Sniffing Attack

Note

This attack is based on the open-source Spritelab 5G Sniffer.

Introduction

5G Sniffer is an open-source tool that decodes the Physical Downlink Control Channel (PDCCH) of 5G base stations, revealing the Downlink Control Information (DCI) and the Radio Network Temporary Identifiers (RNTI) it is addressed to. The PDCCH is neither encrypted nor integrity protected; the DCI CRC is only scrambled with the target RNTI, so the tool can recover both by blind-decoding candidates over an RNTI range. It handles the 5G-specific obstacles this involves (scrambled control information, configurable CORESETs and numerologies) and is optimized for decoding speed.

Configuring the Test

Controller Configuration: Add the following to the processes list in the controller configuration located at ran-tester-ue/configs/default.yaml:

processes:
  - type: "sniffer"
    id: "dci_sniffer_1"
    config_file: "../5g-sniffer/MSU-Private5G184205.toml"
    rf:
      type: "b200"
      images_dir: "/usr/share/uhd/images/"

Sniffer Configuration: The sniffer configuration is a TOML file under ran-tester-ue/5g-sniffer/5gsniffer/ (the file named by config_file above). The parameter reference below lists each key with its default value and meaning:

parameter: <default value>  # Parameter description
[sniffer]
file_path: "/home/oran-testbed/5g-sniffer/iq_1842MHz_pdcch_traffic.fc32"  # specifies the path to a spectrum recording file (complex float32 IQ samples)
sample_rate: 23040000                                                     # specifies the sampling rate of the recording, or the operational sampling rate of the SDR, in Hz
frequency: 1842500000                                                     # specifies the center frequency used for the SDR operation, in Hz
nid_1: 1                                                                  # specifies the N_ID_1 part of the physical cell ID (PCI = 3 * N_ID_1 + N_ID_2)
ssb_numerology: 0                                                         # specifies the numerology of the SSB (0 for 15 kHz, 1 for 30 kHz subcarrier spacing)

[pdcch]
coreset_id: 1                                   # specifies the identifier of the CORESET (Control Resource Set) to sniff
subcarrier_offset: 426                          # specifies the subcarrier shift needed to center the CORESET relative to the SSB
num_prbs: 30                                    # indicates the number of PRBs used for the PDCCH (corresponds to "frequencyDomainResources" in RRC)
numerology: 0                                   # indicates the numerology (0, 1, 2) defining subcarrier spacing and slot configuration
dci_sizes_list: [41]                            # indicates the DCI sizes, in bits, to decode (up to 4 per cell)
scrambling_id_start & scrambling_id_end: 1, 10  # specifies the range of PDCCH scrambling IDs to try (two keys)
rnti_start & rnti_end: 17921, 17930             # specifies the range of RNTIs to sniff (two keys); DCIs addressed to RNTIs outside it are not decoded
interleaving_pattern: "non-interleaved"         # indicates the CCE-to-REG mapping used (corresponds to "cce-REG-MappingType" in RRC)
coreset_duration: 1                             # indicates how many OFDM symbols the CORESET spans (corresponds to "duration" in RRC)
AL_corr_thresholds: [1, 0.5, 0.5, 1, 1]         # correlation threshold per aggregation level (1, 2, 4, 8, 16); a candidate is only decoded when its correlation exceeds the threshold, so a higher value speeds decoding but raises the chance of missing DCIs, and a lower value decodes more candidates at higher cost
num_candidates_per_AL: [0, 4, 4, 0, 0]          # number of PDCCH candidates to search per aggregation level (corresponds to "nrofCandidates" in RRC); 0 disables that level

Refer to the Spritelab README for a comprehensive reference.
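A sniffer that is misconfigured does not fail loudly; it simply finds no DCIs. The script below is an added example written for this page (it is not part of ran-tester-ue or the Spritelab 5G Sniffer) that loads a config in the real TOML syntax and checks it against the constraints stated in the parameter reference, plus two 3GPP relations from TS 38.211: PCI = 3 * N_ID_1 + N_ID_2 and subcarrier spacing = 15 kHz * 2^numerology. The embedded config is a constructed sample mirroring the values above; the accepted strings for interleaving_pattern and the parser's TOML subset are assumptions.

```python
"""Sanity-check a 5G Sniffer configuration before a sniffing run.

Added example; not code from ran-tester-ue or the Spritelab 5G Sniffer.
The parser only handles the flat TOML subset such configs use
([section] headers, ints/floats, double-quoted strings, one-level arrays).
"""
import re

# Constructed sample in TOML syntax, mirroring the parameter reference.
# The file path is hypothetical.
SAMPLE_TOML = """
[sniffer]
file_path = "/home/oran-testbed/5g-sniffer/iq_1842MHz_pdcch_traffic.fc32"
sample_rate = 23040000
frequency = 1842500000
nid_1 = 1
ssb_numerology = 0

[pdcch]
coreset_id = 1
subcarrier_offset = 426
num_prbs = 30
numerology = 0
dci_sizes_list = [41]
scrambling_id_start = 1
scrambling_id_end = 10
rnti_start = 17921
rnti_end = 17930
interleaving_pattern = "non-interleaved"   # assumed valid values: "interleaved", "non-interleaved"
coreset_duration = 1
AL_corr_thresholds = [1, 0.5, 0.5, 1, 1]
num_candidates_per_AL = [0, 4, 4, 0, 0]
"""


def _scalar(tok):
    """Convert one TOML scalar token: "string", int, or float."""
    tok = tok.strip()
    if tok.startswith('"') and tok.endswith('"'):
        return tok[1:-1]
    return float(tok) if "." in tok else int(tok)


def parse_flat_toml(text):
    """Parse [section] / key = value lines into nested dicts (comments stripped)."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strings with '#' are not supported
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = cfg.setdefault(m.group(1), {})
            continue
        key, eq, value = line.partition("=")
        if not eq:
            raise ValueError(f"unparsable line: {raw!r}")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            parsed = [_scalar(v) for v in value[1:-1].split(",") if v.strip()]
        else:
            parsed = _scalar(value)
        (section if section is not None else cfg)[key.strip()] = parsed
    return cfg


def nid_1_from_pci(pci):
    """Split a physical cell ID into (N_ID_1, N_ID_2); PCI = 3*N_ID_1 + N_ID_2 (TS 38.211)."""
    if not 0 <= pci <= 1007:
        raise ValueError("PCI must be in 0..1007")
    return divmod(pci, 3)


def scs_khz(numerology):
    """Subcarrier spacing in kHz for numerology mu: 15 * 2**mu (TS 38.211)."""
    return 15 * 2 ** numerology


def check_sniffer_config(cfg):
    """Return a list of problems; an empty list means the config is self-consistent."""
    s, p, problems = cfg["sniffer"], cfg["pdcch"], []
    if s["ssb_numerology"] not in (0, 1):
        problems.append("ssb_numerology must be 0 (15 kHz) or 1 (30 kHz)")
    if p["numerology"] not in (0, 1, 2):
        problems.append("numerology must be 0, 1 or 2")
    if not 0 <= s["nid_1"] <= 335:
        problems.append("nid_1 must be in 0..335 (N_ID_1 range)")
    if not 1 <= len(p["dci_sizes_list"]) <= 4:
        problems.append("dci_sizes_list must hold 1..4 sizes")
    if not 0 <= p["scrambling_id_start"] <= p["scrambling_id_end"] <= 0xFFFF:
        problems.append("scrambling_id range must satisfy 0 <= start <= end <= 65535")
    if not 0 <= p["rnti_start"] <= p["rnti_end"] <= 0xFFFF:
        problems.append("rnti range must satisfy 0 <= start <= end <= 65535")
    if p["interleaving_pattern"] not in ("interleaved", "non-interleaved"):  # assumed strings
        problems.append("interleaving_pattern must be 'interleaved' or 'non-interleaved'")
    if p["coreset_duration"] not in (1, 2, 3):
        problems.append("coreset_duration must be 1..3 OFDM symbols")
    if p["num_prbs"] % 6:
        problems.append("num_prbs should be a multiple of 6 (frequencyDomainResources is a bitmap of 6-RB groups)")
    if len(p["AL_corr_thresholds"]) != 5 or len(p["num_candidates_per_AL"]) != 5:
        problems.append("AL_corr_thresholds and num_candidates_per_AL need one entry per aggregation level (1,2,4,8,16)")
    elif not any(p["num_candidates_per_AL"]):
        problems.append("num_candidates_per_AL is all zero: no PDCCH candidate will be searched")
    return problems


if __name__ == "__main__":
    found = check_sniffer_config(parse_flat_toml(SAMPLE_TOML))
    print("\n".join(found) if found else "config OK")
```

Run it against your own file by replacing SAMPLE_TOML with the file contents; nid_1_from_pci converts a PCI read from a UE or scanner into the nid_1 value the [sniffer] section expects.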

Attack Metrics

  • MIB (Master Information Block)
    • Cell ID
    • SFN (System Frame Number)
    • SCS (Subcarrier Spacing)
    • CFO (Carrier Frequency Offset)

  • SSB (Synchronization Signal Block)

  • Cell frequency

  • RNTI (Radio Network Temporary Identifier)

  • DCI (Downlink Control Information)
    • Slot index
    • Correlation
    • Symbol in chunk
    • Sample time
    • Found aggregation level

Running the Test

Start the sniffing attack from the ran-tester-ue directory; the controller launches the configured sniffer process and the metrics above are displayed in Grafana in real time:

sudo docker compose --profile system up

Access the Grafana dashboard at http://localhost:3300 on the host running the compose stack.