The first open source LTE sniffer with full functionality


LTE base station

There are many guides on the Internet on how to set up one's own LTE base station. 4G networks have become a massive and accessible data transmission infrastructure, so it is important to understand what security threats exist in this area and how traffic can be intercepted and analyzed.

Until recently, tools for listening to LTE traffic had limited functionality and could not analyze all of the signalling data. In 2023, however, engineers from the Korea Advanced Institute of Science and Technology (KAIST) published the source code of LTESniffer, the world's first open-source LTE sniffer with a full set of functionality, including decoding of PDCCH and PDSCH traffic.


History of LTE sniffers and methods of their use

An LTE sniffer passively intercepts the wireless traffic between a 4G base station and its subscribers. Because of the nature of LTE transmissions, anyone with suitable equipment can receive these signals. By mimicking the behaviour of user equipment (such as a smartphone) and of the base station, the sniffer decodes the downlink and uplink traces. Unlike a regular phone, which decodes only its own trace, the sniffer decodes all traces available over the air, including plaintext and some signalling packets. Of course, it cannot decrypt encrypted traffic from client devices, but it can still extract some information from it.

LTE Physical Layer

The uses of LTE sniffers by attackers and by security specialists are described in detail in the literature:

The last of these tasks (network analytics) is the main reason why engineers develop and use sniffers.

Several sniffers have been implemented in previous years, but almost all of them are limited to decoding only the downlink control channel (PDCCH). They do not capture IP packets or the control-plane protocol messages exchanged between the device and the cellular network (RRC and NAS). The first tool to decode the DL control channel was LTEye, with basic network monitoring functions; it was followed by OWL and FALCON. There are also three commercial sniffers, WaveJudge, ThinkRF and AirScope, which can decode the data channels. The first two decode both DL and UL but are impractical because of their price (from $25,000 for WaveJudge). The most popular commercial sniffer in academia is AirScope, but it does not decode UL traffic and its performance is poor (see below). In addition, commercial software is closed source, so it is not easy to modify or extend.

The LTESniffer mentioned above, from Korean researchers, is the world's first open-source LTE sniffer that passively decodes data in both the uplink and the downlink. Crucial to its operation is obtaining the configuration information of every subscriber device, which improves the accuracy of data decoding, especially in high-load scenarios. The main functions of the program are built on the open-source srsRAN package. The paper "LTESniffer: An Open-source LTE Downlink/Uplink Eavesdropper" was prepared for the 16th ACM WiSec conference (2023).



LTESniffer architecture

The implementation of LTESniffer is not trivial, since the detailed configuration and parameters of each user must be understood to successfully decode that user's traffic. Using various methods, the authors found ways to improve decoding performance. The following chart shows that LTESniffer is dramatically superior to AirScope in decoding speed:



Subframe decoding rate during peak load compared to AirScope

LTESniffer compares favourably with other LTE sniffers. As already mentioned, it is essentially the only open-source system that decodes both data channels (DL and UL) as well as the control channel:

The program decodes the Physical Downlink Control Channel (PDCCH) to obtain the Downlink Control Information (DCI) messages and the Radio Network Temporary Identifiers (RNTIs) of all active users. Using the decoded DCI and RNTIs, LTESniffer then decodes the Physical Downlink Shared Channel (PDSCH) and the Physical Uplink Shared Channel (PUSCH) to obtain the downlink and uplink data traffic.
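To make concrete what "obtaining the RNTIs of all active users" from the PDCCH involves, here is an added Python example; it is not code from the article or from LTESniffer. It implements the CRC scrambling that LTE applies to every DCI (the 16-bit CRC is XORed with the target UE's RNTI, 3GPP TS 36.212 section 5.3.3.2) and shows the difference between a phone, which only checks a candidate against its own RNTI, and a sniffer, which reads the RNTI out of every candidate and keeps the C-RNTIs that recur across subframes. The DCI payloads, RNTI values and the recurrence threshold are constructed assumptions, not LTESniffer's actual heuristics.

```python
"""Added example (not part of the original article or of LTESniffer):
how a passive sniffer recovers the RNTI of every user from the PDCCH,
the step that lets it go on to decode PDSCH/PUSCH for all of them.

On the PDCCH the 16-bit CRC of each DCI is XORed with the RNTI of the UE
it addresses (3GPP TS 36.212, 5.3.3.2). A phone recomputes the CRC and
accepts the candidate only if the result matches its own RNTI; a sniffer
XORs the recomputed CRC with the received one and thereby reads out the
RNTI, whoever it belongs to. All DCI payloads and RNTIs are constructed."""

import random
from collections import Counter

CRC16_POLY = 0x1021  # gCRC16(D) = D^16 + D^12 + D^5 + 1 (TS 36.212, 5.1.1)

# RNTI value ranges, TS 36.321 Table 7.1-1 (Rel-8 allocation)
RA_RNTI_RANGE = range(0x0001, 0x003C + 1)
C_RNTI_RANGE = range(0x003D, 0xFFF3 + 1)
P_RNTI = 0xFFFE
SI_RNTI = 0xFFFF


def crc16(bits):
    """CRC-16 over a bit list, MSB first, initial register 0, no reflection,
    no final XOR: the polynomial remainder defined in TS 36.212 5.1.1."""
    crc = 0
    for b in bits:
        feedback = ((crc >> 15) & 1) ^ b
        crc = (crc << 1) & 0xFFFF
        if feedback:
            crc ^= CRC16_POLY
    return crc


def int_to_bits(value, width):
    """Big-endian bit list, so element 0 is the MSB (x_rnti,0 in the spec)."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def bytes_to_bits(data):
    return [bit for byte in data for bit in int_to_bits(byte, 8)]


def attach_scrambled_crc(dci_bits, rnti):
    """eNB side: append CRC(payload) XOR RNTI (TS 36.212, 5.3.3.2)."""
    return dci_bits + int_to_bits(crc16(dci_bits) ^ rnti, 16)


def recover_rnti(coded_bits):
    """Sniffer side: RNTI = CRC(payload) XOR received (scrambled) CRC."""
    payload, rx_crc = coded_bits[:-16], coded_bits[-16:]
    return crc16(payload) ^ bits_to_int(rx_crc)


def ue_accepts(coded_bits, own_rnti):
    """UE behaviour: only its own C-RNTI and the broadcast RNTIs pass."""
    return recover_rnti(coded_bits) in (own_rnti, SI_RNTI, P_RNTI)


def active_c_rntis(subframes, min_subframes=2):
    """Sniffer behaviour: harvest C-RNTIs across subframes. A blind-decode
    candidate that is not really a DCI yields a random 16-bit "RNTI", so
    only RNTIs that recur in several subframes are trusted (the threshold
    here is an assumption, not LTESniffer's own rule)."""
    hits = Counter()
    for sf in subframes:
        for rnti in {recover_rnti(c) for c in sf}:
            if rnti in C_RNTI_RANGE:
                hits[rnti] += 1
    return {rnti for rnti, n in hits.items() if n >= min_subframes}


def constructed_cell(seed=1):
    """Three constructed subframes: C-RNTI 0x1234 scheduled in all of them,
    0x2222 in two, 0x3333 in one, plus a system-information DCI under
    SI-RNTI. Payloads are 31 random bits, a plausible DCI format 1A size."""
    rng = random.Random(seed)

    def dci():
        return [rng.randrange(2) for _ in range(31)]

    return [
        [attach_scrambled_crc(dci(), 0x1234), attach_scrambled_crc(dci(), SI_RNTI),
         attach_scrambled_crc(dci(), 0x2222)],
        [attach_scrambled_crc(dci(), 0x1234), attach_scrambled_crc(dci(), 0x3333)],
        [attach_scrambled_crc(dci(), 0x1234), attach_scrambled_crc(dci(), 0x2222)],
    ]


if __name__ == "__main__":
    cell = constructed_cell()
    first = cell[0][0]
    print("sniffer recovers RNTI 0x%04X" % recover_rnti(first))
    print("UE with C-RNTI 0x5678 accepts it:", ue_accepts(first, 0x5678))
    print("active C-RNTIs:", sorted(hex(r) for r in active_c_rntis(cell)))
```

Note that the recovery only works on correctly decoded candidates: a single flipped payload bit changes the recomputed CRC and therefore yields a wrong RNTI, which is why real sniffers combine this with RNTI tracking over time rather than trusting any one decode.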

LTESniffer also provides an API mode with three functions: identity mapping (ID matching), IMSI collection and UE profiling.

System requirements

Currently, LTESniffer works stably on Ubuntu 18.04/20.04/22.04.

Decoding real-time traffic requires a high-performance CPU with multiple cores, especially during peak load times when there are many active users at the base station.

LTESniffer successfully decoded base station traffic with 150 active users in real time on an Intel i7-9700K.

Recommended configuration:

  • Intel i7 CPU with at least 8 physical cores
  • At least 16 GB RAM
  • 256 GB SSD storage
  • A software-defined radio (SDR)

LTESniffer supports different SDR setups for downlink-only and for uplink plus downlink sniffing.

For downlink-only sniffing of a base station, most SDRs supported by the srsRAN library can be used (e.g. USRP or BladeRF). The SDR must be connected to the PC via a USB 3.0 port. In addition, a GPSDO and two RX antennas are required to decode downlink messages in transmission modes 3 and 4.

In UL+DL mode two frequencies have to be processed simultaneously, which calls for the more professional USRP X310 (about $9,100) or two USRP B-series devices.


Thus, to monitor a cellular network, track users and analyze network traffic effectively, it is no longer necessary to buy an expensive commercial software license: all of this is available in an open-source package.
