WidebandFullyPassiveGSMInterceptionSystem

o Aconvenientsolutionthatenablesextensiveandloss-freegatheringofinformation.o EGSM-900/GSM-1800orGSM-850/GSM-1900.o 600simultaneouscallsusing1096frequenciesreceivingsystem.o Thesystemcontinuouslyanalysesall548downlinkchannelsandprovides

identificationofBTScontrolchannels.o AnyfakeBTScanbedetectedandshowntothesystemoperator.o Thesystemisabletoreceive,decode,storeandshowVoiceandSMSfromaGSM-

network.o Distanceofinterception.o 2Gduplexinterceptionisupto400meterslineofsightandsimplexinterceptionupto

2km.o Distanceofinterception.o Usingoptionalactivesubsystemallowingmonitoringof4G/3Gtargetphonesin2G.100

meterso ThesystemcanalsobeusedasPassiveIMSIcatcherandprovidenotificationaboutany

newIMSIeventinsideoftheinterceptionarea.WhiteandblacklistoftargetsIMSIscanbeusedforfilteringofgroupofsubscribers.

TechnicalInformationWidebandFullyPassiveGSMInterceptionSystem

TABLEOFCONTENTS

Introduction1. PassiveGSMInterceptionSystem1.1 Passivereceivingstation1.2 Laptop/Workingstationandstorageunit2. NetworkingofMultipleStations3. Specifications3.1 Technicalcharacteristics3.2 Functionalcharacteristics4. Systemdeliverylist5. Systemcomponents6. Screenshots

INTRODUCTIONTheGlobalSystemforMobileCommunications(GSM) iswidelyusedmobileradionetwork.TheGSMstandarddefinesadigitalnetworkforvoicecommunications,forcircuit-switchedandpacket-switcheddataservicesaswellasforshortmessageservices(SMS).ThedocumentdescribesWidebandFullyPassiveGSMInterceptionSystem.ThesystemisabletoshowtheentirereceivableGSMmobileradiotrafficfromEGSM-900,GSM-1800,GSM-850,andGSM-1900andtodisclosecallcontents.Itisaconvenientsolutionthatenablesextensiveandloss-freegatheringofinformation.Thesystemprovidesinterceptionofupto600simultaneouscallswithoutlossofdatausing1096frequenciesreceivingsystemapproachwhenall548GSMduplex-channelsareanalyzed.ItcontinuouslyanalysesGSMnetworksparametersandcontrolsallchannelsofradio-availableBTSsinparallelwithcallsinterception.Thewide-bandsystemarchitectureguarantiesthatallBTSswiththeirhoppingmodeandhandoverprocedurewillbeprocessedinanycases.Anyothersystemarchitecturecannotguarantysuccessfulinterceptionofallradio-availableBTSsandsubscribersincaseofGSMnetworkparameterschanging,offlineprocessingordelayinA5.1decipheringduringsystemoperation.Easyusewithoutoperatorinterventionisastrongbenefitsthissystem.

HIGHLIGHTS

o AllGSMbandsintheinterceptionrangecanbeevaluated.o Alleighttime-slotsinallreceivablechannelsareintercepted.o FrequencyhoppingintheGSMbandtakesplacewithoutlossofdata.o Handoversinthereceiverangeareinterceptedandevaluated.o Thereceivingstationhas548duplex-channelsintotal.Eachchannelisdividedinto8x

slots(fullrate)or16xslots(halfrate).Maximumcapacityofonereceiverstationis548x8communicationsincaseoffullrateor548x16communicationsinhalfrate.

o DataevaluationdoesnotrequireanyknowledgeofIMSI,IMEI,TMSIorphonenumber(MSISDN).

o ThesystemdoesnotrequireanyKiinformation.o Allthedatathatisinterceptedisstoredontheserver.o Thesystemismodular.Thesystemcomponentscanbeusedatdifferentlocations.This

requiresjustaTCP/IPlink.

1. PASSIVEGSMINTERCEPTIONSYSTEMThesystemhasbeendevelopedtointerceptdatafrom548duplexGSMchannelsthatmeans

of 1096 simplex channels in total. The system satisfies the highest of requirements by

analyzingandrepresentingallreceivabledata.Itcanmonitorall548channelsandallitstime-

slotssimultaneouslyandmoreoverkeeptrackofallfrequencyandtime-slotchangeswithin

548channels.Thewide-bandapproachmakesitpossibletoevaluatetheentireusefuldata

trafficontheairinterfacewithoutlosinganyinformation.

TheGSM-Interception-Systemconsistsofthefollowingparts:

o DirectionalandOmni-directionalantennasset

o Passivereceiverstation

o Laptop/working-stationandstorageunit

o Decryptionunit.Itisthird-partyproductwith2upto80real-lifesessionkey

recoveriespersecond

Thesystemisabletoreceive,decode,storeandshowVoiceandSMSfromaGSM-network.

