This work addresses a critical gap in existing rogue base station detection systems, which rely on custom-built prototypes and consequently lack awareness of real-world behaviors exhibited by commercial equipment, leading to incomplete threat models and undetected attack vectors. To bridge this gap, the authors present Devilray, a reconstructable adversarial baseline system grounded in the first empirical analysis of a commercial rogue base station and aligned with 3GPP standards. Devilray systematically generates 2,592 realistic behavioral variants of rogue base stations and evaluates them through a configurable RF emulation platform and a rigorous assessment framework. Comprehensive testing across seven representative detectors reveals substantial coverage gaps in all, exposing systemic vulnerabilities rooted in overly restrictive assumptions. This study thus establishes a more realistic benchmark and adversarial model for future research in cellular network security.

Fake Base Station (FBS) detection has been a critical focus of cellular security research for over two decades. However, significant financial and regulatory barriers to accessing commercial FBS (C-FBS) devices have limited direct visibility into real-world operations, forcing detection systems to be designed and evaluated around self-built prototypes. In this paper, we present Devilray, a reconfigurable and reference-grade adversarial baseline designed to systematically explore the realistic adversarial space and identify adversarial blind spots in current detection -- regions of realistic adversarial behavior excluded by prevailing threat models. We establish an empirical ground truth through the first academic analysis of a C-FBS and extend these observations into specification-driven operational variants permitted by 3GPP standards. Devilray enables the systematic exploration of 2,592 feasible and realistic FBS instances, capturing a wide range of operational possibilities. Using Devilray, we evaluate seven representative accessible FBS detectors and uncover coverage gaps across all seven, revealing blind spots rooted in assumption-bound design and evaluation. Our work provides the first robust adversarial model grounded in real-world behavior and specification analysis, enabling the community to develop and evaluate future detection mechanisms in a rigorous manner.