Layer 1 — RF & Air Interface Pentesting (4G/5G)

Overview

The air interface is the radio link between a User Equipment (UE) and a base station (eNodeB in 4G, gNB in 5G). It is the most externally accessible attack surface — no physical access to operator infrastructure required. With a USRP B210 and open-source software stacks, a researcher can both passively observe and actively interact with this layer.

Threat Points

1.1 Passive Channel Monitoring

What it is: Listening to unencrypted broadcast and control channels transmitted by every base station.

Channels exposed:

What can be extracted:

• Cell identities (eCI, PCI, TAC, PLMN/MCC/MNC)
• Paging TMSI values → correlate to subscriber activity
• Timing and frequency parameters for active attack setup

Tools:

• LTE-Cell-Scanner — discovers LTE cells, decodes MIB/SIB
• srsRAN (srsenb passive mode) — full PHY/MAC layer decode
• gr-lte — GNU Radio LTE receiver blocks
• FALCON — real-time LTE control channel decoder (PDCCH → RNTI tracking)
• LTESniffer — open-source LTE downlink sniffer with PDSCH decode

USRP B210 setup:

# Install srsRAN
sudo apt install srsran

# Scan for LTE cells
srslte_cell_search --rf.device_name=uhd --rf.device_args="type=b200"

# Decode MIB/SIB from found cell
srslte_pdsch_ue --rf.dl_earfcn=1575 --rf.device_name=uhd

1.2 IMSI/IMEI Harvesting (Fake Base Station / IMSI Catcher)

What it is: A rogue eNodeB/gNB that forces nearby UEs to attach, triggering identity request procedures that reveal IMSI or IMEI.

How it works:

1. Attacker transmits a stronger signal than the legitimate cell on the same PLMN/EARFCN
2. UE selects the cell with the best signal (standard 3GPP behavior)
3. Attacker sends Identity Request (4G NAS) — legacy UEs respond with IMSI in cleartext
4. In 4G: no mutual authentication before identity response
5. In 5G: SUPI is concealed as SUCI using ECIES — direct IMSI harvest blocked at NAS layer

4G vulnerability:

• NAS Identity Request can request IMSI before authentication
• No cryptographic binding between UE and "real" network at attach start
• Null encryption/integrity (EEA0/EIA0) can be negotiated if eNB offers it

5G mitigation (and its limits):

• SUPI → SUCI concealment (3GPP TS 33.501) prevents cleartext IMSI
• But: IMEI is still sent in cleartext during 5G registration in some flows
• Downgrade to 4G/3G still possible in NSA (Non-Standalone) mode

Tools:

• srsRAN + Open5GS — build a functional fake 4G eNodeB + EPC
• UERANSIM — simulate gNB for 5G SA research
• OpenLTE — lightweight LTE PHY for IMSI catching research
• Osmocom stack — osmo-bts, osmo-msc for 2G/3G IMSI catch

Lab setup (4G fake eNB):

flowchart LR
    USRP["USRP B210"] --> srsENB --> EPC["srsEPC\n(Open5GS MME)"]
    EPC --> NAS["NAS Identity Request"]
    UE["UE attaches"] --> NAS
    NAS --> LOG["IMSI logged"]

Legal note: Transmitting on licensed cellular spectrum without FCC authorization violates 47 U.S.C. § 301. Operating a device that captures subscriber identities (IMSI/IMEI) from third-party devices may additionally violate 47 U.S.C. § 605 (unauthorized interception of radio communications). No "spectrum authority authorization" exists for private parties conducting IMSI-catching on live networks — the only lawful path is a fully isolated lab environment using your own test SIMs and an RF-shielded enclosure (Faraday cage). FCC experimental licenses do not authorize subscriber harvesting from third-party UEs.

1.3 Downgrade Attacks

What it is: Forcing a 5G/4G UE to fall back to 3G/2G to exploit weaker security in older generations.

