Robust and Precise Application Fingerprinting on 5G Physical Uplink Channel
arXiv SecurityArchived Jun 16, 2026✓ Full text saved
arXiv:2606.15221v1 Announce Type: new Abstract: Air fingerprinting infers application activity by sniffing metadata from cellular control channels. 5G encrypts these channels, breaking the attack chain that prior attacks depend on. This paper reveals a physical-layer side channel that bypasses encryption: under the link adaptation mandated by the cellular communication standard, the uplink Modulation and Coding Scheme (MCS) remains stable, so the number of Physical Resource Blocks (PRBs) occupie
Full text archived locally
✦ AI Summary· Claude Sonnet
Computer Science > Cryptography and Security
[Submitted on 13 Jun 2026]
Robust and Precise Application Fingerprinting on 5G Physical Uplink Channel
Yu Li, Liqi Zhuang, Dong Wei, Jiwen Luo, Hang Zhang, Meng Zhang, Xiaona Li, Weiqing Huang
Air fingerprinting infers application activity by sniffing metadata from cellular control channels. 5G encrypts these channels, breaking the attack chain that prior attacks depend on. This paper reveals a physical-layer side channel that bypasses encryption: under the link adaptation mandated by the cellular communication standard, the uplink Modulation and Coding Scheme (MCS) remains stable, so the number of Physical Resource Blocks (PRBs) occupied by a transmission accurately reflects the IP packet length. Combined with the uplink control channel that carries downlink information, an attacker can reconstruct a bidirectional traffic profile. This bidirectional information recovery can be achieved simply by observing the uplink spectrum, without decoding any channel. Building on this side channel, we design Crosshair, a passive three-step attack. First, a blind extraction stage recovers the uplink physical channel occupancy from raw IQ samples via energy detection, reconstructing bidirectional traffic from uplink spectrum. Second, we design a data augmentation method that synthesizes spectral profiles across diverse channel conditions, eliminating the need for prior knowledge of the communication environment. Third, cross-modal alignment embeds the spectral and IP domains into a shared space, enabling new applications to be enrolled from a collected IP trace alone. Extensive experiments on a 5G NR testbed demonstrate the robustness and precision of Crosshair: it outperforms the State-of-the-Art (SOTA) physical layer fingerprinting method in application recognition accuracy, and maintains high accuracy in cross-MCS scenarios.
Subjects: Cryptography and Security (cs.CR)
Cite as: arXiv:2606.15221 [cs.CR]
(or arXiv:2606.15221v1 [cs.CR] for this version)
https://doi.org/10.48550/arXiv.2606.15221
Focus to learn more
Submission history
From: Yu Li [view email]
[v1] Sat, 13 Jun 2026 09:36:34 UTC (5,363 KB)
Access Paper:
HTML (experimental)
view license
Current browse context:
cs.CR
< prev | next >
new | recent | 2026-06
Change to browse by:
cs
References & Citations
NASA ADS
Google Scholar
Semantic Scholar
Export BibTeX Citation
Bookmark
Bibliographic Tools
Bibliographic and Citation Tools
Bibliographic Explorer Toggle
Bibliographic Explorer (What is the Explorer?)
Connected Papers Toggle
Connected Papers (What is Connected Papers?)
Litmaps Toggle
Litmaps (What is Litmaps?)
scite.ai Toggle
scite Smart Citations (What are Smart Citations?)
Code, Data, Media
Demos
Related Papers
About arXivLabs
Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)