A rogue base station is an attacker station that duplicates a legitimate base station. The rogue base station confuses a set of subscribers trying to get service through what they believe to be a legitimate base station. It may result in a prolonged disruption of service. The exact method of attack depends on the type of network. In a Wi-Fi network, which uses carrier sense multiple access, the attacker has to capture the identity of a legitimate access point. It then builds frames using the legitimate access point's identity and injects the crafted messages when the medium is available. In a WiMAX network this is more difficult to do, because WiMAX uses time division multiple access: the attacker must transmit while the legitimate base station is transmitting.
The signal of the attacker, however, must arrive at the targeted receiving subscribers with more strength and must push the signal of the legitimate base station into the background, relatively speaking. Again, the attacker has to capture the identity of a legitimate base station and then build messages using the stolen identity. The attacker has to wait until the time slots allocated to the legitimate base station start and transmit during those slots, achieving a received signal strength higher than that of the legitimate base station. The receiving subscribers reduce their gain and decode the signal of the attacker instead of the one from the legitimate base station. The rogue base station attack is likely to occur, as there are no technical difficulties for the attacker to resolve. Extensible Authentication Protocol (EAP) supports mutual authentication, i.e. the base station also authenticates itself to the subscriber. When EAP mutual authentication is used, the likelihood of the threat is mitigated, but not totally: the attack remains possible for reasons similar to those given for EAP-based authorization. The rogue base station or access point attack is therefore a threat for which the risk is critical. (WiMAX Vision, 2006)
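The two paragraphs above make one point: a subscriber that simply locks onto the strongest signal carrying a known identity will attach to whichever transmitter is loudest, and mutual authentication is what lets it tell the credentialed base station from a clone. The following Python model, added here as an illustration and not taken from the source text or from any Wi-Fi or WiMAX stack, shows both outcomes. It abstracts the physical-layer capture effect as "try candidates in descending received strength", models mutual authentication as a nonce challenge answered with an HMAC over the advertised identity under a shared credential, and uses constructed values throughout (the identity `BS-0042`, the RSSI figures and the credential are all invented for the example).

```python
"""Toy model: subscriber attachment with and without mutual authentication.

Added example; not code from the original text or from any real base station
or subscriber implementation. All identities, signal strengths and keys are
constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class Transmitter:
    """One station the subscriber can hear.

    A legitimate base station and a rogue that cloned its identity advertise
    the same bs_id; they differ only in received strength and in whether they
    hold the shared credential used for mutual authentication.
    """
    label: str            # for the reader only; the subscriber never sees it
    bs_id: str            # advertised identity (the rogue copies this)
    rssi_dbm: int         # constructed receive strength at the subscriber
    key: Optional[bytes]  # credential from mutual authentication; None for a clone

    def answer(self, nonce: bytes) -> bytes:
        """Challenge response: HMAC-SHA256 over identity and nonce with the key.

        A station that only cloned the identity has no key and can return
        nothing better than random bytes.
        """
        if self.key is None:
            return os.urandom(32)
        return hmac.new(self.key, self.bs_id.encode() + nonce, hashlib.sha256).digest()


class Subscriber:
    def __init__(self, trusted: dict[str, bytes], mutual_auth: bool):
        self.trusted = trusted          # bs_id -> credential the subscriber provisioned
        self.mutual_auth = mutual_auth  # whether the base station must prove itself

    def _verify(self, tx: Transmitter) -> bool:
        """Challenge the station under the advertised identity's credential."""
        key = self.trusted.get(tx.bs_id)
        if key is None:
            return False
        nonce = os.urandom(16)
        expected = hmac.new(key, tx.bs_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tx.answer(nonce))

    def attach(self, heard: list[Transmitter]) -> Optional[Transmitter]:
        """Try the strongest signal first, as a receiver that captures the
        dominant transmitter would. Without mutual authentication the strongest
        wins outright; with it, a station that fails the challenge is skipped.
        """
        for tx in sorted(heard, key=lambda t: t.rssi_dbm, reverse=True):
            if not self.mutual_auth or self._verify(tx):
                return tx
        return None


def demo() -> tuple[str, str]:
    """Return which transmitter a naive and a mutually authenticating
    subscriber attach to when a louder clone is present (constructed scenario)."""
    key = b"constructed-shared-credential"
    legit = Transmitter("legitimate", "BS-0042", rssi_dbm=-70, key=key)
    rogue = Transmitter("rogue", "BS-0042", rssi_dbm=-55, key=None)  # louder, cloned id
    heard = [legit, rogue]
    naive = Subscriber({"BS-0042": key}, mutual_auth=False).attach(heard)
    checked = Subscriber({"BS-0042": key}, mutual_auth=True).attach(heard)
    return naive.label, checked.label


if __name__ == "__main__":
    print(demo())  # ('rogue', 'legitimate')
```

The naive subscriber attaches to the louder clone, which is the outcome the text describes; the mutually authenticating subscriber rejects it because the clone cannot answer the challenge, and falls through to the credentialed station. The model covers only the case where the rogue lacks the credential; the text's caveat that the threat is mitigated but not eliminated lies outside what this toy demonstrates.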