2014 IEEE Security and Privacy Workshops

Steganography in Long Term Evolution Systems

Iwona Grabska, Krzysztof Szczypiorski

Institute of Telecommunications
Warsaw University of Technology
Warsaw, Poland
e-mail: {i.grabska, ksz}@tele.pw.edu.pl

Abstract This paper contains a description and analysis of a

new steganographic method, called LaTEsteg, designed for
LTE (Long Term Evolution) systems. The LaTEsteg uses
physical layer padding of packets sent over LTE networks.
This method allows users to gain additional data transfer that
is invisible to unauthorized parties that are unaware of hidden
communication. Three important parameters of the LaTESteg
are defined and evaluated: performance, cost and security.
Keywords 4G, LTE, Steganographic
Steganographic Channel, Steganography

I.

II.

The presented steganographic system uses the frequency

division duplex (FDD) mode of LTE, where downlink and
uplink transmission takes place at the same time in a separate
frequency channel. Each FDD transmission frame
(Tframe = 10 ms) consists of two time slots (Tslot = 0.5 ms). In
the frequency domain such an FDD frame is divided into
15 kHz subcarriers. The maximum number of subcarriers is,
therefore, not a constant value but depends on the width of
the available bandwidth ([2], [1]).
Every single time slot consists of 7 OFDM (Orthogonal
Frequency-Division Multiplexing) symbols with the useful
duration of 66.7 s. In the frequency domain, such a slot
contains exactly 12 subcarriers with a total width of 180 kHz
(12 * 15 kHz). This slot resource block (RB) is the basic
unit for the allocation of the transmitted data. The network
assigns to its users not a single RB unit but a pair of units
belonging to one subframe. Therefore, NRB as used in this
paper stands for the number of allocated RB pairs, rather
than their total number.
Depending on the size of resources allocated to the user,
the base station places data for that user in appropriate RBs.
Information about the localization of those RBs is sent via
another physical channel so that the users receiver is able to
locate and read these blocks.
The data size that the user can send using the resources
assigned to him is well defined. 3rd Generation Partnership
Project (3GPP) standardization documents contain a list of
available modulation and coding schemes (MCSs). Twentyeight out of 31 defined proposals of these schemes are used.
Each MCS with the index IMCS has an ITBS parameter
assigned. That parameter defines the size of a data block that
can be sent in the channel depending on the size of
resources allocated to the user (NRB). Such a defined data
block is called a transport block (TB) [3].

Algorithm,

INTRODUCTION AND STATE OF THE ART

LTE technology is currently enjoying huge popularity in

wireless networking and helps in introducing services that
could not be previously offered in cellular systems like high
definition video transmission or VoD (Video on Demand)
([8], [15], [19]). With growing popularity of these services
and the possibility of very fast wireless transmission, LTE
systems are becoming the perfect carriers for steganography
[12].
There are many proposals for steganographic systems
designed for different types of networks. Most methods are
based on the most popular and commonly used protocols
such as TCP/IP (Transmission Control Protocol/Internet
Protocol) or VoIP (Voice over Internet Protocol), which can
be combined with standard networks like WiFi (Wireless
Fidelity) [17]. One can observe first proposals of
steganographic systems dedicated for LTE as can be found in
[14], where usage of padding was used to develop additional
covert channels. However, that steganographic systems
where not evaluated well, especially by network simulations.
The idea of using the padding is also presented in this
paper, however, padding-based steganographic system for
LTE were additionally tested and assessed for performance
and efficiency. The presented system was also implemented
in the simulation environment.
The idea of using padding for covert channels was also
presented for other types of wireless networks: WiFi
(method called WiPAD) [18] and for WiMAX [13].
Moreover, first implementation of LTE physical layer in
FPGA was presented [11] and gives the opportunity for
further work to implement presented steganographic system
in the real network and make them evaluated not only in
simulation environment.

2014, Iwona Grabska. Under license to IEEE.

DOI 10.1109/SPW.2014.23

LTE STANDARD

III.