It is possible to intercept A5.0, A5.2 andA5.1-communication. The system can intercept

uplinkanddownlink-channels.Iftheuplink-channelisnotavailable(duetophysicalreasons),

thesimplex-communicationisrecorded(onlydownlinkchannel).

Theconfigurationofthesystemmainlydependsontheuserrequirementsaswellasonthe

networkinfrastructurethatexistsinthemonitoringarea.

ThereceiverstationreceivesthebandstobemonitoredandchecksthemforGSMburstsby

meansoffastGSMdecoding.Thechannelinformationreceivedistransmittedtotheserver

whereitisprocessed.

The receiver stationnowmakes the receiveddataavailable to theuser and initiates the

calculationofthenecessaryKc.Aseparatecalculatingunit,theDecryptionUnit,isrequired

forKccalculating.

TheserverstoresallthedatawhiletheKcisbeingcalculated.Thiscapabilitymakessurethat

nodataislostandthatalwaystheentirecallcontentisavailable.

1.1 PASSIVERECEIVINGSTATION

ThepassivereceivingstationconsistsofaRF-front-endtoreceiveGSMupanddownlinkin

900/1800MHz-rangeincludingEGSM(or850/1900MHz-range).Itishighsensitivityanda

widedynamicrangeoftheradioreceivingstation.Thereceivedsignalsaredemodulatedand

storedinaFIFO-buffer.Ifastartofacommunicationisdetected,thedataareforwardedto

the decryption unit to archive the Kc (session key for the actual communication). After

receivingtheKcfromthedecryptionunit,thereceivingstationperformsdecryptingofthe

intercepteddataandforwardsthisdatatothestoragesystem.

Thereceivingstationhas548duplex-channelsintotal.Eachchannelisdividedinto8xslots

(full rate) or 16 x slots (half rate).Maximum capacity of one receiver station is 548 x 8

communicationsincaseoffullrateor548x16communicationsinhalfrate.

Thereceivingunitdemodulatesalltime-slotsonthe548channels.Aslongasthedecryption

unitneedstocalculatetheKc,thereceivedataarestoredtemporaryinafirst-in-first-out-

buffer.ThecapacityoftheFIFO-memoryis100GB.

1.2 LAPTOP/WORKSTATIONANDSTORAGEUNITThisistheuser-interfacetocontrolthesystemandevaluatethedata.Theworkstationcan

handle different receiver-units to be combined to one encryption unit. All decrypted

informationwillbestoredinadatabase.

Recordingcapacities:

NumberofduplexGSMchannels

Datarate

Recordingcapacity

Recordingtime

548(100%trafficactivity)

30MByte/s

2TByte

20hours

DuetofrequencyreusingprincipleinGSMnetworkRealenvironmentaroundthesystemlocationcontainsapprox.

nomorethat200duplexchannels

200with100%NetworkUtilization

11MByte/s

2TByte

52hours

200with30%NetworkUtilization

3.3MByte/s

2TByte

176hours

TherecordeddatacanbeexportedtoaremoteMonitoringCenterThis capacity calculation is based on the assumption that the standard hard disks. This

operating mode provides higher reliability. Should the memory space nevertheless be

insufficient,itispossibletoequipthesystemwithadditionalharddisks.

Theseflexiblememorymanagementoptionsallowthesystemtobeadaptedtospecificuser

requirements.

2. MULTIPLESTATIONNETWORKING

Thefullflexibilityofthesystemcanbeutilizedifsystemsarecoupled.Itisalsofeasibleto

operatemultiple systems at different locations. The information that has been collected

doesnothavetobeevaluatedatthelocationwhereithasbeenrecorded.

Theindividualreceivingstationsandtheservercommunicatebymeansofwireline.Awide

areanetwork(WAN)canbeimplementedbyapplyingdifferenttechnologies.

Arealisticscenariowouldbethepositioningofthereceivingsystemsalongaborder.Inthis

case, thedata canbe evaluatednot only at theplaceof recordingbut also at a remote

location.AnoptionaldecryptingunitfordecryptingtheKcatacentrallocationcanalsobe

provided.

Appropriate wire line technologies for connecting the subsystems are DSL and LAN.

AppropriatewirelesstechnologiesforconnectingthesubsystemsareUMTS,HSPAorWLAN.

