Security and privacy of a user of a wireless device may be attacked by a malicious party. One class of attacks is based on the malicious party placing a piece of radio equipment out in the public where a legitimate mobile network operator (MNO) is providing services. The equipment placed or in the control of the malicious party transmits signals which appear to be legitimate base station signals. Such a piece of radio equipment is referred to herein as a rogue base station run by a rogue operator or hacker. A wireless device, also called a user equipment (UE), may place some trust in the signals from the rogue base station and proceed to attempt to establish or maintain communications using the rogue base station. The rogue base station may attempt to use the UE signals to estimate a geographic location of the UE, an identity of a subscriber using the UE (the name of the person using the wireless device), or to block service to the UE from the legitimate MNO. Blocking service may be referred to as a denial of service (DOS) attack. Some rogue base station behavior is described in A. Shjai et al. “Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems,” archived online with the identifier arXiv:1510.07563v2 [cs.CR] 11 Feb. 2016 (hereinafter “Practical Attacks”).
The Third Generation Partnership Project (3GPP) standards development organization has developed and continues to develop a set of standards referred to as Long Term Evolution (LTE). Some embodiments disclosed herein are illustrated with respect to the 3GPP LTE standards. Further details of LTE standards can be found in i) 3GPP 36.213 v14.2.0, March 2017, “Physical layer procedures,” (hereinafter “3GPP 36.213”), ii) 3GPP 36.212 v14.2.0, March 2017, “Multiplexing and channel coding,” (hereinafter “3GPP 36.212”), iii) 3GPP 36.211 v14.2.0, March 2017, “Physical channels and modulation,” (hereinafter “3GPP 36.211”), iv) 3GPP 36.321, March 2017, “Medium Access Control (MAC) Protocol Specification,” (hereinafter “3GPP 36.321”), v) 3GPP 36.331, March 2017, “Radio Resource Control (RRC) Protocol Specification,” (hereinafter “3GPP 36.331”), and vi) 3GPP 36.304, March 2014, “User equipment (UE) procedures in idle mode,” (hereinafter “3GPP 36.304”).
In general, a base station tower may be used by an MNO to operate one or more sectors, using directional antennas. A common arrangement is to use antennas with a 120 degree beam pattern and maintain three sectors from a single tower at a given frequency band. From the point of view of the MNO, a cell is a geographic region served by one base station or one sector. The signals observed in that geographic region, from the point of view of a UE, may be referred to as a cell.
A base station in an LTE system is generally referred to as an eNodeB. Thus, a rogue base station in an LTE system may be referred to as a rogue eNodeB.