,000 hand-labeled SMS messages ① Labellingsuspiciousmessages;② Wordsegmenta8on;③ Featureextrac8on;④ Quan8zingthefeaturevector;⑤ TrainingtheSVMmodel;⑥ Preprocessingthetestset;⑦ SVMclassifica8onofthetestset.
0.16% of suspicious messages came from authoritative phone numbers and were determined to contain fraud text content
l Computa8onintensive
l Viola8onofuserprivacy
![Page 25: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/25.jpg)
25
3.4 BS-WiFi Location Analysis
BS Location
User WiFi Location
4.1% of suspicious messages were sent by BSes that were not in their correct geolocation, i.e., they were spoofing the ID of a legitimate but distant BS.
![Page 26: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/26.jpg)
26
3.4 Counterfeiting a Nearby BS ID
Current Connection
Location Update
IfIcounterfeitanearbyBSID
…
- 70 dBm
- 30 dBm - 60 dBm
- 100 dBm Myloca8ondoesnotchangealot,soIneedn’tswitchtoanewBSJ
![Page 27: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/27.jpg)
27
3.5 BS-Handover Speed Estimation p For BS-WiFi location analysis, what if the WiFi
location information is not available?
![Page 28: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/28.jpg)
28
4.5 BS-Handover Speed Estimation
>>0.39%ofsuspiciousSMSmessagescomefromFBSes
![Page 29: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/29.jpg)
29
Detection Performance p > 4.7% of suspicious messages should have come from FBSes - False positive rate is only 0.05% (according to user feedback), mainly due to the inaccuracy of our WiFi database
p Set-3 (by message content mining) is >98% covered by the other 4 sets
- No need to collect the text content of users’ messages!
![Page 30: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/30.jpg)
30
Arresting FBS Operators p With the help of FBS-Radar, the police have arrested
tens to hundreds of FBS operators every month
![Page 31: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/31.jpg)
Locating FBSes
31
![Page 32: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/32.jpg)
32
Locating FBSes based on User Device Locations
Time
BS ID1
Ć Ć Window
BS ID2 Ć Ć
p FBSes frequently move and change their IDs Ø We take both temporal and spatial locality into
account
Only those FBS messages 1) using the same BS ID,
2) happening in the same time window,
and 3) located in the same spatial cluster
can be attributed to one FBS.
![Page 33: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/33.jpg)
33
Locating FBSes based on User Device Locations
FBS
deviation distance
p The centroid of every cluster is the estimated location of an FBS.
☜
Thisloca8onaccuracyissufficientforustotrackFBSes!
![Page 34: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/34.jpg)
34
Real-time Locations of FBSes PublicURLàhttp://shoujiweishi.baidu.com/static/map/pseudo.html
![Page 35: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/35.jpg)
35
l Using extensive crowdsourced data, we evaluate five different methods for detecting FBSes in the wild, and find that FBSes can be precisely identified without sacrificing user privacy.
l We present a reasonable method for locating FBSes
with an acceptable accuracy. l FBS-Radar is currently in use by ~100M
people. It protects users from millions of malicious messages from FBSes every day, and has helped the authorities arrest numerous FBS operators every month.
Summary
![Page 36: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/36.jpg)
Backupslides
![Page 37: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/37.jpg)
37
FBS Attack: Passive vs. Active
Passive: IMSI-catcher
Active: Push spam/fraud SMS messages with spoofed phone numbers Year #FBSMsgs
2013 >>2.9billion
2014 >>4.2billion
2015 >>5.7billion
Rarely reported in China, but sometimes reported in the US
![Page 38: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/38.jpg)
38
Ground Truth p Our ONLY ground truth comes from users’ feedback
Wethinkthismessagecomes
fromanFBS.Whatdoyouthink?
p Yes: 99.95%
p No: 0.05%
Manual double-check
![Page 39: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/39.jpg)
39
Why not use GPS? p Most people turn GPS off in most time to save
battery, so we have to ask users for GPS privilege
Locajonaccuracy
increasesby20%?
Userscaledecreasesby20%?for
harassment…
![Page 40: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/40.jpg)
40
Localizing User Devices based on WiFi Information
Dominant Cluster
Centroid
deviation distance
p The centroid of the dominant cluster is the estimated location of the user device k-means
DBSCAN
![Page 41: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/41.jpg)
41
Spam and Fraud SMS Messages
Spam (Ads)
“We are selling excellent, cheap goods and food from Jul. to Aug. 2016. Visit our shops at the People’s Square as soon as possible!” --- sent from a (usually not well-known) mart or grocery. “We provide very cheap and legal invoices that can help you quickly make a big fortune. Don’t hesitate, dial us via the phone number: 010-61881234!” --- sent from a (usually not well-known) company.
Fraud
“Dear user, you are lucky to be the winner of this month’s big award! You will be offered 10-GB FREE 4G traffic by clicking on this URL: http://www.10086award.com.” --- sent from 10086 (China Mobile). “Dear customer, you have failed to pay for this year’s management fee of 100 dollars. If you do not pay for it before Jul. 30th, you will face a fine of 500 dollars. You should pay it by transferring money to the following bank account: ...” --- sent from 95533 (Bank of China).
☜ Spoofed phone numbers
![Page 42: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/42.jpg)
42
FBS-Radar: 4-fold Design Goals p Detect as many FBSes as possible with very
few false positives, without specialized hardware
p Automatically filter spam/fraud FBS messages from user devices with a high precision
p Provide actionable intelligence about geolocations of FBSes to aid law enforcement agencies
p Use minimal resources on client side, minimize collection of sensitive data, and not require root.
![Page 43: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/43.jpg)
43
FBS-Radar & Baidu PhoneGuard
Content-free Analysis
BS-location Database
WiFi-location Database
Content Analysis
User Report
AuthoritativePhone Number List
MessageLogs
SVM Machine Learning Cluster
Baidu PhoneGuard http://shoujiweishi.baidu.com
Crowdsourced data from ~100 Million Users
![Page 44: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/44.jpg)
44
Database and List
Content-free Analysis
BS-location Database
WiFi-location Database
Content Analysis
User Report
AuthoritativePhone Number List
MessageLogs
SVM Machine Learning Cluster
BSIDà<lat,lon,
radius,tag>
WiFiMACà<lat,lon,tag>
≈1500phonenumbers
![Page 45: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/45.jpg)
45
FBS-Radar: Timeline
2014.01-07Design&Implementa8on
2014.08Onlinereleased
2015~17.5millionsuspiciousSMSmessagesreportedperday
2016~32millionsuspiciousSMSmessagesreportedperday
![Page 46: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/46.jpg)
46
Informed Consent from Users
![Page 47: FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild · 2G – GSM 1990 > 1 billion Low Poor 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b682a20583d69fb79226f/html5/thumbnails/47.jpg)
47
Opt-in Options for Users
Detection Rules (for FBS-Radar)
Intelligent Detection ON/OFF
Cloud-side Detection ON/OFF
Content Detection of Suspicious SMS Messages ON/OFF
Suspicious Voice Call & SMS Message Detection ON/OFF
Contacts’ Voice Call & SMS Message Detection ON/OFF
Baidu PhoneGuard
App