Published LTESniffer toolkit for intercepting traffic in 4G LTE networks

Researchers from the Korea Advanced Institute of Technology have published the LTESniffer toolkit, which passively (without transmitting any signal on the air) monitors and captures traffic between a base station and a mobile phone in 4G LTE networks. The toolkit includes utilities for capturing traffic and an API for using LTESniffer's functionality from third-party applications.

LTESniffer decodes the physical channel PDCCH (Physical Downlink Control Channel) to obtain the scheduling information sent by the base station (DCI, Downlink Control Information) and the temporary network identifiers of the phones (RNTI, Radio Network Temporary Identifier). Once the DCI and RNTI are known, the data carried on the PDSCH (Physical Downlink Shared Channel) and PUSCH (Physical Uplink Shared Channel) channels can be decoded, giving access to downlink and uplink traffic. LTESniffer does not decrypt encrypted messages exchanged between a mobile phone and a base station; it only exposes information that is transmitted in clear text. For example, messages broadcast by the base station and the initial connection messages are sent unencrypted, which makes it possible to collect information about which number called which number, and when.
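To make concrete what the unencrypted PDCCH carries, here is an added example (not code from LTESniffer or its authors) that decodes the fields of one DCI format 1A payload for a 20 MHz (100 resource block) FDD cell. The field layout follows 3GPP TS 36.212/36.213 for the C-RNTI case; the sample payload is constructed, and the padding rules that apply at some bandwidths are left out.

```python
import math
from dataclasses import dataclass

N_RB_DL = 100  # a 20 MHz LTE carrier has 100 downlink resource blocks

@dataclass
class Dci1A:
    distributed_vrb: bool  # localized (False) or distributed (True) VRB mapping
    rb_start: int          # first allocated resource block
    n_rb: int              # number of contiguous resource blocks (L_CRBs)
    mcs: int               # modulation and coding scheme index
    harq_id: int           # HARQ process number (3 bits in FDD)
    ndi: int               # new data indicator
    rv: int                # redundancy version
    tpc: int               # TPC command for PUCCH

def riv_bits(n_rb_dl):
    """Width of the Resource Indication Value field for the cell bandwidth (TS 36.212 5.3.3.1.3)."""
    return math.ceil(math.log2(n_rb_dl * (n_rb_dl + 1) / 2))

def encode_riv(rb_start, l_crbs, n_rb_dl):
    """RIV as the eNodeB computes it (TS 36.213 7.1.6.3); used here only to build the sample."""
    if l_crbs - 1 <= n_rb_dl // 2:
        return n_rb_dl * (l_crbs - 1) + rb_start
    return n_rb_dl * (n_rb_dl - l_crbs + 1) + (n_rb_dl - 1 - rb_start)

def decode_riv(riv, n_rb_dl):
    """Invert encode_riv: the naive split overflows the carrier exactly in the second branch."""
    l_crbs, rb_start = riv // n_rb_dl + 1, riv % n_rb_dl
    if rb_start + l_crbs > n_rb_dl:
        l_crbs, rb_start = n_rb_dl - l_crbs + 2, n_rb_dl - 1 - rb_start
    return rb_start, l_crbs

def decode_dci_1a(bits, n_rb_dl=N_RB_DL):
    """Parse a bit string in transmission order (padding for ambiguous sizes is ignored)."""
    if len(bits) != 15 + riv_bits(n_rb_dl):
        raise ValueError(f"expected {15 + riv_bits(n_rb_dl)} bits, got {len(bits)}")
    fields = iter(bits)
    take = lambda n: int("".join(next(fields) for _ in range(n)), 2)
    if take(1) != 1:  # flag 0 would mean DCI format 0 (uplink grant), which shares this payload size
        raise ValueError("format flag indicates DCI format 0, not 1A")
    distributed = take(1) == 1
    rb_start, l_crbs = decode_riv(take(riv_bits(n_rb_dl)), n_rb_dl)
    return Dci1A(distributed, rb_start, l_crbs, take(5), take(3), take(1), take(2), take(2))

# Constructed sample: localized 20-RB grant from RB 10, MCS 15, HARQ process 3, NDI 1, RV 0, TPC 1.
SAMPLE_DCI_1A = "10" + format(encode_riv(10, 20, N_RB_DL), "013b") + "01111" + "011" + "1" + "00" + "01"
```

Everything the decoder returns is scheduling metadata, not user data; it is what a passive receiver can read before any RNTI-to-subscriber correlation.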

Interception requires additional hardware. To capture only the traffic sent by the base station, a USRP B210 software-defined radio (SDR) with two antennas, costing about $2000, is sufficient. Capturing traffic from a mobile phone to the base station requires the more expensive USRP X310 SDR board with two additional transceivers (the kit costs about $11000), since passive sniffing of the packets sent by phones requires precise time synchronization between transmitted and received frames and simultaneous reception of signals in two different frequency bands. A sufficiently powerful computer is also required to decode the protocol: for example, to analyze the traffic of a base station with 150 active users, a system with an Intel i7 CPU and 16 GB of RAM is recommended.

Main features of LTESniffer:

  • Real-time decoding of the downlink and uplink LTE channels PDCCH, PDSCH and PUSCH.
  • Support for LTE Advanced (4G) and LTE Advanced Pro (5G, 256-QAM) specifications.
  • Support for DCI (Downlink Control Information) formats: 0, 1A, 1, 1B, 1C, 2, 2A, 2B.
  • Support for data transfer modes: 1, 2, 3, 4.
  • Support for frequency division duplex (FDD) channels.
  • Support for cells with channel bandwidths up to 20 MHz.
  • Automatic detection of used modulation schemes for incoming and outgoing data (16QAM, 64QAM, 256QAM).
  • Automatic detection of physical layer settings for each phone.
  • LTE Security API support: RNTI-TMSI mapping, IMSI collection, profiling.

Source: opennet.ru