Finding Phones Fast: Low-Latency and Scalable Monitoring of Cellular Communications in Sensitive Areas

The widespread availability of cellular devices introduces new threat vectors that allow users or attackers to bypass security policies and physical barriers and bring unauthorized devices into sensitive areas. We identify a critical gap in this context: the absence of low-latency systems for high-quality and instantaneous monitoring of cellular transmissions. Such low-latency systems are crucial to allow for timely detection, decision, and disruption of unauthorized communication in sensitive areas. Operator-based monitoring systems, built for purposes such as people counting or tracking, lack real-time capability, require cooperation across multiple operators, and thus are hard to deploy. Operator-independent monitoring approaches proposed in the literature either lack low-latency capabilities or do not scale. We propose WaveTag, the first low-latency and scalable system designed to monitor 5G and LTE connections across all operators prior to any user data transmission. WaveTag consists of several downlink sniffers and a distributed network of uplink sniffers that measure both downlink protocol information and uplink signal characteristics at multiple locations to gain a detailed spatial image of uplink signals. WaveTag then aggregates the recorded information, processes it, and provides a decision about the connection--all done prior to the complete connection establishment of a UE. To evaluate WaveTag, we deployed it in the context of geofencing, where WaveTag was able to determine whether the signals originate from inside or outside of an area within 2.3 ms of the initial base station-to-device message, therefore enabling prompt and targeted suppression of communication before any user data was transmitted. WaveTag achieved 99.66% geofencing classification accuracy. Finally, we conduct a real-world uplink measurement evaluation on a commercial 5G SA network.