Characterizing Encrypted Application Traffic through Cellular Radio Interface Protocol

TL;DR

This paper shows that 5G radio interface interactions can be passively observed to accurately identify encrypted applications and their types in real-time, revealing a side-channel vulnerability.

Contribution

It introduces a novel method to fingerprint encrypted applications by analyzing 5G physical and MAC layer interactions, demonstrating real-time application identification.

Findings

Radio resource patterns reveal application behavior

Different application categories can be distinguished in real-time

Passive observation can identify specific applications despite encryption

Abstract

Modern applications are end-to-end encrypted to prevent data from being read or secretly modified. 5G tech nology provides ubiquitous access to these applications without compromising the application-specific performance and latency goals. In this paper, we empirically demonstrate that 5G radio communication becomes the side channel to precisely infer the user's applications in real-time. The key idea lies in observing the 5G physical and MAC layer interactions over time that reveal the application's behavior. The MAC layer receives the data from the application and requests the network to assign the radio resource blocks. The network assigns the radio resources as per application requirements, such as priority, Quality of Service (QoS) needs, amount of data to be transmitted, and buffer size. The adversary can passively observe the radio resources to fingerprint the applications. We empirically demonstrate this attack by considering four different categories of applications: online shopping, voice/video conferencing, video streaming, and Over-The-Top (OTT) media platforms. Finally, we have also demonstrated that an attacker can differentiate various types of applications in real-time within each category.