Fake base station (FBS) crime is a type of wireless communication crime that has appeared recently. The key to enforcing the laws on regulating FBS based crime is not only to arrest but also to convict criminals effectively. Much work on FBS discovering, localization, and tracking can assist the arresting, but the problem of collecting evidence accurately to support a proper conviction has not been addressed yet. To fill in the gap of enforcing the laws on FBS crimes, we design FBSleuth, an FBS crime forensics framework utilizing “radio frequency (RF) fingerprints”, e.g., the unique characteristics of the FBS transmitters embedded in the electromagnetic signals. Essentially, such fingerprints stem from the imperfections in hardware manufacturing and thus represent a consistent bond between an individual FBS device and its committed crime. We model the RF fingerprint from the subtle variance of the modulation errors, instantaneous frequency, and phases of the RF signals. Our validation of FBSleuth on six FBSes from four cities over more than 5 months shows that FBSleuth can achieve over 99% precision, 96.4% recall, and 97.94% F1 score in a dynamic wild environment.

FBSleuth is composed of five modules: raw signal collection, signal processing, evidence database, fingerprint generation, and verification. The raw signal collection module is to collect the raw signals from FBSes during crime conduction and after an arrest. The collected signals are marked with both time and location information. The signal processing is divided into modulation domain and waveform domain. Modulation domain processing is to calculate several modulation errors for each burst. Waveform domain processing is to extract bursts (basic processing elements in the RF signals) from the raw signals, select target region from the bursts for further fingerprint generation. The evidence database module stores the raw signals, demodulates the FBS signals and records its content, sender and receiver (IMEI for example) information. The fingerprint generation module generates and selects the RF fingerprints from the processed signals both in modulation domain and waveform domain. The verification module utilizes machine learning algorithm to train the model and match the fingerprints with a specific FBS.

Figure 1: Working Flow of FBSleuth. The black arrow (left) indicates the procedure of processing raw FBS signals collected by the acquisition devices when FBS is committing the crime. The blue arrow (right) indicates the procedure of processing raw FBS signals collected by the police when FBS is caught.

Figure 2: Lab Environment Experiment Setup.

Figure 3: Wild Environment Experiment Setup.


Zhou Zhuang, Xiaoyu Ji, Taimin Zhuang, Juchuan Zhang, Wenyuan Xu, Zhenhua Li, Yunhao Liu. FBSleuth: Fake Base Station Forensics via Radio Frequency Fingerprinting. ACM Asia Conference on Computer and Communications Security, 2018.