Air fingerprinting infers application activity by sniffing metadata from cellular control channels. 5G encrypts these channels, breaking the chain that prior attacks depend on. This paper reveals a physical-layer side channel that bypasses encryption: under the link adaptation mandated by the cellular communication standard, the uplink Modulation and Coding Scheme (MCS) remains stable, so the number of Physical Resource Blocks (PRBs) occupied by a transmission accurately reflects the IP packet length. Combined with the uplink control channel that carries downlink information, an attacker can reconstruct a bidirectional traffic profile. This bidirectional information recovery can be achieved simply by observing the uplink spectrum, without decoding any channel. Building on this side channel, we design Crosshair, a passive three-step attack. First, a blind extraction stage recovers the uplink physical channel occupancy from raw IQ samples via energy detection, reconstructing bidirectional traffic from the uplink spectrum. Second, we design a data augmentation method that synthesizes spectral profiles across diverse channel conditions, eliminating the need for prior knowledge of the communication environment. Third, cross-modal alignment embeds the spectral and IP domains into a shared space, enabling new applications to be enrolled from a collected IP trace alone. Extensive experiments on a 5G NR testbed demonstrate the robustness and precision of Crosshair: it outperforms the state-of-the-art (SOTA) physical-layer fingerprinting method in application recognition accuracy, and maintains high accuracy in cross-MCS scenarios.
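The following is an added illustration, not code from the paper or the Crosshair pipeline, of the core observation above: with a fixed MCS, the PRB count is a near-deterministic function of the IP packet length, so two applications with different packet-size distributions produce different PRB-count histograms. It uses a simplified resource model (12 subcarriers times an assumed 12 data symbols per PRB, times modulation order times code rate expressed as R/1024); the real 3GPP transport block size procedure is more involved, and the two packet traces are constructed, not measurements. It also shows the obvious defensive lever: padding packets to fixed-size buckets collapses the histograms, at whichever MCS the link happens to use.

```python
"""Toy model of the PRB-count side channel and a padding countermeasure.
Assumptions (not from the paper or 3GPP): bits per PRB =
12 subcarriers x 12 data symbols x Qm x (R/1024)."""
import math
from collections import Counter

SUBCARRIERS_PER_PRB = 12
DATA_SYMBOLS_PER_SLOT = 12   # assumption: 14 OFDM symbols minus 2 of reference/control overhead
RESOURCE_ELEMENTS_PER_PRB = SUBCARRIERS_PER_PRB * DATA_SYMBOLS_PER_SLOT


def prbs_for_packet(packet_bytes: int, qm: int, r1024: int) -> int:
    """PRBs needed for one packet at modulation order qm (2=QPSK, 4=16QAM, 6=64QAM)
    and target code rate r1024/1024. Pure integer ceiling, so no float rounding."""
    bits_x1024 = packet_bytes * 8 * 1024
    per_prb_x1024 = RESOURCE_ELEMENTS_PER_PRB * qm * r1024
    return (bits_x1024 + per_prb_x1024 - 1) // per_prb_x1024


def pad_to_bucket(packet_bytes: int, bucket: int) -> int:
    """Countermeasure: round every packet up to a multiple of `bucket` bytes so
    that distinct packet lengths map onto the same PRB count."""
    return math.ceil(packet_bytes / bucket) * bucket


def prb_profile(packet_lengths, qm, r1024, pad_bucket=None):
    """Histogram of PRB counts an eavesdropper would observe for a packet trace."""
    counts = Counter()
    for length in packet_lengths:
        if pad_bucket is not None:
            length = pad_to_bucket(length, pad_bucket)
        counts[prbs_for_packet(length, qm, r1024)] += 1
    return counts


def total_variation(profile_a, profile_b) -> float:
    """Distance between two histograms: 0.0 = identical, 1.0 = no PRB count in common."""
    n_a, n_b = sum(profile_a.values()), sum(profile_b.values())
    keys = set(profile_a) | set(profile_b)
    return 0.5 * sum(abs(profile_a[k] / n_a - profile_b[k] / n_b) for k in keys)


# Constructed uplink traces (bytes per IP packet); not data from the paper.
MESSAGING_TRACE = [64, 80, 96, 120]      # small, chatty packets
UPLOAD_TRACE = [1200, 1400, 1400, 52]    # near-MTU payloads plus a small ACK


def leakage_with_and_without_padding(qm=2, r1024=512, bucket=1500):
    """Return (distance without padding, distance with padding) for the two traces."""
    raw = total_variation(prb_profile(MESSAGING_TRACE, qm, r1024),
                          prb_profile(UPLOAD_TRACE, qm, r1024))
    padded = total_variation(prb_profile(MESSAGING_TRACE, qm, r1024, bucket),
                             prb_profile(UPLOAD_TRACE, qm, r1024, bucket))
    return raw, padded


if __name__ == "__main__":
    for qm, r1024 in ((2, 512), (6, 768)):   # QPSK r=0.5 and 64QAM r=0.75
        raw, padded = leakage_with_and_without_padding(qm, r1024)
        print(f"Qm={qm} R={r1024}/1024: distinguishability raw={raw:.2f} padded={padded:.2f}")
```

At QPSK with rate 1/2 the two constructed traces share no PRB count at all (distance 1.0); at 64QAM the small packets compress into one or two PRBs and the histograms partially overlap, which is the kind of cross-MCS shift the abstract says the attack tolerates. Padding to 1500-byte buckets drives the distance to 0.0 at either MCS, at the cost of the bandwidth the padding consumes.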