Unveiling Wireless Users' Locations via Modulation Classification-based Passive Attack
Ali Hanif, Abdulrahman Katranji, Nour Kouzayha, Muhammad Mahboob Ur Rahman, Tareq Y. Al-Naffouri
TL;DR
This paper addresses a security risk arising from the openness of wireless standards by proposing a passive localization attack that leverages public modulation and coding scheme (MCS) tables. The method consists of two phases: (i) downlink modulation classification using a CNN on 128 I/Q samples to identify the modulation and derive distance bounds via the MCS table, yielding a ring with inner radius $r_a$ and outer radius $r_b$ around the base station, and (ii) uplink sniffing within that ring to refine Bob’s location using received SNR measurements and coarse Friis-based ranging, potentially augmented by DoA with a multi-antenna Eve. The authors validate the approach across LOS scenarios at $5$, $28$, and $100$ GHz with transmit powers of $200$–$400$ mW, including multi-user and multi-antenna extensions; results show downlink classification accuracies above $80\%$, and uplink localization errors down to $0.27$ m when using a $10$-element ULA, versus about $0.66$ m with a single antenna. They also discuss NLOS extensions via radio-map fingerprinting and the concept of a passive digital twin map, highlighting significant security implications and potential ISAC use cases for future work.
Abstract
The broadcast nature of the wireless medium and openness of wireless standards, e.g., 3GPP releases 16-20, invite adversaries to launch various active and passive attacks on cellular and other wireless networks. This work identifies one such loose end of wireless standards and presents a novel passive attack method enabling an eavesdropper (Eve) to localize a line-of-sight wireless user (Bob) who is communicating with a base station or WiFi access point (Alice). The proposed attack involves two phases. In the first phase, Eve performs modulation classification by intercepting the downlink channel between Alice and Bob. This enables Eve to utilize the publicly available modulation and coding scheme (MCS) tables to do pseudo-ranging, i.e., Eve determines the ring within which Bob is located, which drastically reduces the search space. In the second phase, Eve sniffs the uplink channel, and employs multiple strategies to further refine Bob's location within the ring. Towards the end, we present our thoughts on how this attack can be extended to non-line-of-sight scenarios, and how this attack could act as a scaffolding to construct a malicious digital twin map.
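The following worked example, added here and not taken from the paper, quantifies the first-phase leakage the TL;DR and abstract describe: how a publicly known MCS-to-SNR mapping plus free-space (Friis) propagation turns an observed downlink modulation order into a ring $[r_a, r_b]$ around Alice. The MCS thresholds, the 28 GHz carrier, 200 mW transmit power, 0 dBi antenna gains, 100 MHz bandwidth and 7 dB noise figure are constructed illustrative values, not figures from the paper or from any 3GPP table; the function names are the example's own.

```python
"""Size of the location ring implied by an observed downlink modulation,
under free-space (Friis) path loss. Added example; all numeric inputs below
are assumptions for illustration, not values from the paper."""
import math

C = 299_792_458.0  # speed of light, m/s

# Constructed MCS table: modulation -> minimum SNR (dB) at which the
# scheduler is assumed to select it. Placeholder values, not a 3GPP table.
MCS_THRESHOLDS_DB = [
    ("QPSK", 0.0),
    ("16QAM", 10.0),
    ("64QAM", 20.0),
]


def noise_power_dbm(bandwidth_hz, noise_figure_db):
    """Thermal noise floor at the receiver: -174 dBm/Hz + 10log10(B) + NF."""
    return -174.0 + 10.0 * math.log10(bandwidth_hz) + noise_figure_db


def friis_snr_db(distance_m, tx_power_dbm, freq_hz, noise_dbm,
                 gt_dbi=0.0, gr_dbi=0.0):
    """SNR Bob sees at distance_m from Alice under free-space path loss."""
    lam = C / freq_hz
    path_gain_db = 20.0 * math.log10(lam / (4.0 * math.pi * distance_m))
    return tx_power_dbm + gt_dbi + gr_dbi + path_gain_db - noise_dbm


def friis_distance_m(snr_db, tx_power_dbm, freq_hz, noise_dbm,
                     gt_dbi=0.0, gr_dbi=0.0):
    """Inverse of friis_snr_db: distance at which Bob sees exactly snr_db."""
    lam = C / freq_hz
    path_gain_db = snr_db + noise_dbm - tx_power_dbm - gt_dbi - gr_dbi
    return lam / (4.0 * math.pi) * 10.0 ** (-path_gain_db / 20.0)


def scheduled_modulation(snr_db, table=MCS_THRESHOLDS_DB):
    """Highest-order modulation whose threshold is met; None if below all."""
    chosen = None
    for name, threshold in table:
        if snr_db >= threshold:
            chosen = name
    return chosen


def modulation_ring(modulation, tx_power_dbm, freq_hz, noise_dbm,
                    table=MCS_THRESHOLDS_DB):
    """(r_a, r_b): inner and outer radius around Alice consistent with the
    observed modulation. r_b comes from this modulation's own threshold,
    r_a from the next-higher threshold (0 for the highest-order entry)."""
    names = [name for name, _ in table]
    idx = names.index(modulation)
    r_b = friis_distance_m(table[idx][1], tx_power_dbm, freq_hz, noise_dbm)
    if idx + 1 < len(table):
        r_a = friis_distance_m(table[idx + 1][1], tx_power_dbm, freq_hz,
                               noise_dbm)
    else:
        r_a = 0.0
    return r_a, r_b


def ring_area_m2(r_a, r_b):
    """Area of the annulus Eve must still search after phase one."""
    return math.pi * (r_b ** 2 - r_a ** 2)


if __name__ == "__main__":
    # Constructed scenario: 28 GHz, 200 mW (23 dBm), 100 MHz, 7 dB NF.
    freq_hz, tx_dbm = 28e9, 23.0
    noise_dbm = noise_power_dbm(100e6, 7.0)
    bob_distance_m = 15.0
    snr = friis_snr_db(bob_distance_m, tx_dbm, freq_hz, noise_dbm)
    mod = scheduled_modulation(snr)
    r_a, r_b = modulation_ring(mod, tx_dbm, freq_hz, noise_dbm)
    print(f"Bob at {bob_distance_m} m sees {snr:.1f} dB -> {mod}")
    print(f"Observed {mod} implies {r_a:.1f} m <= d <= {r_b:.1f} m "
          f"(search area {ring_area_m2(r_a, r_b):.0f} m^2)")
```

Two points the numbers make explicit: each 10 dB step in the MCS table shrinks the outer radius by a factor of $\sqrt{10}$ regardless of carrier frequency, so coarser MCS tables leak less than fine-grained ones; and the absolute radii scale with Alice's transmit power and the assumed noise floor, which Eve must estimate or guess, so reporting classification accuracy alone understates the ranging error an operator should expect.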
