Cellular monitoring
Guardian Air scans cellular networks using modem measurement capabilities to identify nearby cells, track the cellular environment, and detect anomalies that may indicate rogue base stations.
Overview
Guardian Air uses a SIMCom SIM7600G-H2 cellular modem to scan Long-Term Evolution (LTE) (4G) and Universal Mobile Telecommunications System (UMTS) (3G) cell activity in the sensor's vicinity. The modem synchronizes with cells and decodes broadcast channels to collect cell measurements, but does not attach to any network or transmit user data. Guardian Air uses this modem-driven scanning to collect information about the serving cell and neighboring cells. This data enables Vantage to identify anomalies that may indicate rogue base stations or unexpected changes in the cellular environment.
What Guardian Air discovers
Guardian Air collects the following information for each detected cell, covering both the serving cell and neighboring cells.
| Data point | Description |
|---|---|
| Network mode | Whether the cell is an LTE (4G) or UMTS (3G) base station. |
| mobile country code (MCC) | The three-digit code identifying the country of the mobile network operator. |
| mobile network code (MNC) | The two- or three-digit code identifying the mobile network operator within a country. |
| Cell ID | The unique identifier (ID) of the base station cell. |
| Frequency band | The LTE or UMTS frequency band in use. Guardian Air resolves band numbers and their corresponding frequency ranges from the E-UTRA absolute radio frequency channel number (EARFCN) (LTE) or UTRA absolute radio frequency channel number (UARFCN) (UMTS) channel number. |
| tracking area code (TAC) | The LTE tracking area code used for location registration (LTE only). |
| physical cell ID (PCI) | The physical layer cell identifier used to distinguish cells on the same frequency (LTE only). |
| Signal strength (received signal strength indicator (RSSI)) | The received signal strength of the cell in dBm. |
| reference signal received power (RSRP) | The average power of LTE reference signal resource elements, used as a measure of signal quality (LTE only). |
| reference signal received quality (RSRQ) | The ratio of RSRP to total received power, indicating signal-to-interference quality (LTE only). |
| Cell role | Whether the cell is the serving (selected) cell in idle mode or a neighbor cell detected during scanning. |
| Operator name | The name of the mobile network operator, where available. |
Attack detection
Guardian Air uses cellular scan data to detect anomalies that may indicate unauthorized network infrastructure.
| Attack type | Description |
|---|---|
| Rogue cell tower | A cell with stronger signal and mismatched parameters is detected, possibly indicating a rogue or fake base station. |
Frequency bands monitored
Guardian Air detects LTE cells across a broad range of frequency bands, from sub-700 MHz low-band spectrum to 3.8 GHz high-band spectrum. The modem resolves the frequency range from the EARFCN value reported for each cell. Examples of monitored bands include Band 1 (2110 to 2170 MHz) and Band 3 (1805 to 1880 MHz). Additional examples include Band 7 (2620 to 2690 MHz), Band 20 (791 to 821 MHz), and Band 28 (758 to 803 MHz), among others.
For UMTS (3G), Guardian Air uses the UARFCN value to identify the cell's operating frequency.
Hardware
Cellular monitoring uses the SIMCom SIM7600G-H2 module
(interface cellular). This module also provides Global Positioning System (GPS) capability
when used for location services. No SIM card is required for cellular monitoring
because the sensor operates in scan-only mode.