
Characterizing Encrypted Application Traffic through Cellular Radio Interface Protocol

Md Ruman Islam, Raja Hasnain Anwar, Spyridon Mastorakis, Muhammad Taqi Raza

TL;DR

This work reveals a practical privacy risk: even with end-to-end encryption, 5G signaling—specifically MAC/PHY interactions and unencrypted DCI bitmaps—acts as a side channel that exposes user applications in real time. By building a six-month, in-the-wild dataset of 1217 traces (~43GB) and extracting RRB throughput features across UL/DL, the authors show that both the type of activity and the exact apps can be distinguished, including intra-category differentiation. Their ML evaluation with Random Forest and Extra Trees achieves up to 94% accuracy, demonstrating robust app- and activity-level fingerprinting from 5G control-plane data. The findings underscore a significant privacy vulnerability in 5G signaling and motivate defense and design considerations to mitigate such side-channel leaks in future networks.

Abstract

Modern applications are end-to-end encrypted to prevent data from being read or secretly modified. 5G technology provides ubiquitous access to these applications without compromising the application-specific performance and latency goals. In this paper, we empirically demonstrate that 5G radio communication becomes the side channel to precisely infer the user's applications in real-time. The key idea lies in observing the 5G physical and MAC layer interactions over time that reveal the application's behavior. The MAC layer receives the data from the application and requests the network to assign the radio resource blocks. The network assigns the radio resources as per application requirements, such as priority, Quality of Service (QoS) needs, amount of data to be transmitted, and buffer size. The adversary can passively observe the radio resources to fingerprint the applications. We empirically demonstrate this attack by considering four different categories of applications: online shopping, voice/video conferencing, video streaming, and Over-The-Top (OTT) media platforms. Finally, we have also demonstrated that an attacker can differentiate various types of applications in real-time within each category.
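
To make the leak concrete, the following added example (not code from the paper or its authors) turns per-grant allocation records into a windowed throughput series, derives summary features, and measures how far apart two traffic profiles sit using the gap between their empirical CDFs. The record format, window size, feature set and both sample traces are assumptions constructed for illustration; the paper's own features and dataset are not reproduced here.

```python
from bisect import bisect_right

# Constructed sample grants: (time_ms, direction, allocated_bytes).
# Real traces carry resource-block counts and a modulation scheme; using
# bytes per grant directly is a simplifying assumption of this example.
STEADY = [(t, "DL", 1200) for t in range(0, 1000, 20)]          # small, regular grants
BURSTY = [(t, "DL", 30000) for t in (0, 5, 10, 400, 405, 410)]  # rare, large grants

def throughput_series(grants, window_ms=100, span_ms=1000, direction="DL"):
    """Sum allocated bytes per fixed window for one direction."""
    bins = [0] * (span_ms // window_ms)
    for t, d, nbytes in grants:
        if d == direction and 0 <= t < span_ms:
            bins[t // window_ms] += nbytes
    return bins

def features(series):
    """Summary features of the kind a tree-based classifier could consume."""
    mean = sum(series) / len(series)
    peak = max(series)
    active = sum(1 for v in series if v > 0)
    return {
        "mean": mean,
        "peak": peak,
        "active_fraction": active / len(series),
        "peak_to_mean": peak / mean if mean else 0.0,
    }

def ks_distance(a, b):
    """Two-sample Kolmogorov-Smirnov statistic: largest gap between empirical CDFs."""
    sa, sb = sorted(a), sorted(b)
    points = sorted(set(sa) | set(sb))
    return max(
        abs(bisect_right(sa, x) / len(sa) - bisect_right(sb, x) / len(sb))
        for x in points
    )

if __name__ == "__main__":
    s, b = throughput_series(STEADY), throughput_series(BURSTY)
    print(features(s))
    print(features(b))
    print("KS distance:", ks_distance(s, b))
```

A distance near 0 means the two allocation patterns are hard to tell apart from throughput alone; a distance near 1 means the scheduling pattern by itself separates them, which is the property a traffic-shaping or padding defense would need to reduce.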

Paper Structure (9 sections, 1 equation, 8 figures, 2 tables)

This paper contains 9 sections, 1 equation, 8 figures, 2 tables.

Figures (8)

  • Figure 1: Comparison of 5G RRB throughput CDFs for major shopping websites (a) and VoIP calling apps (b).
  • Figure 2: MAC layer assigns and binds different queues according to user application QoS requirements. The scheduler assigns RRBs against every QoS class.
  • Figure 3: The device receives the C-RNTI in plaintext within the Random Access Response message from the network. The device requests the UL radio resources from the network according to its buffer size. The scheduled radio resource block information is encoded in the UL Grant message. The device sends encrypted data using the Radio Resource Blocks (RBs). The attacker knows the size and the length of RBs to plot the throughput over time and can use it as a side channel to infer the user activities.
  • Figure 4: Distribution of the top six resources downloaded across four major shopping websites. Each website uses a unique combination of resources of varying sizes.
  • Figure 5: Normalized RRB Control plane (CP) and Wireshark downlink (DL) for major shopping websites have identical throughput (TP) patterns. The observation holds true across multiple time instances. For this plot, Wireshark throughput is scaled by a factor of 0.2.
  • ...and 3 more figures