transmit signals in the targeting frequency band so that they cannot be applied to cellular-based attacks, as it is against FCC regulations to transmit interfering signals in the licensed band.

III. ATTACK SCENARIO AND LTE BACKGROUND

In this section, we first present the attack scenario of our system. We then introduce the background of the LTE system and discuss its protocol design with a focus on downlink Cell-Specific Reference Signals (CRS).

A. Attack Scenario

We consider an attack scenario where the adversary attempts to infer the PIN code of a user when he/she inputs it on an ATM or a smart lock door. The adversary may not have direct access to the target, but can deploy equipment at a distance of 5∼15 meters, e.g., from a building across the road or behind a nearby wall. We assume that there is at least one LTE base station within a distance of 150 meters to the victim. The LTE coverage could be provided by a macro-cell or an indoor small cell. This requirement can usually be fulfilled in most urban areas. By passively listening to the LTE signal reflected by the victim, the adversary may infer the PIN input by the victim using a probability model.

B. LTE Primer

We give a brief introduction to the LTE signal format and show how LTE signals form a time-frequency grid that can be used for human activity monitoring. Note that the 5G cellular system uses a similar OFDM modulation scheme and frame structure as in the LTE system. Therefore, most of the following discussion applies to both 4G and 5G systems.

Time Domain: In the time domain, LTE BSs transmit radio frames that have a fixed duration of 10 ms. Each frame contains ten subframes with a duration of 1 ms and each subframe contains two slots of 0.5 ms. Depending on the configuration of the BS, each slot consists of six (in case of extended cyclic prefix) or seven (in case of normal cyclic prefix) OFDM symbols which have durations of 66.67 µs.

Frequency domain: In the frequency domain, the OFDM symbol contains a series of subcarriers with a frequency interval of $\Delta f = 15$ kHz, as in Figure 2(b). The commonly used bandwidths for LTE signals are 5, 10 and 20 MHz, which consist of 300, 600, and 1200 subcarriers, respectively.

Time-Frequency Grid: The radio resources in LTE are scheduled in units called Resource Blocks (RBs), each of which consists of $N_{SC}^{RB} = 12$ subcarriers in the frequency domain and lasts one slot (0.5 ms) in the time domain, as in Figure 2(c). The LTE BS transmits the Cell-Specific Reference Signal (CRS) in all downlink RBs. The CRS is transmitted at four different locations in each RB with two CRS separated by six subcarriers in each of the two predefined symbols, as in Figure 2(c). Therefore, the CRS forms a dense time-frequency grid at fixed time and frequency intervals. For example, a Time Division Duplex (TDD) base station that has $N_{RB}^{DL} = 100$ RBs (20 MHz bandwidth) will transmit CRS at 200 different subcarriers on two symbols in each slot (0.5 ms). Figure 2(d) shows the CRS grid captured from a commercial TDD base station. Note that for TDD, there are some time slots reserved for uplink so that the BS does not transmit in these slots. In our experiments, the BS transmits in 14 slots in the 20 slots of each frame so that the CRS is sent in 2,800 symbols (100 frames × 14 slots × 2 symbols) per second, and 200 subcarriers (100 RB × 2 subcarriers) per symbol.

[Figure 2. Illustration of the time-frequency grid of LTE reference signals. (a) Time domain: frames, subframes, slots and symbols. (b) Frequency domain: subcarriers and resource blocks. (c) Each slot contains $N_{RB}^{DL}$ RBs; each RB contains 12 subcarriers in the frequency domain, and 0.5 ms in the time domain. (d) CRS (shown as small dots) and PSS/SSS for a commercial TDD base station (subcarriers around the DC subcarrier).]

C. CRS as a Side Channel

In LTE systems, the User Equipments (UEs), e.g., mobile phones, use the CRS to estimate the Channel Frequency Response (CFR) of the downlink channel. The transmitted value of CRS is predefined in the LTE protocol [39] and determined by the Physical Cell ID (PCI) and slot number. Suppose that the BS transmits S(f, t) on a given subcarrier f at a given time t
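
The CRS grid geometry from the LTE Primer above, as an added example that is not part of the paper: it lays out the antenna-port-0 CRS positions using the mapping rule of 3GPP TS 36.211 (an assumption brought in here, since the page gives only the counts) and reproduces the page's figures of 200 subcarriers per symbol and 2,800 symbols per second. The PCI value 301 is constructed; the 14-of-20 downlink slot count is the one quoted from the paper's experiments.

```python
# Added illustration (not from the paper): CRS grid geometry for antenna port 0.
# Position rule assumed from 3GPP TS 36.211 (cell-specific reference signals);
# the PCI and the downlink slot count are caller-supplied inputs.

SUBCARRIERS_PER_RB = 12      # N_SC^RB on the page
SLOTS_PER_FRAME = 20         # 10 subframes x 2 slots
FRAMES_PER_SECOND = 100      # 10 ms frames


def crs_symbols(normal_cp=True):
    """OFDM symbol indices within a slot that carry port-0 CRS."""
    n_symb = 7 if normal_cp else 6
    return [0, n_symb - 3]


def crs_subcarriers(n_rb, pci, symbol, normal_cp=True):
    """Subcarrier indices k = 6m + (v + v_shift) mod 6 for port 0."""
    if symbol not in crs_symbols(normal_cp):
        return []                      # no CRS on this symbol
    v = 0 if symbol == 0 else 3        # second CRS symbol is offset by 3
    v_shift = pci % 6                  # cell-specific frequency shift
    return [6 * m + (v + v_shift) % 6 for m in range(2 * n_rb)]


def grid_summary(n_rb, pci, dl_slots_per_frame, normal_cp=True):
    """Counts a downlink receiver sees per second for this cell."""
    if not 0 <= dl_slots_per_frame <= SLOTS_PER_FRAME:
        raise ValueError("downlink slots per frame must be in 0..20")
    if not 0 <= pci <= 503:
        raise ValueError("PCI must be in 0..503")
    syms = crs_symbols(normal_cp)
    per_symbol = len(crs_subcarriers(n_rb, pci, syms[0], normal_cp))
    symbols_per_s = FRAMES_PER_SECOND * dl_slots_per_frame * len(syms)
    return {
        "total_subcarriers": n_rb * SUBCARRIERS_PER_RB,
        "crs_subcarriers_per_symbol": per_symbol,
        "crs_symbols_per_second": symbols_per_s,
        "crs_samples_per_second": per_symbol * symbols_per_s,
    }


if __name__ == "__main__":
    # Constructed inputs: 20 MHz cell (100 RBs), arbitrary PCI 301,
    # 14 downlink slots per frame as stated in the paper's experiments.
    print(grid_summary(100, 301, 14))
    print(crs_subcarriers(100, 301, 0)[:4], crs_subcarriers(100, 301, 4)[:4])
```

Within one RB the two CRS on a symbol sit six subcarriers apart, and the second CRS symbol is offset by three subcarriers from the first, which is what makes the grid dense in both time and frequency.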