Finding Phones Fast: Low-Latency and Scalable Monitoring of Cellular Communications in Sensitive Areas

Martin Kotuliak, Simon Erni, Jakub Polák, Marc Roeschlin, Richard Baker, Ivan Martinovic, Srdjan Čapkun

TL;DR

The paper tackles the challenge of real-time monitoring of cellular activity inside sensitive areas to prevent unauthorized communications. It introduces WaveTag, an operator-independent, distributed system that observes initial UL messages (PRACH, RRC, and PUCH) across multiple bands with downlink sniffers, and a central unit that makes geofencing decisions within 2.3 ms of the first signaling event. Through two urban deployments and a 5G SA feasibility study, WaveTag demonstrates high geofencing accuracy (up to 99.66%), low latency, and scalable operation across many cells and operators, supported by a large publicly released dataset collected with COTS modems. The work shows practical impact by enabling rapid, targeted interference or disconnection actions while maintaining low disruption in surrounding areas, and it provides a foundation for broader operator-independent monitoring research in real-world networks.

Abstract

The widespread availability of cellular devices introduces new threat vectors that allow users or attackers to bypass security policies and physical barriers and bring unauthorized devices into sensitive areas. We identify a critical gap in this context: the absence of low-latency systems for high-quality and instantaneous monitoring of cellular transmissions. Such low-latency systems are crucial to allow for timely detection, decision, and disruption of unauthorized communication in sensitive areas. Operator-based monitoring systems, built for purposes such as people counting or tracking, lack real-time capability, require cooperation across multiple operators, and thus are hard to deploy. Operator-independent monitoring approaches proposed in the literature either lack low-latency capabilities or do not scale. We propose WaveTag, the first low-latency and scalable system designed to monitor 5G and LTE connections across all operators prior to any user data transmission. WaveTag consists of several downlink sniffers and a distributed network of uplink sniffers that measure both downlink protocol information and uplink signal characteristics at multiple locations to gain a detailed spatial image of uplink signals. WaveTag then aggregates the recorded information, processes it, and provides a decision about the connection--all done prior to the complete connection establishment of a UE. To evaluate WaveTag, we deployed it in the context of geofencing, where WaveTag was able to determine whether the signals originate from inside or outside of an area within 2.3 ms of the initial base station-to-device message, therefore enabling prompt and targeted suppression of communication before any user data was transmitted. WaveTag achieved 99.66% geofencing classification accuracy. Finally, we conduct a real-world uplink measurement evaluation on a commercial 5G SA network.

Paper Structure

This paper contains 33 sections, 9 figures, 3 tables.

Figures (9)

  • Figure 1: Diagram of a connection establishment procedure between a UE and an xNB.
  • Figure 2: Spectrogram of the LTE uplink for one subframe with all the possible uplink physical channels. The uplink reference signals (RS), which are used for uplink measurements, are highlighted in blue. The X-axis represents the time, and in this figure it spans one subframe, lasting 1 millisecond. The Y-axis represents the frequency; in this case, the uplink channel is 20 MHz wide.
  • Figure 3: In (A), we show a sketch of a deployment with two downlink receivers and six uplink receivers positioned around the sensitive area. The purple triangles on the uplink receivers show the azimuth of the two opposite facing antennas. In (B), we show how the system components interact. First, the downlink receivers detect a new connection on the downlink and inform the UL receivers about it. The UL receivers then measure the corresponding uplink signals. Finally, all measurements are aggregated in the central unit (CU), which makes a decision about the connection. In (C), we show how a concrete wall can be used for improved inside/outside separation of a single uplink receiver unit.
  • Figure 4: Overview of a typical connection on one of the FDD bands with annotated mean processing latencies for end-to-end measurement of PRACH, PUSCH, and PUCCH transmissions. The downlink receiver decodes the RAR and PDSCH messages. The RAR message both informs about the PRACH message 3-13 ms in the past and the PUSCH message 6 ms in the future. Any PDSCH message triggers a corresponding PUCCH message 4 ms later.
  • Figure 5: Measured signal power difference between two ports of a single uplink receiver in a real-world deployment. The color shows the measured signal power difference of an uplink signal transmitted from the corresponding point on the map.
  • ...and 4 more figures