THE PROPOSAL OF LATESTEG

During the normal operation of the LTE system, padding

fields consist of sequences of zeroes. Immediately after
receiving the frame, these sequences are rejected by the
receiver as unnecessary bits without relevant user
information. The principle of the presented steganographic
system is to create a hidden transmission channel by placing
an additional amount of information in the padding field
instead of the zeroes.
92

TBSIZE the size of the TB. It depends on the

resources assigned to the user and on the currently
used MCS (in bytes);
Depending on the size LIP of the currently transmitted IP
packet, that packet is appropriately formatted so it can be
transmitted in the radio channel and delivered to the receiver.
If the following condition is satisfied:

The LTE system is based on packet transmission with the

use of an IP protocol [4]. Each of the IP packets (of a
variable length) that should be delivered to users is properly
formatted in the transmitter of the base station. Each IP
packet is, therefore, processed by the packet data
convergence protocol (PDCP) [7], radio link control (RLC)
[6] and medium access control (MAC) [5] layers, having an
important impact on the final size of the padding.
Estimations of the effectiveness of the presented
steganographic system were based on a number of
assumptions:
x the LTE system works in the unacknowledged mode
(UM) and acknowledged mode (AM);
x there is no IP header compression in the PDCP layer;
x fragmentation in the RLC layer is used only when
the total size of the MAC protocol data unit (MAC
PDU) is larger than the available TB;
x concatenation of the RLC service data units (RLC
SDU) is used only in cases where adding the whole
next SDU unit (without its fragmentation) does not
cause the unit to exceed the available TB size.
The scheme of the creation of the TBs in the transmitter,
with the padding field marked, is presented in Figures 1 and
2.
In this paper the following designations are used:
x LIP the size of the currently transmitted IP packet
(in bytes);
x LH-PDCP the size of header added to the PDCP SDU
in PDCP layer (LH-PDCP = 2 bytes);
x LH-RLC the size of the header added in the RLC
layer:
2,
for = 1
 =  2,5 + 1,5 , for = {3, 5, 7, } ,
2 + 1,5 ,
for = {2, 4, 6, }

 +   ,

where:
 =  +  + 



x
x

2 bytes, for   128 bytes

;
3 bytes, for   > 128 bytes

IP packet

IP packet

PDCP

PDCP
Header

RLC

MAC

IP packet

PDCP
Header

PDCP
Header

RLC
Header

RLC
Header

MAC
Header

PAD

MAC
Header

PAD

PHY
Transport Block

Transport Block

Figure 1. Construction of the transmitted TBs using RLC SDU

concatenation (source: [8])

The maximum number of IP packets NMAX that are

included in the given TB equals:

(1)

 = 

!"#$%&  '*-./ '*9:/

$; <'*;?/;

@,

(5)

where B is the floor of X.

It is necessary to verify the obtained NMAX value. If the
size of the newly received unit  +  is equal to  :
 +  =  ,

(2)

(6)

where:
 =   +  +  for  = 1, =  ,  = 0

where n is the number of MAC SDU units included

in one MAC PDU unit and the size LSH-MAC of the
subheader depends on the current MAC SDU size:
 = 

for  = 1,  = 1,  = 0,

so the length of IP packet with all basic headers added in

each layer does not exceed the available TB, then
fragmentation of the IP packet is not needed.

where k is the number of RLC SDU units included in

one RLC PDU unit;
LH-MAC the size of the header added in the MAC
layer. It consists of MAC subheaders designed for
individual MAC SDU units contained in the MAC
PDU unit and padding field (if there is one):
1,
for  = 1,  = 0
=  ( 1) + 1, for  > 1,  = 0 ,
for  1,  0
  + 1,

(4)

the assumption of simultaneous transmission of NMAX

packets is maintained and:

(3)

 = 0.

LPAD the size of the padding field in the MAC PDU

unit (in bytes);
BR hidden channel capacity;

However, if:

(7)
 +  < 

where:
 =   +  +  for  = 1, =  ,  0

93

 +  < E  ,

the number of simultaneously transmitted packets is also

NMAX, but the size of the padding is not zero and:

where:

 =  [ ( +  ) +  +  ]

(8)
 =  + E  + E 

In other cases the NMAX value is decreased by 1:

 =  1,

for

(9)

 = 1, = 1,  = 0,

 = 1, = 1,  0,

until in the newly formed unit (made as in the previous case

of the IP packet and additional headers from each layer)
Equation (6) or (8) is satisfied. Then, the size of padding
reaches (7) or (9).

