Downloads, Hacking Tools, LTESniffer, Smartphone, Sniffer, Sniffers, Sniffing, Synchronization, Wireshark

LTESniffer – An Open-source LTE Downlink/Uplink Eavesdropper

LTESniffer is An Open-source LTE Downlink/Uplink Eavesdropper

It first decodes the Physical Downlink Control Channel (PDCCH) to obtain the Downlink Control Informations (DCIs) and Radio Network Temporary Identifiers (RNTIs) of all active users. Using decoded DCIs and RNTIs, LTESniffer further decodes the Physical Downlink Shared Channel (PDSCH) and Physical Uplink Shared Channel (PUSCH) to retrieve uplink and downlink data traffic.

LTESniffer supports an API with three functions for security applications and research. Many LTE security research assumes a passive sniffer that can capture privacy-related packets on the air. However, non of the current open-source sniffers satisfy their requirements as they cannot decode protocol packets in PDSCH and PUSCH. We developed a proof-of-concept security API that supports three tasks that were proposed by previous works: 1) Identity mapping, 2) IMSI collecting, and 3) Capability profiling.

Please refer to our paper for more details.

LTESniffer in layman’s terms

LTESniffer is a tool that can capture the LTE wireless messages that are sent between a cell tower and smartphones connected to it. LTESniffer supports capturing the messages in both directions, from the tower to the smartphones, and from the smartphones back to the cell tower.

LTESniffer CANNOT DECRYPT encrypted messages between the cell tower and smartphones. It can be used for analyzing unencrypted parts of the communication between the cell tower and smartphones. For example, for encrypted messages, it can allow the user to analyze unencrypted parts, such as headers in MAC and physical layers. However, those messages sent in plaintext can be completely analyzable. For example, the broadcast messages sent by the cell tower, or the messages at the beginning of the connection are completely visible.

Ethical Consideration

The main purpose of LTESniffer is to support security and analysis research on the cellular network. Due to the collection of uplink-downlink user data, any use of LTESniffer must follow the local regulations on sniffing the LTE traffic. We are not responsible for any illegal purposes such as intentionally collecting user privacy-related information.

Features

New Update

  • Supports two USRP B-series for uplink sniffing mode. Please refer to LTESniffer-multi-usrp branch and its README for more details.
  • Improved the DCI 0 detected in uplink.
  • Fixed some bugs.

LTESniffer is implemented on top of FALCON with the help of srsRAN library. LTESniffer supports:

  • Real-time decoding LTE uplink-downlink control-data channels: PDCCH, PDSCH, PUSCH
  • LTE Advanced and LTE Advanced Pro, up to 256QAM in both uplink and downlink
  • DCI formats: 0, 1A, 1, 1B, 1C, 2, 2A, 2B
  • Transmission modes: 1, 2, 3, 4
  • FDD only
  • Maximum 20 MHz base station.
  • Automatically detect maximum UL/DL modulation schemes of smartphones (64QAM/256QAM on DL and 16QAM/64QAM/256QAM on UL)
  • Automatically detect physical layer configuration per UE.
  • LTE Security API: RNTI-TMSI mapping, IMSI collecting, UECapability Profiling.

Hardware and Software Requirement

OS Requirement

Currently, LTESniffer works stably on Ubuntu 18.04/20.04/22.04.

Hardware Requirement

Achieving real-time decoding of LTE traffic requires a high-performance CPU with multiple physical cores. Especially when the base station has many active users during the peak hour. LTESniffer was able to achieve real-time decoding when running on an Intel i7-9700K PC to decode traffic on a base station with 150 active users.

The following hardware is recommended

  • Intel i7 CPU with at least 8 physical cores
  • At least 16Gb RAM
  • 256 Gb SSD storage

SDR

LTESniffer requires different SDR for its uplink and downlink sniffing modes.

To sniff only downlink traffic from the base station, LTESniffer is compatible with most SDRs that are supported by the srsRAN library (for example, USRP or BladeRF). The SDR should be connected to the PC via a USB 3.0 port. Also, it should be equipped with GPSDO and two RX antennas to decode downlink messages in transmission modes 3 and 4.

On the other hand, to sniff uplink traffic from smartphones to base stations, LTESniffer needs to listen to two different frequencies (Uplink and Downlink) concurrently. To solve this problem, LTESniffer supports two options:

  • Using a single USRP X310. USRP X310 has two Local Oscillators (LOs) for 2 RX channels, which can turn each RX channel to a distinct Uplink/Downlink frequency. To use this option, please refer to the main branch of LTESniffer.
  • Using 2 USRP B-Series. LTESniffer utilizes 2 USRP B-series (B210/B200) for uplink and downlink separately. It achieves synchronization between 2 USRPs by using GPSDO for clock source and time reference. To use this option, please refer to the LTESniffer-multi-usrp branch of LTESniffer and its README.

Installation

Important note: To avoid unexpected errors, please follow the following steps on Ubuntu 18.04/20.04/22.04.

Dependencies

  • Important dependency: UHD library version >= 4.0 must be installed in advance (recommend building from source). The following steps can be used on Ubuntu 18.04. Refer to UHD Manual for full installation guidance.

