Implementation and Evaluation of a Smart Uplink Jamming Attack in a Public 5G Network

In this paper, we present a hardware implementation and an evaluation of the effectiveness and feasibility of a smart jamming attack that targets specific uplink physical channels to destabilize 5G communication systems. Using software defined radio (SDR), we examine the susceptibility of the 5G Physical Uplink Shared Channel (PUSCH) to a smart jamming attack as well as the impact of such an attack on user equipment (UE) throughput. The smart jamming attack is designed to exploit the radio access procedure by: 1) identifying the user’s cell radio network temporary identifier (C-RNTI); 2) decoding the physical downlink control channel (PDCCH) information containing the specific UE resources; and 3) generating a quadrature phase shift keying (QPSK) modulated Orthogonal Frequency-Division Multiplexing (OFDM) waveform to effectively deny uplink access. A detailed description of the implementation of the overall testbed used to evaluate and quantify the effectiveness of the custom implementation of a smart jamming attack is presented in this paper. The evaluation results show that the smart jamming attack successfully denied uplink access by reducing the throughput of a specific UE by 100%.


I. INTRODUCTION
Fifth generation (5G) cellular systems are critical technologies that support society via numerous services and applications over a rapidly increasing number of ultralow latency, high-speed connections [1], [2], [3]. This is especially true for several vertical markets such as energy, healthcare, public safety, and transportation, which are increasingly becoming dependent on reliable 5G for daily operations [4], [5], [6]. However, the use of commercial mobile communication networks by these applications and services makes them susceptible to attacks by malicious third parties attempting to access or disrupt the network operations. Unauthorized access by a malicious third party can lead to attacks that can significantly affect network functionality (e.g., generate service outages by disrupting a smart power grid's 5G management network) or compromise data privacy.
The associate editor coordinating the review of this manuscript and approving it for publication was Olutayo O. Oyerinde.
Smart jamming attacks are a significant threat to critical infrastructure because they exploit protocol flaws, require minimal power, and can covertly target specific devices and frequency bands [9]. Smart jamming attacks disrupt and disable wireless communication systems by learning the physical layer parameters and network timing in order to focus energy on specific physical channels. Because the energy is placed so precisely, the transmit power needed is small, which also makes these attacks difficult to detect. The current literature has explored the vulnerability of 5G networks to smart jamming attacks in addition to mitigation strategies. For example, the work of [10] conducts an in-depth review of smart jamming attacks and vulnerabilities in the 5G New Radio (NR) architecture, as well as recommended mitigation strategies such as machine learning techniques and direct sequence spread spectrum. However, computational complexity and insufficient data can make these mitigation techniques difficult to realize in practice. Research has also revealed the vulnerabilities of 5G wireless networking to smart jamming attacks, yielding denial of service (DoS) scenarios, and to sniffing and spoofing attacks, which can be used to obtain user information and disable network communications [11], [12].
Overall, the smart jamming attacks presented in the open literature focus on both learning and exploiting specific physical layer parameters of the 5G network to disable the network as a whole. For example, it was shown that a smart jammer can target the Physical Broadcast Channel (PBCH), yielding user service denial because the PBCH carries critical information that allows users to connect to the network [13]. Smart jammers can also disable network operations by targeting the Physical Downlink Control Channel (PDCCH) by intercepting and decoding the Control Resource Set (CORESET), as well as by targeting the Physical Random-Access Channel (PRACH), which contains synchronization parameters and allocation resources [10]. In general, these smart jamming attacks focus on disabling the entire network by jamming specific physical layer parameters. However, the current open literature does not provide any insights into how smart jamming attacks can be used to learn about specific user location information to subsequently jam their uplink transmissions.
In a wireless network, most user information or data are stored anonymously to maintain user privacy. However, current research efforts have focused on methods for de-anonymizing user data by identifying techniques to affix identifying labels to data elements [14], e.g., location and mobility traces [15], [16], [17], although techniques that use location and mobility traces require large data sets or a means to associate location data with a fixed label. The work of [14] revealed that it is possible for passive bystanders to receive and process Downlink Control Information (DCI) by determining the corresponding Cell-Radio Network Temporary Identifier (C-RNTI), which provides them with access to user specific information. Despite being able to successfully and efficiently determine the C-RNTI, this method was only implemented in simulation and provides minimal flexibility as the decoding process is only valid for specific configurations. Note that approaches for exploring the de-anonymization of user information to gain access to the DCI such that it can be exploited by smart jamming attacks to target and disable specific 5G network users have not been studied in the open literature.
Overall, there exist several challenges on how smart jamming attacks can leverage the de-anonymization of user information to disrupt 5G network communications: (i) Current de-anonymization attacks lack flexibility and require large data sets, which is impractical for 5G wireless networks [14], [15], [16], [17]. (ii) Current smart jamming attacks exploit vulnerabilities in the 5G NR architecture and do not target specific users within a network but rather disable all network communications [10], [11], [12], [13]. (iii) De-anonymization of user information has not been implemented in a real-time 5G wireless network [9], [14].
In this paper, we address these challenges and reveal the vulnerabilities of the 5G NR architecture via the design and development of a custom real-time prototype implementation of a smart jamming attack using software defined radio (SDR) technology that de-anonymizes user information and targets the user's uplink transmission. The main contributions of this paper can be summarized as follows: (i) An efficient and flexible method for identifying the C-RNTI and decoding the DCI of specific users in a real-time 5G wireless network. (ii) Design of a smart jammer that learns the resource allocation of specific users and issues attacks on the Physical Uplink Shared Channel (PUSCH). (iii) Real-time implementation and evaluation of the smart jammer using both wired and over-the-air (OTA) media. The remainder of this paper is organized as follows: Section II provides an overview of the aspects of the 5G NR physical layer as well as a survey of attacks on existing vulnerabilities. In Section III, we introduce the proposed method for identifying the resource allocation of specific users and jamming the PUSCH. Section IV introduces the implementation of the smart uplink jammer in both hardware and software. Section V describes the testbed architecture and implementation process developed to evaluate the performance of the smart uplink jammer. Sections VI and VII describe the real-time experiments conducted using both wired and OTA media as well as the results of the experiments. The paper concludes with several final observations and remarks in Section VIII.

II. OVERVIEW OF THE 5G NR PHYSICAL LAYER AND EXISTING VULNERABILITIES
This section provides a brief description of the 5G NR physical layer components that are relevant to this work, as specified in [18], [19], [20], [21], and [22], and describes the relevant physical layer vulnerabilities and possible attacks.
A. 5G NR FRAME STRUCTURE AND PHYSICAL CHANNELS
Smart jamming attacks learn physical (PHY) layer parameters and network timing with the objective of disabling wireless communication systems by focusing energy on specific physical channels. Therefore, it is important to understand the structure of the 5G NR PHY layer as it can be exploited during a smart jamming attack. The specifications for the PHY layer of 5G wireless communication systems were first released by 3GPP in June 2018 and encompass modulation, waveforms, multi-antenna transmission, channel coding, frame structure, duplexing schemes, and control and reference signals [19], [20], [21], [22]. According to the 3GPP terminology, devices on the network are referred to as user equipment (UE) and the base station is denoted as a next generation Node B (gNB), which is an implementation of a logical radio access network node. The gNB can be realized in different ways based on the standardized gNB protocol. The specification utilizes orthogonal frequency-division multiplexing (OFDM), which is a digital multi-carrier modulation scheme that transmits data as a combination of orthogonal narrowband signals called subcarriers [23]. The specifications released by 3GPP describe a scalable OFDM numerology ($\mu$) which enables diverse services over a wide range of frequencies and deployments [19]. Feasible subcarrier spacings are $15\,\text{kHz} \times 2^{\mu}$ and are currently specified from 15 kHz to 960 kHz [24]. For the 60 kHz subcarrier spacing, an extended cyclic prefix (CP) is additionally specified; the choice of CP is determined by the deployment type, with its delay spread requirements, frequency band, service type, and use of beamforming [25].
The physical time-frequency resources correspond to OFDM symbols and subcarriers. As depicted in Figure 1, a resource element is the smallest physical time-frequency resource, consisting of one subcarrier in one OFDM symbol [26]. A physical resource block (PRB) consists of 12 subcarriers. The entire radio transmission in 5G is organized into radio frames, subframes, and slots. The duration of the radio frame is 10 ms and it contains 10 subframes with a duration of 1 ms each. The numerology ($\mu$) determines the number of slots per frame ($N_{\text{slot}}^{\text{frame},\mu}$) and the number of slots per subframe ($N_{\text{slot}}^{\text{subframe},\mu}$) [19]. With a normal CP, each slot consists of $N_{\text{symb}}^{\text{slot}} = 14$ OFDM symbols. The physical time-frequency resources which carry information transmitted between the PHY layer and the medium access control (MAC) layer are known as physical channels. For downlink transmissions, there are three physical channels used: the Physical Downlink Shared Channel (PDSCH) carrying user data; the Physical Downlink Control Channel (PDCCH) carrying downlink control information (DCI), which contains the scheduling decisions required for the reception of downlink data and the scheduling grants that give the UE permission to transmit uplink data, as well as configuration information such as HARQ re-transmissions, link adaptation, and MIMO; and the Physical Broadcast Channel (PBCH) carrying UE network access information by broadcasting system information known as the master information block (MIB). This work focuses on decoding the DCI in the PDCCH to obtain the scheduling information of each UE in the network.
Furthermore, downlink transmissions utilize several types of reference signals: Primary and Secondary Synchronization Signals (PSS and SSS) that form the Synchronization Signal Block (SSB) and are used by the UEs to receive radio frame timing information and the cell ID; Demodulation Reference Signals (DM-RS) that are used for channel estimation for demodulation and retrieval of physical channels; Phase Tracking Reference Signals (PT-RS) that enable compensation of the oscillator phase noise; Channel State Information Reference Signals (CSI-RS) that are used for CSI acquisition and link adaptation.
Uplink transmissions utilize three different physical channels: the Physical Uplink Shared Channel (PUSCH) which is used for uplink data transmission from the UE; the Physical Uplink Control Channel (PUCCH) which contains uplink control information including HARQ feedback acknowledgements, scheduling requests, and CSI for link adaptation; and the Physical Random Access Channel (PRACH) which is used by the UE to initiate a connection request. For uplink transmissions, the reference signals include the DM-RS and PT-RS, which are similar to those used in downlink transmissions, as well as Sounding Reference Signals (SRS), which also perform similar objectives as the CSI-RS used in downlink transmissions.

B. 5G NR PHYSICAL LAYER VULNERABILITIES AND POSSIBLE ATTACK VECTORS
The physical channels of 5G wireless networks contain vulnerabilities that can be exploited to disable network operations. Jamming attacks can be used to target these vulnerabilities. Possible attack vectors include the following.

Synchronization Attack: In 5G NR wireless networking, the SSB contains the PSS, SSS, and PBCH, which are used during cell search operations for the UE to obtain the required information to gain access to the cell. The mapping of the PSS and SSS to the downlink resource grid depends on the cell subcarrier spacing, the carrier frequency, and the parameter offset-ref-low-scs-ref-PRB [12], [19]. A jammer can be designed to target the PSS or SSS by synchronizing to the cell in time and identifying the subcarrier spacing, thereby preventing the UE from receiving synchronization signals and gaining access to the network [10], [13], [19], [27], [28], [29].

Reference Signal Attack: There are several reference signals (RSs) specified for 5G NR, including DM-RS, PT-RS, and CSI-RS. The reference signal most vulnerable to jamming attacks is the DM-RS, as it resides in the same location in every frame and can easily be identified with knowledge of the cell ID and PBCH. A jammer capable of targeting the DM-RS will disable all UE communications [13], [27], [28], [30], [31].

Physical Broadcast Channel (PBCH) Jamming: The PBCH is transmitted in the same slots as the PSS and SSS, and the symbols dedicated to the PBCH are within two slots if the carrier is below 3 GHz and within four slots if the carrier is above 3 GHz [10], [12]. A jammer designed to target the PBCH will have a lower duty cycle as the subcarrier spacing is increased, owing to the smaller slot duration. The MIB is carried on the PBCH and contains what is known as the minimum system information that the UE needs to access the cell. Therefore, if a jammer targets the PBCH, the UEs will be unable to access the cell, disrupting network operations [10], [12], [32], [33], [34].

Physical Downlink Control Channel (PDCCH) Jamming and Physical Uplink Control Channel (PUCCH) Jamming:
The PDCCH is used to send downlink control information (DCI) containing scheduling information and transmission permissions to the UEs. The control resource set (CORESET) contains parameters that dictate the location in frequency and time of the PDCCH in the resource grid, as it can appear on any subcarrier and has a duration of one, two, or three OFDM symbols. The PDCCH always appears in the first symbol of each slot, is QPSK modulated, and uses polar coding [19]. A jammer designed to target the PDCCH must decode the CORESET and target all locations where the PDCCH resides. A jammer capable of targeting the PDCCH disrupts network operations by preventing the UEs from receiving the scheduling information required for uplink transmissions [10], [12], [28], [35]. The PUCCH contains control information from the UE, has five different formats, is capable of intra-slot hopping, and uses polar coding or repetition coding as the error coding scheme. A jammer that targets the PUCCH blocks the gNB from receiving uplink control information from the UE and can result in misinterpretation of received signals and a reduction in uplink and downlink throughput [36].

Physical Downlink Shared Channel (PDSCH) and Physical Uplink Shared Channel (PUSCH) Jamming: The PDSCH and the PUSCH are used for the transmission of user data between the gNB and UE. These channels comprise the majority of the available resources in the frame for uplink and downlink transmissions. By targeting either the PDSCH or PUSCH, the jammer can disrupt network operations by preventing the UEs and gNB from receiving user data, resulting in a denial of service [9], [12], [36].

UE Targeted Uplink Jamming: The PDCCH is used to send the DCI, which contains the scheduling decisions for the UEs. A DCI decoder can determine the resource blocks for a specific UE via its Radio Network Temporary Identifier (RNTI), which can be obtained via de-anonymization [9], [14]. The implementation and evaluation of this jamming attack are described in this work.

III. 5G NR SMART UPLINK JAMMING: CONCEPT AND IMPLEMENTATION
This section discusses the approaches used to develop and implement a jammer capable of targeting specific UEs on a 5G network. The de-anonymization method used to identify the C-RNTI and decode the DCI is detailed in this section. To initiate communication between the gNB and a UE operating on the network, the gNB sends the SSB, which contains the synchronization signals and the PBCH, so that the UE can synchronize with the cell and obtain system information. The jammer decodes the same information to synchronize with the cell. The gNB and the UE then carry out the random access procedure, in which the UE is assigned a C-RNTI and receives a scheduling grant. The jammer identifies the C-RNTI of the UE and decodes the PDCCH and the DCI to identify the resource blocks assigned to the UE. The jammer then transmits on top of the UE's assigned resource blocks, disrupting network operations.

A. 5G NR SMART UPLINK JAMMING CONCEPTS
The overall goal of our smart uplink jammer is to disrupt the 5G NR PUSCH of the target UE operating on a network. The smart uplink jammer conducts the attack by synchronizing with the cell, identifying the target UE's C-RNTI, decoding the PDCCH and DCI containing the UE's time and frequency allocation, and transmitting on the resource blocks originally assigned to the target UE. A smart uplink jamming attack is structured as shown in Figure 2.
The first objective of the jammer, in launching a smart uplink jamming attack, is to synchronize with the cell, which means that frame synchronization must be acquired. The method for acquiring frame synchronization was derived by analyzing the processes used by UEs to recover system information and synchronize with the cell. System information is contained in both the MIB and System Information Block 1 (SIB1) and is transmitted by the gNB periodically using the SSB, which consists of the PSS, SSS, and PBCH. The structure of the SSB is independent of numerology, as shown in Figure 3. The PSS is a physical-layer-specific sequence that allows the UEs to acquire the radio frame boundary and detect the cell ID sector ($N_{\text{ID}}^{(2)}$) [37]. The PSS occupies 127 subcarriers and is always allocated to the first symbol of the SSB. There are three possible PSS sequences, selected by $N_{\text{ID}}^{(2)}$ [38]. The SSS allows the UEs to acquire the cell ID group ($N_{\text{ID}}^{(1)}$), also occupies 127 subcarriers, is allocated to the third symbol of each SSB, and for a given $N_{\text{ID}}^{(2)}$ can be one of 336 possible sequences, determined jointly by $N_{\text{ID}}^{(2)}$ and $N_{\text{ID}}^{(1)}$. To access the above information, the UE starts what is known as the cell search procedure, in which it utilizes the PSS and SSS to estimate and correct the frequency and time offsets. By decoding the PSS, the UE identifies $N_{\text{ID}}^{(2)}$, which can be used to decode the SSS and identify $N_{\text{ID}}^{(1)}$, allowing the UE to compute the serving cell ID ($N_{\text{ID}}^{\text{cell}} = 3N_{\text{ID}}^{(1)} + N_{\text{ID}}^{(2)}$). The UE can then recover the MIB from the PBCH, decode the corresponding DCI, and finally recover SIB1 [39].
After analyzing the synchronization process and the cell search procedure performed by UEs in a 5G network, it was determined that for the jammer to synchronize with the frame it only needs to identify $N_{\text{ID}}^{(2)}$ from the PSS, which can be done by correlating the received waveform with the three possible PSS sequences and extracting the strongest correlation peak. The PSS sequence can then be used by the receiver as a reference to estimate the timing offset to the strongest SSB and synchronize in time with the frame.
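The PSS search described above, as an added worked example (not the paper's MATLAB/C code): it generates the three PSS m-sequences of TS 38.211 §7.4.2.2.1, slides each over a captured buffer, and keeps the strongest correlation peak, which yields both $N_{\text{ID}}^{(2)}$ and the timing offset. For brevity it is assumed that the buffer holds the BPSK sequence values directly rather than OFDM time-domain samples, so the recovered lag is an index in the sequence domain; the capture itself is constructed (noise plus one embedded PSS) rather than recorded from a gNB.

```python
"""N_ID^(2) and timing detection from the PSS: the jammer's first step.

Added example, not the paper's code.  Builds the three PSS sequences of
TS 38.211 s7.4.2.2.1 and correlates each against a capture.  Assumption:
the capture holds the BPSK sequence values directly (no OFDM modulation),
so the lag is a sequence-domain index rather than a sample-level offset.
"""
import random
from typing import List, Tuple

PSS_LEN = 127


def pss_sequence(n_id2: int) -> List[int]:
    """d_PSS(n) = 1 - 2*x((n + 43*N_ID^(2)) mod 127), TS 38.211 s7.4.2.2.1."""
    if n_id2 not in (0, 1, 2):
        raise ValueError("N_ID^(2) must be 0, 1 or 2")
    # Spec initial state [x(6) ... x(0)] = [1 1 1 0 1 1 0], stored as x(0..6).
    x = [0, 1, 1, 0, 1, 1, 1]
    for i in range(PSS_LEN - 7):
        x.append((x[i + 4] + x[i]) & 1)      # x(i+7) = (x(i+4) + x(i)) mod 2
    return [1 - 2 * x[(n + 43 * n_id2) % PSS_LEN] for n in range(PSS_LEN)]


def detect_pss(rx: List[float]) -> Tuple[int, int, float]:
    """Return (N_ID^(2), lag, |peak|) of the strongest PSS correlation in rx.

    This is the search run over a capture known to contain at least one SSB;
    the paper uses 20 ms for the initial search and one slot afterwards.
    """
    if len(rx) < PSS_LEN:
        raise ValueError("capture shorter than one PSS sequence")
    best = (-1, -1, float("-inf"))
    for n_id2 in range(3):
        ref = pss_sequence(n_id2)
        for lag in range(len(rx) - PSS_LEN + 1):
            corr = abs(sum(r * rx[lag + k] for k, r in enumerate(ref)))
            if corr > best[2]:
                best = (n_id2, lag, corr)
    return best


def make_capture(n_id2: int, offset: int, length: int = 1000,
                 noise_std: float = 0.7, seed: int = 7) -> List[float]:
    """Constructed test input: Gaussian noise with one PSS placed at `offset`."""
    if offset < 0 or offset + PSS_LEN > length:
        raise ValueError("PSS does not fit in the capture")
    rng = random.Random(seed)
    rx = [rng.gauss(0.0, noise_std) for _ in range(length)]
    for k, v in enumerate(pss_sequence(n_id2)):
        rx[offset + k] += v
    return rx


if __name__ == "__main__":
    capture = make_capture(n_id2=1, offset=300)
    print(detect_pss(capture))   # N_ID^(2) = 1 at lag 300, peak close to 127
```

Because the three PSS sequences are cyclic shifts of one m-sequence, a reference with the wrong $N_{\text{ID}}^{(2)}$ correlates to about $-1$ at the true position, which is why a single peak search over all three references is enough to decide both the sector and the timing.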
Once the jammer achieves frame synchronization, its next objective is to decode the DCI by capturing the PDCCH. The DCI is encoded and scrambled with a scrambling sequence that is initialized using the cell ID or a UE-specific scrambling identity together with the UE-specific C-RNTI [22]. Therefore, it is necessary to identify a method for de-anonymizing this user-specific information. A novel de-anonymization method was developed, in which polar decoding is used to generate unique bit sequence fingerprints that correspond to UE-specific scrambling sequences. The C-RNTIs of all UEs operating on the network can be identified from the scrambling sequences. The unique bit sequence fingerprint is generated using a polar decoding lattice in which the scrambled DCI bits are XOR'd with a frozen bit, i.e., a bit value of zero. An example of the implementation and use of the polar decoding lattice is shown in Figure 4. In this example, F denotes the frozen bit, $U_n$ denotes the $n$th data bit, and $X_n$ denotes an unknown bit value. Focusing on $U_1$, it can be seen that the bit value of $U_1$ is unknown, but can be identified by traversing the polar lattice. After traversing the polar lattice, an equation (see Figure 4) is generated that is always valid (both sides of the equation are equal) if there are no errors in the received waveform. If the resulting equation is valid, it is assigned a bit value of one; if it is invalid, it is assigned a bit value of zero. This process is repeated until a unique sequence of 32 bits is generated. The unique 32-bit sequence is considered a fingerprint that has a corresponding scrambling sequence consisting of a combination of the cell ID and UE-specific C-RNTI. It is important to note that the bit length of the fingerprint depends on the list length, the number of data bits, and the aggregation level of the PDCCH.
Using the identified de-anonymization method, a syndrome table was created that consists of all unique 32-bit sequences, the corresponding scrambling sequences, and the C-RNTIs. Figure 5 depicts the process used to create the syndrome table. First, a random DCI was created according to the 5G NR specifications. A cyclic redundancy check (CRC) was appended to the end of the DCI. The CRC was scrambled using a known C-RNTI and the resulting CRC bits were interleaved with the DCI. Next, frozen bits were inserted to prepare for polar encoding, after which sub-block interleaving occurred. The result of the sub-block interleaving was then scrambled with the scrambling sequence, which is a combination of the known cell ID and C-RNTI. The scrambled DCI then underwent sub-block deinterleaving before traversing the polar lattice used to generate the 32-bit fingerprint. Finally, the 32-bit fingerprint was recorded along with the corresponding scrambling sequence and C-RNTI. This process was repeated for all possible scrambling sequences. The polar lattice of Figure 4 is used in the step denoted ''Traverse Polar Lattice'', in which a 32-bit fingerprint is obtained. The scrambling sequence that corresponds to that 32-bit fingerprint is then extracted from the syndrome table and used to descramble the DCI. It is important to note that the DCI is re-encoded with the identified scrambling sequence, and the received DCI and the re-encoded DCI are compared to ensure that the scrambling sequence is correct. The rate of occurrence of each C-RNTI is also calculated to ensure that noise does not result in an erroneous C-RNTI.

FIGURE 5. This flowchart depicts the process that was used to create the syndrome table that contains all possible scrambling sequences and the corresponding 32-bit fingerprints. The syndrome table is used to look up the scrambling sequence of the corresponding 32-bit fingerprint that is obtained using the polar lattice. The identified scrambling sequence is then used to descramble the DCI.
The syndrome table is utilized by the jammer to match 32-bit fingerprints to C-RNTIs, which can then be used to descramble the DCI and obtain the time and frequency resource allocation of specific UEs. The DCI is transmitted over the PDCCH, which is extracted from the received waveform as shown in Figure 6, which depicts the process developed to descramble the DCI and extract the corresponding C-RNTI. After the PDCCH bits are extracted from the received waveform, sub-block deinterleaving occurs so that the DCI candidate can be extracted. The 32-bit fingerprint for the DCI candidate is then found using the polar lattice, and the corresponding scrambling sequence is identified from the syndrome table. The identified scrambling sequence is used to descramble the DCI. Following descrambling, the DCI undergoes polar decoding, removal of the frozen bits, and CRC deinterleaving to obtain the decoded DCI with the masked CRC [40]. It is assumed that there are no errors, so the CRC remainder itself is zero and what remains in the masked CRC bits is the C-RNTI; this leaves the decoded DCI and its associated C-RNTI. The DCI is then re-encoded using the identified scrambling sequence to verify that the correct scrambling sequence was selected. If the received DCI and the re-encoded DCI are the same, the C-RNTI is recorded. It is important to note in Figure 6 that the rate at which each unique C-RNTI occurs is also recorded.

FIGURE 7. Software flowchart depicting the frame synchronization process. It is important to note that for initial frame synchronization the PSS search has no reference of where the SSB is located and therefore inspects two radio frames of received data to identify the location of the SSB. However, after initial frame synchronization is achieved, the initial SSB location is known and therefore the PSS search inspects only a slot-sized amount of the received data.
This ensures that noise does not erroneously result in a valid scrambling sequence and 32-bit fingerprint and that the obtained scrambling sequence and C-RNTI correspond to a specific UE operating on the network. This process is repeated for all the PDCCH candidates received by the jammer.
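The two places at which the C-RNTI enters the PDCCH chain, and the re-encode-and-compare verification described above, as an added worked example (not the paper's code). The paper avoids a search by looking up a polar-lattice fingerprint in its syndrome table; the block below shows the brute-force form of the same check instead: the last 16 bits of the DCI's CRC24C are masked with the RNTI (TS 38.212 §7.3.2), and the coded bits are scrambled with a Gold sequence seeded by $c_{\text{init}} = (n_{\text{RNTI}} \cdot 2^{16} + n_{\text{ID}}) \bmod 2^{31}$ (TS 38.211 §7.3.2.3). Two simplifications are assumed: UE-specific scrambling with $n_{\text{RNTI}}$ equal to the C-RNTI is configured (in the common search space $n_{\text{RNTI}} = 0$ and only the CRC mask carries the RNTI), and polar coding, rate matching and CRC interleaving are omitted so that scrambling acts directly on the CRC-attached bits. The DCI payload, RNTI and cell ID are constructed values.

```python
"""Recovering a C-RNTI from a PDCCH block by descramble-and-check.

Added example, not the paper's code.  Assumptions: UE-specific scrambling
with n_RNTI = C-RNTI, and no polar coding / rate matching / CRC interleaving
between CRC attachment and scrambling.
"""
from typing import Iterable, List

CRC24C_POLY = 0x1B2B117   # D^24+D^23+D^21+D^20+D^17+D^15+D^13+D^12+D^8+D^4+D^2+D+1
RNTI_MASK_BITS = 16


def crc24c(bits: List[int]) -> List[int]:
    """Remainder of a(D)*D^24 modulo g_CRC24C(D), TS 38.212 s5.1, MSB first."""
    reg = 0
    for b in bits + [0] * 24:            # multiply by D^24, then long-divide
        reg = (reg << 1) | b
        if reg & (1 << 24):
            reg ^= CRC24C_POLY
    return [(reg >> i) & 1 for i in range(23, -1, -1)]


def attach_masked_crc(dci: List[int], rnti: int) -> List[int]:
    """TS 38.212 s7.3.2: CRC over 24 leading ones + DCI; last 16 bits XOR RNTI."""
    crc = crc24c([1] * 24 + dci)
    mask = [(rnti >> i) & 1 for i in range(RNTI_MASK_BITS - 1, -1, -1)]
    tail = 24 - RNTI_MASK_BITS
    crc[tail:] = [c ^ m for c, m in zip(crc[tail:], mask)]
    return dci + crc


def gold_sequence(c_init: int, length: int) -> List[int]:
    """Generic length-31 Gold sequence c(n) of TS 38.211 s5.2.1 (Nc = 1600)."""
    nc = 1600
    x1 = [1] + [0] * 30
    x2 = [(c_init >> i) & 1 for i in range(31)]
    for n in range(nc + length - 31):
        x1.append((x1[n + 3] + x1[n]) & 1)
        x2.append((x2[n + 3] + x2[n + 2] + x2[n + 1] + x2[n]) & 1)
    return [(x1[n + nc] + x2[n + nc]) & 1 for n in range(length)]


def pdcch_scramble(bits: List[int], rnti: int, n_id: int) -> List[int]:
    """XOR with c(n), c_init = (n_RNTI*2^16 + n_ID) mod 2^31; self-inverse."""
    c = gold_sequence(((rnti << 16) + n_id) % (1 << 31), len(bits))
    return [b ^ s for b, s in zip(bits, c)]


def encode_pdcch(dci: List[int], rnti: int, n_id: int) -> List[int]:
    """gNB side (simplified chain): CRC attach + RNTI mask, then scrambling."""
    return pdcch_scramble(attach_masked_crc(dci, rnti), rnti, n_id)


def recover_rnti(rx: List[int], n_id: int, candidates: Iterable[int]) -> List[int]:
    """Attacker side: RNTIs for which descramble, re-encode and compare succeeds.

    The re-encode-and-compare step is the verification the paper applies to
    every syndrome-table hit; here it doubles as the search itself.
    """
    hits = []
    for rnti in candidates:
        block = pdcch_scramble(rx, rnti, n_id)            # candidate descrambling
        if attach_masked_crc(block[:-24], rnti) == block:  # re-encode, compare
            hits.append(rnti)
    return hits


# Constructed sample: a 39-bit DCI-sized payload, C-RNTI 0x4601, cell ID 1.
SAMPLE_DCI = [int(b) for b in "101100111000101011010000111100100110011"]
SAMPLE_RNTI, SAMPLE_NID = 0x4601, 1

if __name__ == "__main__":
    rx = encode_pdcch(SAMPLE_DCI, SAMPLE_RNTI, SAMPLE_NID)
    print([hex(r) for r in recover_rnti(rx, SAMPLE_NID, range(0x4580, 0x4680))])
```

A wrong candidate passes the 24-bit CRC with probability about $2^{-24}$ per trial, which is why the paper additionally tracks how often each C-RNTI recurs across slots before trusting it; with the full 16-bit RNTI space the brute-force form needs 65536 Gold-sequence generations per PDCCH candidate, which is the cost the fingerprint table removes.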

B. 5G NR SMART UPLINK JAMMING IMPLEMENTATION
The objectives and methods discussed in the previous section for frame synchronization, de-anonymization, and PDCCH and DCI decoding were simulated in MATLAB and converted to C for implementation using the MATLAB Coder Toolbox and 5G Toolbox [41], [42]. MathWorks provides an example that discusses the process used by a UE to synchronize, demodulate, and decode a live gNB signal [43]. The MATLAB software provided in the example was used to implement both frame synchronization and the aspects of the PDCCH and DCI decoding process.
The software implementation of the frame synchronization process is illustrated in Figure 7. If the jammer has not previously attempted to synchronize with the network, it enters the process known as initial frame synchronization, which is depicted on the left-hand side of Figure 7. A conditional statement is used to check whether initial frame synchronization has been achieved. Then, PSS search is performed, in which the cell ID sector ($N_{\text{ID}}^{(2)}$) is used to generate the PSS symbols to be used as the reference grid. The cell ID sector is equal to zero for our network configuration. During initial frame synchronization, the jammer has no knowledge of the SSB location. Based on our network configuration, it is known that the periodicity of the SSB is two radio frames, or 20 ms. The SSB is also confined to a 5 ms window, which is located in either the first or the second half of the 10 ms radio frame. Therefore, for initial frame synchronization to calculate the timing offset, timing estimation performs cross-correlation of two radio frames, or 20 ms, of the received waveform with the reference waveform, which is created by OFDM-modulating the reference grid. Frame synchronization is performed every two radio frames due to the periodicity of the SSB. However, if initial frame synchronization has already occurred, the right-hand side of the flowchart in Figure 7 is executed, in which only one slot of the received waveform, rather than two radio frames, is used for timing estimation. One slot suffices to compute the timing offset because the extra offset accumulated during software execution never exceeds one slot. Software execution time is also reduced by cross-correlating only one slot of the received waveform with the reference waveform.
The jammer was designed using a multi-threaded program structure, which can be seen in Figure 8. There are five threads that contribute to the UE-targeted uplink attack, in which the jammer learns the time and frequency allocation of a target UE and transmits on the UE's assigned resource blocks. The receive thread is responsible for reading the data (I/Q samples) from the USRP and posts to a semaphore to permit the execution of the frame synchronization thread, the PDCCH thread, or the PUSCH thread, depending on which part of the radio frame has been received. Initial frame synchronization is performed once the jammer has received the first two radio frames; when it is complete, the receive thread posts to a semaphore to execute the PDCCH thread as soon as the first symbol of the next slot is received. The PDCCH thread is executed for the first symbol of each slot received by the jammer after initial frame synchronization is acquired. It is responsible for decoding the PDCCH, extracting and decoding the DCI bits, and identifying the C-RNTIs of the UEs operating on the network. The PDCCH thread also prompts the operator of the jammer to select a target UE from the list of C-RNTIs observed on the network. The selection of a target UE then signals the execution of the PUSCH thread.
The PUSCH thread is responsible for identifying the frequency allocation of the UE based on the DCI bits as well as generating the jamming signal. For our network configuration, the DCI format corresponds to uplink resource allocation type 1, which consists of a resource indication value (RIV). The RIV dictates the frequency allocation, as it encodes the starting resource block ($\text{RB}_{\text{start}}$) and the length of the allocated resource blocks ($L_{\text{RBs}}$). The first 11 bits of the DCI correspond to the RIV [19]; when $L_{\text{RBs}} - 1 \le \lfloor N_{\text{BWP}}^{\text{size}}/2 \rfloor$, Algorithm 1 is used to identify the values of $\text{RB}_{\text{start}}$ and $L_{\text{RBs}}$ from the RIV. The network configuration uses a constant time allocation of six slots, beginning after the symbol containing the DCI. The frequency and time allocation are used to generate the OFDM-modulated jamming signal with the same frequency and time allocation. After the PUSCH thread has executed and the jamming signal has been generated, a semaphore is used to permit the execution of the transmit thread, which transmits the jamming signal at the correct frequency and time allocation, in turn disabling the communication of the target UE with the network.
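The RIV decoding step of the PUSCH thread, as an added worked example (not the paper's Algorithm 1): it implements and inverts the full type 1 RIV rule of TS 38.214 §6.1.2.2.2 for a bandwidth part of $N_{\text{BWP}}^{\text{size}}$ PRBs, covering both the case the text states and the wrapped-around case for $L_{\text{RBs}} - 1 > \lfloor N_{\text{BWP}}^{\text{size}}/2 \rfloor$, and maps the result to the subcarrier range a jammer would fill. Following the paper's configuration, it is assumed that the RIV occupies the first 11 bits of the DCI payload for the 48-PRB bandwidth part ($\lceil \log_2(48 \cdot 49 / 2) \rceil = 11$); the DCI bits in the sample are constructed.

```python
"""Type-1 uplink resource allocation: RIV -> (RB_start, L_RBs) -> subcarriers.

Added example, not the paper's Algorithm 1.  TS 38.214 s6.1.2.2.2:
  if L_RBs - 1 <= floor(N/2):  RIV = N*(L_RBs - 1) + RB_start
  else:                        RIV = N*(N - L_RBs + 1) + (N - 1 - RB_start)
Assumption (paper's configuration): the RIV is the first 11 bits of the DCI
payload for a 48-PRB bandwidth part.
"""
from typing import List, Tuple

SUBCARRIERS_PER_PRB = 12


def riv_bits(n_bwp: int) -> int:
    """Field width ceil(log2(N(N+1)/2)) of the RIV for an N-PRB bandwidth part."""
    return (n_bwp * (n_bwp + 1) // 2 - 1).bit_length()


def alloc_to_riv(rb_start: int, l_rbs: int, n_bwp: int) -> int:
    """gNB side: encode a contiguous allocation as a RIV."""
    if rb_start < 0 or not 1 <= l_rbs <= n_bwp - rb_start:
        raise ValueError("allocation does not fit in the bandwidth part")
    if l_rbs - 1 <= n_bwp // 2:
        return n_bwp * (l_rbs - 1) + rb_start
    return n_bwp * (n_bwp - l_rbs + 1) + (n_bwp - 1 - rb_start)


def riv_to_alloc(riv: int, n_bwp: int) -> Tuple[int, int]:
    """Jammer side: invert the RIV.

    Reading (q, r) = divmod(RIV, N) as (L_RBs - 1, RB_start) is only
    consistent when the allocation fits in the BWP; if it does not, the RIV
    came from the second rule and is undone accordingly.
    """
    if not 0 <= riv < n_bwp * (n_bwp + 1) // 2:
        raise ValueError("RIV out of range for this bandwidth part")
    q, r = divmod(riv, n_bwp)
    l_rbs, rb_start = q + 1, r
    if rb_start + l_rbs > n_bwp:
        l_rbs, rb_start = n_bwp - l_rbs + 2, n_bwp - 1 - rb_start
    return rb_start, l_rbs


def riv_from_dci(dci_bits: List[int], n_bwp: int, offset: int = 0) -> int:
    """Read the RIV field (MSB first) starting at `offset` in the DCI payload."""
    width = riv_bits(n_bwp)
    field = dci_bits[offset:offset + width]
    if len(field) != width:
        raise ValueError("DCI payload too short for the RIV field")
    return int("".join(str(b) for b in field), 2)


def alloc_to_subcarriers(rb_start: int, l_rbs: int) -> range:
    """Subcarrier indices (relative to the BWP start) covered by the allocation."""
    return range(rb_start * SUBCARRIERS_PER_PRB,
                 (rb_start + l_rbs) * SUBCARRIERS_PER_PRB)


def jamming_target(dci_bits: List[int], n_bwp: int) -> Tuple[int, int, range]:
    """Full PUSCH-thread step: DCI bits -> (RB_start, L_RBs, subcarriers to hit)."""
    rb_start, l_rbs = riv_to_alloc(riv_from_dci(dci_bits, n_bwp), n_bwp)
    return rb_start, l_rbs, alloc_to_subcarriers(rb_start, l_rbs)


if __name__ == "__main__":
    # Constructed DCI: RB_start = 5, L_RBs = 30 in a 48-PRB BWP (second rule).
    riv = alloc_to_riv(5, 30, 48)                       # 954
    bits = [int(b) for b in format(riv, f"0{riv_bits(48)}b")] + [0] * 28
    print(jamming_target(bits, 48))                     # (5, 30, range(60, 420))
```

Getting the second rule wrong is the practical failure mode here: a decoder that only implements the case stated in the text would turn a 30-PRB grant into a 20-PRB grant at the wrong start, and the jamming waveform would miss most of the target's PUSCH.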

IV. EXPERIMENTAL MEASUREMENT SETUP
This section describes the development of the testbed used to measure the performance of the jammer. The testbed was developed using the open-source software known as the OpenAirInterface (OAI) 5G Radio Access Network (RAN) Project developed by the OpenAirInterface Software Alliance (OSA) [44], [45]. It is important to note that federal spectrum regulations prevent wireless experimentation from being conducted using real commercial networks and therefore the OAI 5G RAN Project was used to emulate a 5G network. The OAI 5G RAN Project delivers a 5G software stack similar to that of a real commercial network and therefore allows for experiments to be conducted without violating federal spectrum regulations.

A. OpenAirInterface (OAI) TESTBED INSTALLATION PROCEDURE
The OAI 5G RAN Project is an open-source radio network software project run by OSA. The OAI 5G RAN Project delivers a 5G software stack that can be used to implement a gNB, UE, and core network. The software permits the use of a Linux-based operating system to implement the layers of the network stack while using an SDR as the RF front-end. The standalone mode developed by the 5G RAN Project is used to implement the testbed. The OAI software uses numerology one (20 slots per frame and 30 kHz subcarrier spacing), a bandwidth part size of 48 physical resource blocks, and two PDCCH candidates at an aggregation level of four.
The process for implementing the OAI 5G RAN is illustrated in Figure 9. For the gNB and UE, OAI requires an Ubuntu 16.04 Linux distribution with a low latency kernel. Ubuntu 16.04 is installed on computers with four to eight core i7 processors along with low latency kernels. The power management settings are adjusted to meet the requirements outlined by the OAI 5G RAN Project. The git repository provided by OSA is cloned to a local directory, and the files dedicated to the gNB and UE are built. Two National Instruments (NI) USRP-2901s are connected to the host machines through USB 3 ports to serve as the RF front-ends for the gNB and the UE. The network is configured to a center frequency of 3.6192 GHz and a bandwidth of 40 MHz.
FIGURE 9. Illustration of the steps needed to install and set up the OAI 5G RAN software. The OpenAirInterface Software Alliance (OSA) provides documentation on the procedures to follow for installation as well as for power management. The UE, gNB, and 5G Core Network are all installed on separate computers with four to eight core i7 processors.
After the UE and gNB are implemented using the OAI 5G RAN Project, the 5G Core Network (5GCN) is installed, configured, and deployed. The 5GCN requires Ubuntu 18.04 and uses Docker to create containers for the individual core network components. Python 3.6 and Wireshark are installed to deploy the core network; Wireshark is used to capture the IP traffic over the network. Once all the needed components are installed, the git repository provided by OSA is cloned, and the container images are pulled and built. The testbed emulates an observed real-world cell, as the UE is able to receive and send traffic to the gNB and 5GCN.

B. OAI TESTBED AND 5G SMART UPLINK JAMMER MEASUREMENT SETUP
Measurements are performed in our laboratory as shown in Figure 10 and Figure 11, which depict the experimental wired setup. The testbed consisting of a gNB, UE, and OAI core network depicted in Figure 10 is created using the installation procedure for the OAI 5G RAN Project, as discussed in the previous section. The experimental wired setup allows the performance of the jammer to be evaluated in a controlled environment with minimal interference caused by multipath propagation. Measurements are also taken in a wireless setup in which the wired connections are removed and replaced with antennas. The measurements performed using the experimental wireless setup are conducted in a Faraday cage for isolation from public networks, as shown in Figure 12. In the wired configuration, the signals transmitted by the UE and gNB are fed to the jammer using a combiner. NI USRP-2901s serve as the radio frequency front-ends for the UE, gNB, and jammer, and 30 dB of attenuation is added to the transmit ports. The network is configured with a center frequency of 3.6192 GHz and a bandwidth of 40 MHz. The gNB contains information on the active C-RNTIs and UE identities on the network. On the 5GCN, Wireshark is used to monitor the flow of IP traffic throughout the network so that the reduction in UE throughput can be quantified. The transmit and receive gains of the gNB and the UE are adjusted to achieve stable, near-optimal radio link conditions. A GPS-disciplined oscillator and an OctoClock provide an external reference clock for the UE, gNB, and jammer.
A Graphical User Interface (GUI) is implemented in the custom jammer software for ease of testing. An example of the GUI is shown in Figure 13. The GUI includes a list of all the active C-RNTIs on the network, the status of frame synchronization, the percentage of successfully decoded PDCCH candidates, and options to plot the PDCCH constellation and the spectrogram of the transmission. The GUI allows the user to enter the C-RNTI of the target UE from the list of active C-RNTIs on the network. The jammer can also be activated and deactivated through the GUI. An option to enter a jamming-signal offset is included so that, when plotting the spectrogram, the jamming signal can be seen next to the PUSCH signal of the UE, and to verify that when transmitted at a different time allocation the jamming signal does not prevent UE communication.
The 5GCN provides network access and services to the UEs. To create TCP/UDP data streams on the network, the iPerf tool is used on the UE's host machine and on the 5GCN. Specifically, the bandwidth between the 5GCN's Access and Mobility Management Function (AMF), which runs in a Docker container, and the UE is measured. When the jammer is activated, the bandwidth is reduced to 0 Kbits/sec.
Overall, the OAI 5G RAN Project, along with SDRs, is used to create the testbed consisting of a UE, gNB, and 5GCN. The testbed emulates an observed real-world cell, as the UE is able to receive and send traffic to the gNB and 5GCN. The smart uplink jammer is implemented on an SDR using custom software and passively listens to the network emulated by the OAI 5G RAN Project to identify and target UE uplink transmissions. Once the jammer is activated, its performance is evaluated using Wireshark.

V. EVALUATION RESULTS
This section describes the evaluation results of the jammer performance for both the wired and the wireless measurement setups. The wired measurement setup is a control experiment that allows the performance of the jammer to be measured in an environment with minimal interference and ensures a stable implementation of OAI, giving an accurate representation of the jammer's performance. The wireless measurement setup allows the performance of the jammer to be evaluated in an environment in which there is interference such as multipath propagation. Overall, the jammer significantly reduces the UE's throughput, disrupting network operations.

A. WIRED EVALUATION RESULTS
To visualize the physical channels and signals sent by the UE and gNB as well as the jamming signal, spectrograms of the received waveforms and the jamming signal are plotted. Figure 14 contains two spectrograms: Figure 14a depicts the jamming signal sent at a time allocation one slot before the PUSCH transmission of the UE, and Figure 14b depicts the jamming signal transmitted at the same time and frequency allocation as the PUSCH signal. The spectrograms allow for qualitative verification that the jamming signal is sent at the correct time and frequency allocation. Furthermore, the QPSK constellations of the PDCCH are plotted for three different SNRs (−1.60 dB, 2.64 dB, and 21.23 dB) to visualize the impact of the SNR on the channel, as shown in Figure 15. At a higher SNR (Figure 15c), the QPSK constellation contains tighter clusters, resulting in fewer errors in the bit sequence of the PDCCH candidate received by the jammer.
For evaluation, measurements were performed over an SNR range of −2.0 dB to 20.0 dB. The SNR is measured at the receiver of the jammer to identify and quantify the feasibility and performance of the smart jamming attack. To successfully decode the PDCCH candidates, extract the time and frequency allocation from the DCI, and generate the jamming signal, a higher SNR is required. If significant noise is present in the transmission, the jammer receives PDCCH candidates with incorrect bit sequences; therefore, the jammer is unable to decode the correct C-RNTI value and the corresponding UE frequency allocation. As a result, at lower SNR the jammer is unable to send the jamming signal. This behavior is reflected in Figure 16, which depicts the maximum achievable throughput of the uplink channel of the UE over the SNR range. The throughput results depicted in Figure 16 are measured using iPerf, a tool that creates data streams to perform active measurements of the maximum achievable bandwidth on IP networks. It can be concluded that the jammer has an operational threshold of approximately 3.0 dB to effectively disable the UE's ability to communicate with the core network. At this threshold, the jammer can effectively decode the received PDCCH candidates and is therefore able to effectively jam the PUSCH transmissions of the UE.
FIGURE 16. This plot depicts the throughput of the UE as the SNR measured at the receiver of the jammer is increased from −2.0 dB to 20.0 dB using the experimental wired setup. It can be seen that as the SNR is increased the jammer performance improves and is able to effectively jam the PUSCH transmission.
To further quantify the performance of the jammer, the percentage of successfully decoded PDCCH candidates is measured over the SNR range of −2.0 dB to 20.0 dB. These measurements are presented in Figure 18. Below approximately 3.0 dB SNR, the jammer is unable to successfully decode any PDCCH candidates and therefore cannot generate a jamming signal. Once the jammer is able to successfully decode even a small percentage of PDCCH candidates (1.0%), it can send the correct jamming signal at the correct frequency and time and in turn reduce the uplink UE throughput to 0 Kbits/s.

B. OVER-THE-AIR (OTA) EVALUATION RESULTS
Measurements are taken using the experimental wireless setup in the Faraday cage to ensure isolation from public networks. The QPSK constellations of the PDCCH are plotted for each of the different SNRs (−1.60 dB, 1.02 dB, and 19.84 dB), as shown in Figure 17. Figure 17a and Figure 17b depict the QPSK constellation at lower SNRs and reflect how more noise in the channel results in errors in the received PDCCH. At a higher SNR, Figure 17c shows that the PDCCH is received with fewer errors because there is less noise in the channel, resulting in a more ideal QPSK constellation. The QPSK constellations produced using the experimental wireless setup also experienced more distortion than those produced by the experimental wired setup, which can be attributed to the additional complications introduced by the wireless medium, such as multipath propagation.
FIGURE 17. The QPSK constellation for the PDCCH was plotted for three different SNRs: −1.60 dB, 1.02 dB, and 19.84 dB. These plots were obtained using the wireless testbed. At lower SNRs, the jammer is unable to properly decode the PDCCH. At higher SNRs, the jammer significantly reduces the number of packets received by the 5GCN.
FIGURE 18. This plot depicts the percentage of successfully decoded PDCCH candidates as the SNR measured at the receiver of the jammer is increased from −2.0 dB to 20.0 dB using the experimental wired setup. It can be seen that as the SNR is increased the jammer performance improves and is able to effectively decode the PDCCH candidates.
FIGURE 19. This plot depicts the throughput of the UE as the SNR measured at the receiver of the jammer is increased from −3.5 dB to 21.0 dB using the experimental wireless setup. It can be seen that as the SNR is increased the jammer performance improves and is able to effectively jam the PUSCH transmission.
FIGURE 20. This plot depicts the percentage of successfully decoded PDCCH candidates as the SNR measured at the receiver of the jammer is increased from −3.5 dB to 21.0 dB using the experimental wireless setup. It can be seen that as the SNR is increased the jammer performance improves and is able to effectively decode the PDCCH candidates.
To quantify the performance of the jammer under wireless conditions, throughput measurements are taken over an SNR range of −3.5 dB to 21.0 dB using iPerf. Figure 19 depicts the maximum achievable throughput of the uplink channel of the UE as the SNR measured at the receiver of the jammer is increased. The jammer is able to effectively disable UE uplink communications at an SNR of −1.2 dB. To further quantify the performance of the jammer, the percentage of successfully decoded PDCCH candidates is also evaluated over the same SNR range. Figure 20 depicts the percentage of successfully decoded PDCCH candidates as the SNR is increased. At an SNR below −1.2 dB, the jammer is unable to decode any PDCCH candidates and therefore cannot transmit the correct jamming signal. However, once this threshold is reached and at least 1% of PDCCH candidates are successfully decoded, the percentage of successfully decoded candidates increases and the jammer is able to identify the resource allocation assigned to the UE.

VI. CONCLUSION AND RECOMMENDATIONS
In this paper, we provide an overview of 5G PHY layer vulnerabilities and how they can be exploited to attack critical infrastructures that have begun to implement 5G cellular technology. In particular, we present our concept and implementation of a smart uplink jamming attack, in which the jammer learns the time and frequency allocation of the UEs on the network and transmits on the resource blocks originally assigned to the target UE. We describe an efficient and flexible method for de-anonymizing 5G user data in which the C-RNTI is identified and the DCI is decoded for specific UEs on the network. The corresponding experimental evaluations demonstrate the feasibility and effectiveness of the attack and show that the jammer is able to significantly reduce throughput, preventing the UE from communicating with the network. The installation process for implementing the OAI 5G RAN Project is also described. Future work includes rigorous analysis and evaluation of the jammer performance at a larger range of SNR values using traffic injection tools.
The successful performance of the jammer emphasizes the criticality of such attacks and the need for security improvements in 5G communication networks. Recommendations for resiliency against jamming attacks include beamforming and secure encryption of the PDCCH. Currently, the scrambling method used is easily identified, and the DCI can be descrambled, revealing the location of user data. Monitoring systems can also be deployed by network operators of critical infrastructures to identify attackers. Future work includes broadening the evaluation to further equipment as well as exploring means of mitigating such attacks by analyzing security pitfalls.
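The monitoring recommendation above and the measurement method of Section IV.B (Wireshark on the 5GCN and iPerf between the AMF and the UE, with UE bandwidth falling to 0 Kbits/sec when the jammer is active) point at the same operator-side signal: a UE that was sending data and whose uplink suddenly goes quiet. The following block is an added example, not the paper's tooling, that turns that observation into a simple core-network detector. It aggregates per-UE uplink bytes from packet records into one-second windows and alerts when a previously active UE shows 0 kbit/s for several consecutive windows. The packet records are constructed, and the UE addresses, window size and thresholds are assumptions rather than values from the paper.

```python
"""
Per-UE uplink outage indicator derived from IP packet records.

Added example, not the paper's tooling. Section IV.B quantifies the attack by
watching IP traffic on the 5GCN with Wireshark and iPerf, and Section VI
recommends that operators deploy monitoring systems. This block turns that
observation into a detector: each UE's uplink bytes are aggregated into
one-second windows, and an alert is raised when a UE that had been actively
sending drops to 0 kbit/s for several consecutive windows. All packet records
are constructed; the UE addresses, window size and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW_S = 1.0           # assumed aggregation window in seconds
MIN_ACTIVE_KBPS = 100.0  # assumed: a UE counts as "active" at or above this rate
OUTAGE_WINDOWS = 3       # assumed: consecutive silent windows before alerting


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp in seconds
    ue_ip: str     # UE address as seen by the core network
    uplink: bool   # True when the UE is the source
    length: int    # bytes on the wire


def uplink_kbps_per_window(packets: List[Packet],
                           window_s: float = WINDOW_S) -> Dict[str, List[float]]:
    """Uplink throughput (kbit/s) per UE in consecutive windows starting at the
    first packet. A UE with no uplink bytes in a window gets 0.0 for it."""
    if not packets:
        return {}
    t0 = min(p.ts for p in packets)
    n_windows = int((max(p.ts for p in packets) - t0) // window_s) + 1
    totals: Dict[str, List[int]] = defaultdict(lambda: [0] * n_windows)
    for p in packets:
        if p.uplink:
            totals[p.ue_ip][int((p.ts - t0) // window_s)] += p.length
    return {ue: [b * 8 / 1000 / window_s for b in v] for ue, v in totals.items()}


def find_uplink_outages(series: Dict[str, List[float]],
                        min_active: float = MIN_ACTIVE_KBPS,
                        outage_windows: int = OUTAGE_WINDOWS) -> List[Tuple[str, int]]:
    """(ue_ip, first silent window) for each run of at least `outage_windows`
    zero-rate windows that follows a window in which the UE sent at or above
    `min_active`. A UE that was never active (keep-alives only) never alerts,
    and one alert is raised per outage however long the silence lasts."""
    alerts: List[Tuple[str, int]] = []
    for ue, rates in series.items():
        active, silent, start = False, 0, 0
        for i, kbps in enumerate(rates):
            if kbps > 0:
                active = active or kbps >= min_active
                silent = 0
                continue
            if not active:
                continue
            if silent == 0:
                start = i
            silent += 1
            if silent == outage_windows:
                alerts.append((ue, start))
    return alerts


def constructed_capture() -> List[Packet]:
    """Ten seconds of constructed traffic: UE 10.0.0.2 uploads at a steady rate
    for five seconds and then falls silent on the uplink while its downlink
    keeps flowing; UE 10.0.0.3 only sends a small keep-alive and is never
    'active', so its later silence must not alert."""
    pkts: List[Packet] = []
    for s in range(10):
        if s < 5:
            pkts += [Packet(s + k / 20, "10.0.0.2", True, 1400) for k in range(20)]
            pkts.append(Packet(s + 0.1, "10.0.0.3", True, 100))
        pkts.append(Packet(s + 0.5, "10.0.0.2", False, 1400))  # downlink continues
    return pkts


if __name__ == "__main__":
    series = uplink_kbps_per_window(constructed_capture())
    for ue, rates in series.items():
        print(ue, [round(r, 1) for r in rates])
    print("alerts (ue, first silent window):", find_uplink_outages(series))
```

The detector flags the symptom the paper measures (uplink throughput at 0 kbit/s for a UE that was just transmitting) rather than the attacker, so the `min_active` baseline is what keeps idle UEs and keep-alive traffic from producing alerts. Deciding whether a flagged UE was jammed or merely stopped sending needs correlation with the gNB's view of the same UE (for example, whether it still holds a C-RNTI and receives downlink), which is the kind of cross-layer input an operator's monitoring system would add on top of this core-network signal.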