RLC

PDCP
Header

RLC
Header

MAC

RLC
Header

MAC
Header

 =

MAC
Header

PAD

Transport Block

Figure 2. Construction of the transmitted TBs using IP packet

fragmentation (source: [8])

$; <'*;?/;

!"#$%& '*-./ '*9:/

G,

(11)

N =

(15)

(16)

;.?
!OPQRS

(17)

where LPAD is the size of padding calculated on the basis

of (7), (9), (13) and (15), and Tframe is the duration of the
transmission frame.

(12)

IV.

THE EFFICIENCY OF LATESTEG

Dependencies obtained in the above analysis were used

to determine the theoretical efficiency of the LaTEsteg.
According to the research [16], the most common IP packets
in the network are packet sizes 40 and 1 500 bytes.
Therefore, in this work we focus on the analysis of these
types of packets.
The results confirm the significant impact of external
factors as well as conditions in the network on the size of
padding. Therefore, the efficiency of the steganographic
system is not constant. Hidden channel capacity depends on:
x the size of IP packet which is to be sent to the user;

where:
 =  + E  + E  for  = 1, = 1,  = 0.

This is the situation, where exactly q TBs are needed in

order to transmit an IP packet of the length of LIP.
Therefore,
 = 0.

The derivation of the relationships (7), (9), (13) and (15)

enables the size of padding that corresponds to one TB to be
calculated. In addition to the size of the padding, another
important parameter that determines the efficiency of the
steganographic system is the hidden channel capacity. In
this case, the capacity of the proposed steganographic
channel is:

where B is the ceiling of X.

Using q TBs, there are two possible variants of the
network operation. The first corresponds to the following
condition satisfying:
 +  = E  ,

 =  +  (E 1) (   )

If however, condition (4) is not satisfied, so the IP packet

along with its headers is greater than the resources allocated
to the user, it is necessary to fragment the transmitted packet
on the level of the RLC layer (Figure 2). For this purpose,
the received unit (IP packet with PDCP layer header) is
divided into q parts. As a result, q TBs are needed to transmit
one IP packet:
E=F

!"#$%& '*9:/ '*-./

where L is the number of bytes from the given IP packet and

the attached PDCP layer header that were transmitted in the
qth TB. Therefore:

PHY
Transport Block

in case of first E 1 TBs

,
in case of EKL TB

which corresponds to the situation where the last used TB is

not fully filled with the bits from the IP packet and attached
headers. Therefore, a newly created transmission unit must
be appropriately padded. Padding obtained in that way
(counted as the number of padding bytes per TB) has the
length of:

IP packet

PDCP

(14)

(13)

The second case corresponds to the condition:

94

padding [bit]

900

6000

600

3000

300

100

10

10

15

20

25

20

25

NRB = 90

1200

9000

900

6000

600

3000

300

throughput [kbps]

20

padding [bit]

200

throughput [kbps]

padding [bits]

30

15
IT BS

12000

10

40

300

1200

9000

NRB = 30
400

NRB = 30

12000

throughput [kbps]

x how the packet is formatted in each network layer

the size of the headers of each layer (PDCP, RLC and
MAC);
x segmentation usage in the RLC layer;
x the size of the TB, which depends on the MCS used,
the conditions of the radio environment and the
resources assigned to the user.
Figure 3 illustrates the relationship between the MCS
(ITBS) and the obtained padding size and hidden channel
capacity for selected sizes of resources assigned to the user
(NRB = {30, 90}) and for 40-byte IP packets. A similar
relationship for the transmission of 1 500-byte IP packets is
presented in Figure 4.

IT BS
0

400

40

300

30

200

20

100

10

10

15

20

25

10

15

20

25

IT BS

Figure 4. The size of padding and hidden channel capacity as a function of

MCS (ITBS) and available resources (NRB ={30, 90} ) for LIP = 1 500 bytes
throughput [kbps]

padding [bits]

NRB = 90

The graphs presented are characterized by significant

and dynamic volatility depending on ITBS (Figures 3 and 4)
and NRB (Figure 5). However, regardless of the amount of
resources assigned to the user, the size of padding varies
considerably and in some cases takes the value 0. Therefore,
a large amount of resources does not guarantee high
capacity in the hidden channel. Moreover, the size of
padding changes with the improvement in the radio
environment condition and the MCS used, which influences
the TB size. Therefore, the current conditions of the radio
channel have a significant impact on the efficiency of the
LaTEsteg. Table I presents the results of analyses for
significant, specific network conditions and confirms the
number of factor affections on the obtained hidden channel
capacity.

