AI & Machine Learning · Jun 16, 2026

Robust and Precise Application Fingerprinting on 5G Physical Uplink Channel

Source: arXiv Security · Archived Jun 16, 2026

[Submitted on 13 Jun 2026]

Yu Li, Liqi Zhuang, Dong Wei, Jiwen Luo, Hang Zhang, Meng Zhang, Xiaona Li, Weiqing Huang

Abstract: Air fingerprinting infers application activity by sniffing metadata from cellular control channels. 5G encrypts these channels, breaking the attack chain that prior attacks depend on. This paper reveals a physical-layer side channel that bypasses encryption: under the link adaptation mandated by the cellular communication standard, the uplink Modulation and Coding Scheme (MCS) remains stable, so the number of Physical Resource Blocks (PRBs) occupied by a transmission accurately reflects the IP packet length. Combined with the uplink control channel that carries downlink information, an attacker can reconstruct a bidirectional traffic profile. This bidirectional information recovery can be achieved simply by observing the uplink spectrum, without decoding any channel.

Building on this side channel, we design Crosshair, a passive three-step attack. First, a blind extraction stage recovers the uplink physical channel occupancy from raw IQ samples via energy detection, reconstructing bidirectional traffic from uplink spectrum. Second, we design a data augmentation method that synthesizes spectral profiles across diverse channel conditions, eliminating the need for prior knowledge of the communication environment. Third, cross-modal alignment embeds the spectral and IP domains into a shared space, enabling new applications to be enrolled from a collected IP trace alone.

Extensive experiments on a 5G NR testbed demonstrate the robustness and precision of Crosshair: it outperforms the State-of-the-Art (SOTA) physical layer fingerprinting method in application recognition accuracy, and maintains high accuracy in cross-MCS scenarios.
Subjects: Cryptography and Security (cs.CR)
Cite as: arXiv:2606.15221 [cs.CR] (or arXiv:2606.15221v1 [cs.CR] for this version)
https://doi.org/10.48550/arXiv.2606.15221
Submission history: From: Yu Li, [v1] Sat, 13 Jun 2026 09:36:34 UTC (5,363 KB)