LTESniffer | intercept traffic on 4G LTE networks

[Mr.Quality]

LTESniffer, allows to passively organize (without sending signals over the air) eavesdropping and interception traffic between a base station and a cellular phone in 4G LTE networks, and provides utilities to organize traffic interception and an API implementation to use LTESniffer functionality in third party applications.
One of the key features of LTESniffer is its ability to capture and decode LTE control plane messages. These messages are used by LTE devices to establish and maintain connections to the network and contain important information about the device and the network. By capturing and analyzing these messages, LTESniffer can provide valuable information about the operation of LTE networks and the behavior of LTE devices.
https://github.com/SysSec-KAIST/LTESniffer
Features

• Real-time decoding of outgoing and incoming LTE control channels.


• Support for LTE Advanced (4G) and LTE Advanced Pro (5G, 256-QAM) specifications.


• Support for DCI formats


• Support for data transfer modes: 1, 2, 3, 4.


• Support for frequency division duplex (FDD) channels.


• Support for base stations using frequencies up to 20 MHz.


• Automatic detection of modulation schemes used for incoming and outgoing data (16QAM, 64QAM, 256QAM).


• Automatic detection of the physical layer configuration for each handset.


• LTE security API support: RNTI-TMSI mapping, IMSI collection, profiling.

To intercept traffic only from the base station, a USRP B210 programmable transceiver (SDR) with two antennas, which costs about $2,000, is sufficient.
A more expensive USRP X310 SDR card is required to intercept traffic from the cell phone to the base station with two additional transceivers (the kit costs about $11,000), since passive detection of packets sent by phones requires precise time synchronization between sent and received frames and simultaneous reception of signals in two different frequency bands.