IT BS

Figure 3. The size of padding and hidden channel capacity as a function of

MCS (ITBS) and available resources (NRB ={30,90} ) for LIP = 40 bytes

95

14000

1400

IT BS = 9 (QPSK/16-QAM)

IT BS = 15 (16-QAM/64-QAM)

IT BS = 26 (64-QAM)

10500

1050

7000

700

3500

350

10

20

30

40

50

60

70

80

90

100

throughput [kbps]

padding [bits]

IT BS = 0 (QPSK)

0
110

NRB
Figure 5. The size of padding and hidden channel capacity as a function of available resources NRB for the chosen MCS (ITBS = {0, 9, 15, 26}) for LIP = 1 500
bytes
STEGANOGRAPHIC SYSTEM EFFICIENCY FOR SELECTED VALUES OF LIP, ITBS AND NRB

TABLE I.

Hidden channel capacity (kb/s)

NRB = 1

LIP [B]
ITBS = 0
QPSK
ITBS = 9
QPSK
16-QAM
ITBS = 15
16-QAM
64-QAM
ITBS = 26
64-QAM

V.

40

NRB = 15

1500

40

NRB = 30

1500

40

1500

NRB = 45

40

1500

NRB = 60

40

1500

TBsize = 2 B
0.00
0.00
TBsize = 17 B

TBsize = 49 B
1.60
0.34
TBsize = 293 B

TBsize = 101 B
7.20
3.20
TBsize = 597 B

TBsize = 157 B
16.00
2.88
TBsize = 871 B

TBsize = 209 B
23.20
14.40
TBsize = 1 191 B

0.00

20.80

20.00

30.40

8.00

0.06

31.45

73.87

92.40

TBsize = 35 B

TBsize = 573 B

TBsize = 1 143 B

TBsize = 1 692 B

8.00

0.80

4.80

26.40

0.00

54.67

310.00

147.20

348.40

TBsize = 2 292 B
19.20

627.20

TBsize = 89 B

TBsize = 1 383 B

TBsize = 2 769 B

TBsize = 4 107 B

TBsize = 5 477 B

33.60

22.40

17.60

9.60

26.40

1.96

502.40

1 009.00

875.20

768.00

number of correctly received bits gradually decreases,

thereby the quality and capacity of the hidden transmission is
lower.
Using the lower modulation and higher number of
redundant bits, the noise in the radio environment has lower
influence on the transmitted signal so the possibility of bit
detection and correction is higher. In some cases it is
possible to avoid any bit errors.
For MCSs with a higher IMCS parameter, the bit error rate
decreases much more slowly depending of Eb/N0 than in the
case of a lower IMCS. This is due to the fact that MCSs with a
lower index use lower modulations and a higher number of
redundant bits. Therefore, in the worst condition of the radio
environment, it is possible to detect and correct more errors.
Figure 8 presents the effect of the Eb/N0 parameter on the
bit error rate (BER) obtained in the hidden channel for the
chosen MCSs. However, with the use of an MCS of a lower
index (for example, IMCS = 9 or IMCS = 10, thus the QPSK and
16-QAM modulations) the BER increases for the same
values of Eb/N0. The reason for this is the difference in the
number of redundant bits, which has a significant influence
on the ability to detect errors and correct them. We can see a

