LTESniffer v2.1 releases: Open-source LTE Downlink/Uplink Eavesdropper

LTE Eavesdropper

LTESniffer – An Open-source LTE Downlink/Uplink Eavesdropper

LTESniffer is An Open-source LTE Downlink/Uplink Eavesdropper

It first decodes the Physical Downlink Control Channel (PDCCH) to obtain the Downlink Control Informations (DCIs) and Radio Network Temporary Identifiers (RNTIs) of all active users. Using decoded DCIs and RNTIs, LTESniffer further decodes the Physical Downlink Shared Channel (PDSCH) and Physical Uplink Shared Channel (PUSCH) to retrieve uplink and downlink data traffic.

LTESniffer supports an API with three functions for security applications and research. Many LTE security research assumes a passive sniffer that can capture privacy-related packets on the air. However, non of the current open-source sniffers satisfy their requirements as they cannot decode protocol packets in PDSCH and PUSCH. We developed a proof-of-concept security API that supports three tasks that were proposed by previous works: 1) Identity mapping, 2) IMSI collecting, and 3) Capability profiling.

Please refer to our paper for more details.

LTESniffer in layman’s terms

LTESniffer is a tool that can capture the LTE wireless messages that are sent between a cell tower and smartphones connected to it. LTESniffer supports capturing the messages in both directions, from the tower to the smartphones, and from the smartphones back to the cell tower.

LTESniffer can NOT DECRYPT encrypted messages between the cell tower and smartphones. It can be used for analyzing unencrypted parts of the communication between the cell tower and smartphones. For example, for encrypted messages, it can allow the user to analyze unencrypted parts, such as headers in MAC and physical layers. However, those messages sent in plaintext can be completely analyzable. For example, the broadcast messages sent by the cell tower, or the messages at the beginning of the connection are completely visible.

Ethical Consideration

The main purpose of LTESniffer is to support security and analysis research on the cellular network. Due to the collection of uplink-downlink user data, any use of LTESniffer must follow the local regulations on sniffing the LTE traffic. We are not responsible for any illegal purposes such as intentionally collecting user privacy-related information.

Features

LTESniffer is implemented on top of FALCON with the help of the srsRAN library. LTESniffer supports:

  • Real-time decoding LTE uplink-downlink control-data channels: PDCCH, PDSCH, PUSCH
  • LTE Advanced and LTE Advanced Pro, up to 256QAM in both uplink and downlink
  • DCI formats: 0, 1A, 1, 1B, 1C, 2, 2A, 2B
  • Transmission modes: 1, 2, 3, 4
  • FDD only
  • Maximum 20 MHz base station.
  • Automatically detect maximum UL/DL modulation schemes of smartphones (64QAM/256QAM on DL and 16QAM/64QAM/256QAM on UL)
  • Automatically detect physical layer configuration per UE.
  • LTE Security API: RNTI-TMSI mapping, IMSI collecting, UECapability Profiling.

Changelog v2.1

  • Supports recording IQ raw data of subframes to file
  • Supports offline decoding using recorded files
  • Enable API in the downlink mode

Install & Use