Why it works:

• 5G NSA (Non-Standalone) requires 4G anchor — inherit 4G weaknesses
• UE chooses strongest available signal — attacker suppresses 4G/5G signal or offers stronger 2G/3G cell
• 2G (GSM) has no mutual authentication, A5/1 cipher is broken
• 3G has known KASUMI weaknesses

Attack flow:

1. Attacker jams or blocks 4G/5G frequencies selectively
2. Or: broadcasts fake 4G cell with system info indicating "no 5G available" (indicating flag in SIB2)
3. UE falls back to 3G/2G
4. Attacker can now perform 2G IMSI catch or intercept with A5/1 cracking

Tools:

• gr-gsm — GSM downlink decoder + active attack support
• Kalibrate-RTL / Kalibrate-USRP — find GSM/UMTS frequencies
• OsmocomBB — low-level GSM phone firmware for active testing
• Custom SIB manipulation via srsRAN patched builds

Legal note: Selectively jamming or blocking 4G/5G frequencies to force a UE to downgrade violates 47 U.S.C. § 333 (prohibition on willful interference with radio communications). This applies regardless of whether the jamming is targeted or broadband. Lab use only — test exclusively on your own devices inside an RF-shielded enclosure.

1.4 Paging Channel Attacks

What it is: Exploiting the LTE/5G paging mechanism to infer UE presence and location.

Attack types:

• Presence detection: Page a TMSI → observe if paging message is broadcast → confirms UE is in that tracking area
• Location tracking: Page same TMSI from multiple cells → triangulate location
• Paging DoS: Flood paging channel to exhaust capacity

What you need:

• Knowledge of a target's TMSI (obtainable from prior passive monitoring or IMSI catcher)
• Ability to send SS7/Diameter queries (requires interconnect access — beyond USRP scope)
• Or: direct NAS paging injection via rogue eNB

Tools: srsRAN patched NAS layer, custom EPC modifications

1.5 RF Jamming / Denial of Service

What it is: Transmitting interference to prevent legitimate UEs from connecting.

Types:

• Broadband noise — disrupts entire band
• Pilot jamming — target PSS/SSS (sync signals) specifically
• PDCCH jamming — disrupt control channel, data still passes but cannot be scheduled
• Random Access jamming — target PRACH to prevent new attaches

Tools: GNU Radio + USRP B210 with custom jamming flowgraphs

Legal note: RF jamming of cellular, Wi-Fi, GPS, or any licensed spectrum is illegal under 47 U.S.C. § 333 for all private parties and state/local law enforcement — no authorization pathway exists for non-federal entities. The FCC has imposed fines of $48,000 against individual users and $34.9 million against companies that marketed jammers (see FCC Enforcement Advisory DA-14-1785). These penalties apply regardless of intent or duration. Any flowgraph implementing jamming must only ever execute inside a fully RF-shielded enclosure with zero signal leakage to live spectrum.

USRP B210 Capability Map for Layer 1

Lab Environment Recommendations

flowchart TB
    FC["Faraday Cage / RF-shielded room"]
    USRP["USRP B210"]
    PC["Host PC — Ubuntu 22.04"]
    STACK["srsRAN (eNB) + Open5GS (EPC/MME)"]
    UE["Test SIM + Android phone\n(target UE — your own device)"]

    FC --- USRP --- PC --- STACK --- UE

Host PC specs:

Recommendation: For USRP B210 + srsRAN real-time LTE/NR, use a dedicated Linux host or VM. macOS is suitable for passive analysis (LTE-Cell-Scanner, FALCON) and the core network side (Open5GS via Docker), but real-time PHY is unreliable on macOS due to USB timing and UHD driver limitations.

Software stack:

# UHD drivers
sudo apt install libuhd-dev uhd-host
uhd_images_downloader

# srsRAN 4G
git clone https://github.com/srsran/srsRAN_4G
cd srsRAN_4G && mkdir build && cd build
cmake .. && make -j$(nproc)
sudo make install

# Open5GS (EPC)
# Follow: https://open5gs.org/open5gs/docs/guide/01-quickstart/

# FALCON (PDCCH decoder)
git clone https://github.com/falkenber9/falcon

Key 3GPP References

Next Layer

→ Layer 2: RRC/NAS Signaling Attacks — authentication bypass, AKA relay, null encryption negotiation, IMSI paging exploitation at the protocol level.