SIMULATION RESULTS

In order to verify and confirm the obtained theoretical

results, a number of simulations were carried out. Moreover,
such simulations allow the influence of the radio
environment conditions on the hidden transmission quality to
be checked and the hidden channel safety and the cost of the
steganographic systems operation to be evaluated.
Simulations were based on the modified LTE system model
[9], [10] for Simulink.
Figure 7 shows the hidden channel capacity achieved
during the transmission of 1 500-byte IP packets in the
standard way for three selected MCSs and depending on the
noise power in the radio channel. According to the presented
relations, IMCS significantly affects the achieved hidden
channel capacity. However, the use of the higher ratio MCS
does not guarantee a higher result. For example, in Figure 7,
the second case, where IMCS = 15, gives higher hidden
transmission throughput than in the case where IMCS = 25.
The parameter which has a significant influence on the
hidden transmission quality (the number of correctly
received bits for all transmitted bits) is certainly the Eb/N0
level. With worsening conditions in the radio channel, the

96

similar relation in the case of IMCS = 16 and IMCS = 17, where

16-QAM and 64-QAM modulations are used.

600

(a)

IMCS = 5
IMCS = 15

500

600

(a)

IMCS = 25

LIP = 40 B
goodput [kbps]

throughput [kbps]

400

LIP = 1 500 B

500

400

300

200

300
100

200
0
-15

-10

-5

100

10

15

20

goodput [kbps]

LIP = 40 B

throughput [kbps]

15

0
Eb/N0 [dB]

10

15

IMCS = 15
IMCS = 25

600

1200
LIP = 1 500 B

1000

10

IMCS = 5

700

25

IMCS

(b)

800

(b)
0

0
Eb/N0 [dB]

800

500
400
300
200

600

100

400

0
-15

200

-10

-5

Figure 7. Influence of the radio channel condition (Eb/N0) on the hidden

channel capacity for 1 500-byte IP packets as a function of the MCS used
and available resources (a) NRB = 20 and (b) NRB = 70
0

10

15
IMCS

20

25
10

Figure 6. Influence of the MCS used (IMCS) on the hidden channel

capacity as a function of IP packet size and available resources (a) NRB =
20 and (b) NRB = 70

IMCS = 0
IMCS = 9
IMCS = 10

A very necessary aspect of designing a steganographic

system is the avoidance of that systems influence on the
normal network operation. It is very desirable to have the
lowest possible (or no) cost associated with the hidden
channels existence.
In the case of the presented steganographic system, the
estimated cost is small. Additional, hidden data are stored in
the ignored part of the transmitted frame. Therefore, the
hidden transmission does not affect the normal operation of
the network and does not generate additional errors. This is
confirmed by figures presenting BER as a function of Eb/N0
in the standard channel in the case of normal network
operation (Figure 9a) and in the case of the steganographic
systems existence (Figure 9b).

10

IMCS = 16

-1

IMCS = 17

BER

IMCS = 28

10

10

10

-2

-3

-4

-15

-10

-5

0
Eb/N0 [dB]

10

15

Figure 8. Influence of Eb/N0 value on BER in the hidden channel for the
chosen MCS (IMCS = {0, 9, 10, 16, 17, 28})

97

Possible directions for further work and research may be

different. The LaTEsteg can be modified in order to obtain
even better performance not only in an LTE system but
also in other networks. What is more, that system should be
implemented and tested in the environment of real network.

(a)

10

IMCS = 5
IMCS = 13
IMCS = 24

-1

10

BER

ACKNOWLEDGMENT
This research was partially supported by the Polish
National
Science
Center
under
grant
no. 2011/01/D/ST7/05054.

-2

10

REFERENCES
-3

10

(b)

10

-15

-10

-5

0
Eb/N0 [dB]

10

[1]

15

[2]

IMCS = 5

[3]

IMCS = 13
IMCS = 24

-1

[4]

BER

10

[5]
10

-2

[6]

10

-3

-15

-10

-5

10

[7]

15

Eb/N0 [dB]

Figure 9. Influence of the Eb/N0 value on BER in the standard channel

(a) for normal network operation, (b) for simultaneous network and
steganographic system operation

VI.