3. SPECIFICATIONS

3.1 TECHNICALCHARACTERISTICS

Parameter Description

GSM900/1800Version

GSM900channels 0…124,975…1023880…915MHz(uplink)925…960MHz(downlink)

GSM1800channels 512…8851710…1785MHz(uplink)1805…1880MHz(downlink)

NumberofRFchannelsforeachRX(duplex) 548(1096simplexintotal)

NumberoftrafficchannelsforeachRX(duplex) 4384(FR)/8768(HR)

GSM850/1900Version

GSM850channels 128…251824…849MHz(uplink)869…894MHz(downlink)

GSM1900channels 512…8101850…1910MHz(uplink)1930…1990MHz(downlink)

NumberofRFchannelsforeachRX(duplex) 423(846simplexintotal)

NumberoftrafficchannelsforeachRX(duplex) 3384(FR)/6768(HR)

Bothversions

SpecificationofFIFOforeachRX 100GB

Callperminute upto600

Scalabilitywithadd.RXunits Secure

Housing 19"housing

DimensionsforPassiveReceiverStation 19",4U

3.2 FUNCTIONALCHARACTERISTICS

o Searching and identification of BTS control channels in full GSM900/1800 (orGSM850/1900)frequency;

o CollectinganddisplayingoftechnicalandstatisticalinformationaboutnetworkswithdetailedindicationofBTSparameters;

o Displayingofradiofrequencyenvironmentatthepointofsystemlocation;o Tasksassignmentforallthereceivingchannelsautomaticallyormanually;o Operationinscanningmode&datacollectionmodeinparallel;o Operational evaluation of received signal strength and quality at all the receiving

channels;o Savingandfastloadingofthesystemconfigurationparameters;o SupportofSDCCH/8andSDCCH/4signalingchannelsformats;o SessionkeycalculationforA5.1andA5.2encryptionalgorithms;o Severalreceivingstationscanusethesamedecryptionunitlocatedremotely.Itscan

beconnectedwiththeunitbywiredorwirelesscommunicationchannels.o SupportofHR,FR,EFR,AMR-FR,AMR-HRspeechcodecs;o SupportofHoppingmode;o ProcessingoftrafficchannelsHandoverbetweenBTSs;o Registrationandstorageallinterceptedinformationindatabase;o Registrationand storage SMSmessages indatabase (it is supportedall languages

usedinWindowsoperationsystem);o VoicesessionstorageinWAVformat;o PlaybackofVoicesessionsinrealtime;o DisplayingofdialedduringthecallDTMFsymbols;o IMSI/TMSIidentifyingbyknownMSISDNnumber(silentcallorhushSMS);o SelectionoftargetsusingIMSI,IMEI,IMEISV,TMSIandMSISDNidentifiers;o Supportofreceivingchannelsandtargetspriorities;o Userauthorizationaccesstothesystem;o ThesystemsoftwareisworkingonWindows7/10x64;o GeographicpositioningoftheinterestingcallontheGooglemap.ItusesopenGoogle

service with Cell information and gives only supposed location of the BTS. Ifinformation about selected call (with appropriate cell ID) is absent in theGoogledatabasethennocelliconappearsonthemap.Internetconnectionisrequiredforthis.

4. SYSTEMDELIVERYLIST

NN Description Q-ty Notes

1 PassiveGSMInterceptionSystemcomprising: 1

1.1

PassiveReceiver,19"4U430x176x546mm

v.1)Input:IN1880-915MHz,1710-1785MHz,IN2

925-960MHz,1805-1880MHz.

v.2)Input:IN1824-849MHz,1850-1910MHz,

IN2869-894MHz,1930-1990MHz.

Output:TwoGigabitLAN10/100/1000Мbit/s

Power:100-240Vac,50-60Hz,800W

Storagecapacity:(2)SSD:120GB(system)+2TB(data)

SW:SpecializedSWwithLicenseUSBDongle

1

1.2 GSM-modemwithmagneticantennaandinterfacecable 1

1.3 CargocasefortheReceiver,702x397x686mm 1

2 Accessoriescomprising:

2.1 Accessoriescase,619x492x223mm 1

2.2

Workstation,HPProBook450G2NotebookPCwithPowersupply

andpowercable

OS:Windows7/10Professional64(English)

CPU:Intel®Core™i5-4210U

LED:15.6"(1366x768)RAM:8

GBDDR3

SSD:128GB

SW:SpecializedSWwithLicense

1

2.3

KVMConsoletoUSB2.0PortableAdapterNOTECONS01with

LoganDVIPlug-VGASocket

1

2.4 11dBiOmniAntenna+RG174U5m 2

2.5 HeadphonesSennheiserHD205II 1

2.6 Cat5EUTPNetworkCable(5m) 2

2.7 Europeanstandardpowersupplyplugcable1.8m 1

3 A5.1DecipheringUnit 1 Optional

5. SYSTEMCOMPONENTS

(1pcs.)CargocasefortheReceiver,702x397x686mm,16kg

(1pcs.)Accessoriescase,619x492x223mm,10kg

(1pcs.)Receiver,19"4U430x176x546mm,25kg

(1pcs.)GSM-modemwithmagneticantennaandinterfacecable

Accessorycase

(1pcs.)Laptop(2pcs.)11dBiOmniAntennas(1pcs.)Powersupply+powercable(1pcs.)Headphones(1pcs.)KVMConsoletoUSB2.0PortableAdapter+DVI-VGAadapter(2pcs.)Ethernetcable

(1pcs.)Powercable

6. SCREENSHOTS