UHD dependencies:

sudo apt update
sudo apt-get install autoconf automake build-essential ccache cmake cpufrequtils doxygen ethtool \
g++ git inetutils-tools libboost-all-dev libncurses5 libncurses5-dev libusb-1.0-0 libusb-1.0-0-dev \
libusb-dev python3-dev python3-mako python3-numpy python3-requests python3-scipy python3-setuptools \
python3-ruamel.yaml

Clone and build UHD from source (make sure that the current branch is higher than 4.0)

<div class="highlight highlight-source-shell notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="git clone https://github.com/EttusResearch/uhd.git cd /host mkdir build cd build cmake ../ make -j 4 make test sudo make install sudo ldconfig” dir=”auto”>

git clone https://github.com/EttusResearch/uhd.git
cd <uhd-repo-path>/host
mkdir build
cd build
cmake ../
make -j 4
make test
sudo make install
sudo ldconfig

Download firmwares for USRPs:

sudo uhd_images_downloader

We use a 10Gb card to connect USRP X310 to PC, refer to UHD Manual [1], [2] to configure USRP X310 and 10Gb card interface. For USRP B210, it should be connected to PC via a USB 3.0 port.

Test the connection and firmware (for USRP X310 only):

<div class="highlight highlight-source-shell notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="sudo sysctl -w net.core.rmem_max=33554432 sudo sysctl -w net.core.wmem_max=33554432 sudo ifconfig mtu 9000 sudo uhd_usrp_probe” dir=”auto”>

sudo sysctl -w net.core.rmem_max=33554432
sudo sysctl -w net.core.wmem_max=33554432
sudo ifconfig <10Gb card interface> mtu 9000
sudo uhd_usrp_probe
  • srsRAN dependencies:
sudo apt-get install build-essential git cmake libfftw3-dev libmbedtls-dev libboost-program-options-dev libconfig++-dev libsctp-dev
  • LTESniffer dependencies:
sudo apt-get install libglib2.0-dev libudev-dev libcurl4-gnutls-dev libboost-all-dev qtdeclarative5-dev libqt5charts5-dev

Build LTESniffer from source:

git clone https://github.com/SysSec-KAIST/LTESniffer.git
cd LTESniffer
mkdir build
cd build
cmake ../
make -j 4 (use 4 threads)

Usage

LTESniffer has 3 main functions:

  • Sniffing LTE downlink traffic from the base station
  • Sniffing LTE uplink traffic from smartphones
  • Security API

After building from source, LTESniffer is located in <build-dir>/src/LTESniffer

Note that before using LTESniffer on the commercial, one should have to check the local regulations on sniffing LTE traffic, as we explained in the Ethical Consideration.

To figure out the base station and Uplink-Downlink band the test smartphone is connected to, install Cellular-Z app on the test smartphone (the app only supports Android). It will show the cell ID and Uplink-Downlink band/frequency to which the test smartphone is connected. Make sure that LTESniffer also connects to the same cell and frequency.

General downlink sniffing

<div class="highlight highlight-source-shell notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="sudo .//src/LTESniffer -A 2 -W -f

-C -m 0 example: sudo ./src/LTESniffer -A 2 -W 4 -f 1840e6 -C -m 0 -A: number of antennas -W: number of threads -f: downlink frequency -C: turn on cell search -m: sniffer mode, 0 for downlink sniffing and 1 for uplink sniffing” dir=”auto”>

sudo ./<build-dir>/src/LTESniffer -A 2 -W <number of threads> -f <DL Freq> -C -m 0
example: sudo ./src/LTESniffer -A 2 -W 4 -f 1840e6 -C -m 0
-A: number of antennas
-W: number of threads
-f: downlink frequency
-C: turn on cell search
-m: sniffer mode, 0 for downlink sniffing and 1 for uplink sniffing

Note: to run LTESniffer with USRP B210 in the downlink mode, add option -a "num_recv_frames=512" to the command line. This option extends the receiving buffer for USRP B210 to achieve better synchronization.

<div class="highlight highlight-source-shell notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="sudo .//src/LTESniffer -A 2 -W -f

-C -m 0 -a "num_recv_frames=512" example: sudo ./src/LTESniffer -A 2 -W 4 -f 1840e6 -C -m 0 -a "num_recv_frames=512"” dir=”auto”>

sudo ./<build-dir>/src/LTESniffer -A 2 -W <number of threads> -f <DL Freq> -C -m 0 -a "num_recv_frames=512"
example: sudo ./src/LTESniffer -A 2 -W 4 -f 1840e6 -C -m 0 -a "num_recv_frames=512"

General uplink sniffing

Note: In the uplink sniffing mode, the test smartphones should be located nearby the sniffer, because the uplink signal power from UE is significantly weaker compared to the downlink signal from the base station.

<div class="highlight highlight-source-shell notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="sudo .//src/LTESniffer -A 2 -W -f

-u

Security API

<div class="highlight highlight-source-shell notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="sudo .//src/LTESniffer -A 2 -W -f

-u