In communications networks when, for example, performing a handover of a user equipment (UE) from one cell to another one need to establish a neighbour relationship between base stations serving the cells.
In Long Term Evolution systems (LTE), an Adaptive Neighbouring Cell Relations (ANR) function is used in the base stations. The ANR is defined in 3GPP TS 36.331 as a function that automatically conFigures neighbouring cell relations between cells. This is done by assistance from a UE.
A first eNodeB serving a first cell has an ANR function. As a part of the normal call procedure, the first eNodeB instructs each UE to perform measurements on the surrounding radio environment. The first eNodeB may use different policies for instructing the UE to do measurements, and when to report them to the first eNodeB. This measurement procedure comprises the steps:                The UE sends a measurement report regarding a second cell of a second eNodeB. This report contains the second cell's Physical Cell ID (Phy-CID), but not the second cell's Global-CID.        
When the first eNodeB receives a UE measurement report containing Phy-CID, the following sequence may be used.                The first eNodeB instructs the UE, using the newly discovered Phy-CID as parameter, to read the Global-CID, tracking area code (TAC) and all available Public Land Mobile Network (PLMN) ID(s) of the related second cell. To do so, the first eNodeB may need to schedule appropriate idle periods to allow the UE to read the Global-CID from the broadcast channel (BCH) of the detected second cell in any known manner.        When the UE has found out the second cell's Global-CID on the BCH, the UE reports the detected Global-CID to the first eNodeB serving the first cell. In addition, the UE reports the TAC and all PLMN IDs that have been detected, whenever the first eNodeB requests this information.        The first eNodeB decides to add this neighbour relation, and can use Phy-CID and Global-CID to:                    a Lookup a transport layer address to the new second eNodeB.            b Update its Neighbour Relation List.            c If needed, setup a new X2 interface towards this second eNodeB.                        
There is a security problem with ANR in that the ANR functionality utilizes information from the UEs to conFigure neighbouring cell relations.
A “hostile” UE could report “fictional” physical cell identities. This could lead to the creation of neighbouring cells, the creation of neighbouring cell relations and that the establishment of X2 interfaces are initiated.
This type of behaviour could be viewed as a type of Denial of Service (DoS) attack since the “fictional” neighbouring cells would block “real” neighbouring cells (and relations) from being created; setting up X2 interfaces to fictional neighbouring cells leaving no capacity to “real” neighbouring cells. Also, the attack would cause increased signalling load in the radio access network (RAN) since X2 connection establishment would be initiated when the “fictional” neighbouring cell is belonging to another base station.
These types of security issues could be an increasing problem when open source Operating Systems are introduced in the UEs, such as Android and or the like, wherein hostile attacks may increase from different operators/UEs and/or the like.
A similar problem could also occur due to e.g. weather conditions. In certain weather, the radio propagates further (atmospheric reflection) and this will lead to that UEs may report the physical identities of base stations far away from their serving base station.
When the “wrong” neighbouring cell relation has been conFigured by ANR, the UEs are handed over to the “wrong” base station leading to an increased risk of connections being dropped.