[8]
[9]

CONCLUSIONS

[10]

In the LaTEsteg, the maximum achieved hidden

transmission speed reached 1.162 Mb/s. However, the
effectiveness of the steganographic system depends on many
factors which may not be controlled by the hidden-system
user, for example, the size of the transmitted IP packet, MCS
used or amount of assigned resources. Therefore, hidden
channel capacity may be decreased to zero in some cases.
The advantage of the LaTEsteg is the fact that system
does not generate any changes in the operation of the LTE
system. Therefore, there is no cost of the hidden transmission
which makes the proposed steganographic system very
secure. Any additional anomalies do not raise suspicion
among standard network users, thus hidden transmission is
unnoticed. This means that the proposed steganographic
system enables safe and effective hidden transmission and
has potentially huge range of use.
After some modifications, the proposed steganographic
system can be implemented in other types of networks that
use padding. However, in such cases, the effectiveness of the
system may be different than presented as there are several
different factors that influence the parameters of hidden
channel. Therefore, the presented steganographic system
should be analysed for each type of network that implements
that system.

[11]

[12]

[13]

[14]

[15]
[16]

[17]
[18]

98

LTE in a Nutshell: The Physical Layer, White Paper, Telesystem

Innovations, Canada, 2010
3GPP TS 36.211, Evolved Universal Terrestrial Radio Access (EUTRA); Physical Channels and Modulation (Release 9), March 2010
3GPP TS 36.213, Evolved Universal Terrestrial Radio Access (EUTRA); Physical Layer Procedures (Release 9), September 2010
3GPP TS 36.300, Evolved Universal Terrestrial Radio Access (EUTRA) and Evolved Universal Terrestrial Radio Access Network
(E-UTRAN); Overall description; Stage 2 (Release 9), December
2011
3GPP TS 36.321, Evolved Universal Terrestrial Radio Access (EUTRA); Medium Access Control (MAC) Protocol Specification
(Release 9), March 2012
3GPP TS 36.322, Evolved Universal Terrestrial Radio Access (EUTRA); Radio Link Control (RLC) Protocol Specification
(Release 9), September 2010
3GPP TS 36.323, Evolved Universal Terrestrial Radio Access (EUTRA); Packet Data Convergence Protocol (PDCP) Specification
(Release 9), December 2009
Dahlman E., Parkvall S., Skold J., Beming P., 3G Evolution: HSPA
and LTE Mobile Broadband, Academic Press, Burlington 2008
Guo X., Song P., Matlab Simulink Based LTE System Simulator,
Gteborg, Sweden, 2010
Guo X., Song P., Simulink Based LTE System Simulator, M. Sc.
Thesis, Gteborg, Sweden, 2010
Lenzi, K.G.; Bianco F, J.A.; de Figueiredo, F.A.; Figueiredo, F.L.,
"Optimized rate matching architecture for a LTE-Advanced FPGAbased PHY" in Proc. IEEE International Conference on Circuits and
Systems
(ICCAS
2013),
2013
pp.
102-107,
doi:
10.1109/CircuitsAndSystems.2013.6671636
Lubacz J., Mazurczyk W., Szczypiorski K., Network
Steganography,
Telecommunication
Review
and
Telecommunication News, in Polish, no 4/2010, pp. 134135
Grabska I., Szczypiorski K.: Steganography in WiMAX Networks,
in Proc. 5th International Congress on Ultra Modern
Telecommunications and Control Systems (ICUMT 2013), 10-13
September 2013,
Rezaei, F.; Hempel, M.; Dongming Peng; Yi Qian; Sharif, H.,
"Analysis and evaluation of covert channels over LTE advanced" in
Proc. Wireless Communications and Networking Conference
(WCNC),
7-10
April
2013,
pp.
1903-1908,
doi:
10.1109/WCNC.2013.6554855
Sauter M., From GSM to LTE, John Wiley & Sons, UK, 2011
Sinha R., Papadopoulos C., Heidemann J., Internet Packet Size
Distributions: Some Observations, University of Southern
California, Los Angeles, CA, USA (web page released October 5,
2005 republished as ISI-TR-2007-643 May 2007)
Szczypiorski K., Steganography in Wireless Local Networks, in
Polish, Ph. D. Thesis, Warsaw, September 2006
Szczypiorski K., Mazurczyk W., Hiding Data in OFDM Symbols of
IEEE 802.11 Networks, in Proc. International Conference on

Multimedia Information Networking and Security (MINES 2010),

2010, pp. 835840, doi: 10.1109/MINES.2010.177

[19] The Office of Electronic Communications Long Term Evolution, the

Next Step in the Evolution of Mobile Systems, in Polish, Warsaw,
May 2010

99