Post on 08-Apr-2020
WidebandFullyPassiveGSMInterceptionSystem
o Aconvenientsolutionthatenablesextensiveandloss-freegatheringofinformation.o EGSM-900/GSM-1800orGSM-850/GSM-1900.o 600simultaneouscallsusing1096frequenciesreceivingsystem.o Thesystemcontinuouslyanalysesall548downlinkchannelsandprovides
identificationofBTScontrolchannels.o AnyfakeBTScanbedetectedandshowntothesystemoperator.o Thesystemisabletoreceive,decode,storeandshowVoiceandSMSfromaGSM-
network.o Distanceofinterception.o 2Gduplexinterceptionisupto400meterslineofsightandsimplexinterceptionupto
2km.o Distanceofinterception.o Usingoptionalactivesubsystemallowingmonitoringof4G/3Gtargetphonesin2G.100
meterso ThesystemcanalsobeusedasPassiveIMSIcatcherandprovidenotificationaboutany
newIMSIeventinsideoftheinterceptionarea.WhiteandblacklistoftargetsIMSIscanbeusedforfilteringofgroupofsubscribers.
TechnicalInformationWidebandFullyPassiveGSMInterceptionSystem
TABLEOFCONTENTS
Introduction1. PassiveGSMInterceptionSystem1.1 Passivereceivingstation1.2 Laptop/Workingstationandstorageunit2. NetworkingofMultipleStations3. Specifications3.1 Technicalcharacteristics3.2 Functionalcharacteristics4. Systemdeliverylist5. Systemcomponents6. Screenshots
INTRODUCTIONTheGlobalSystemforMobileCommunications(GSM) iswidelyusedmobileradionetwork.TheGSMstandarddefinesadigitalnetworkforvoicecommunications,forcircuit-switchedandpacket-switcheddataservicesaswellasforshortmessageservices(SMS).ThedocumentdescribesWidebandFullyPassiveGSMInterceptionSystem.ThesystemisabletoshowtheentirereceivableGSMmobileradiotrafficfromEGSM-900,GSM-1800,GSM-850,andGSM-1900andtodisclosecallcontents.Itisaconvenientsolutionthatenablesextensiveandloss-freegatheringofinformation.Thesystemprovidesinterceptionofupto600simultaneouscallswithoutlossofdatausing1096frequenciesreceivingsystemapproachwhenall548GSMduplex-channelsareanalyzed.ItcontinuouslyanalysesGSMnetworksparametersandcontrolsallchannelsofradio-availableBTSsinparallelwithcallsinterception.Thewide-bandsystemarchitectureguarantiesthatallBTSswiththeirhoppingmodeandhandoverprocedurewillbeprocessedinanycases.Anyothersystemarchitecturecannotguarantysuccessfulinterceptionofallradio-availableBTSsandsubscribersincaseofGSMnetworkparameterschanging,offlineprocessingordelayinA5.1decipheringduringsystemoperation.Easyusewithoutoperatorinterventionisastrongbenefitsthissystem.
HIGHLIGHTS
o AllGSMbandsintheinterceptionrangecanbeevaluated.o Alleighttime-slotsinallreceivablechannelsareintercepted.o FrequencyhoppingintheGSMbandtakesplacewithoutlossofdata.o Handoversinthereceiverangeareinterceptedandevaluated.o Thereceivingstationhas548duplex-channelsintotal.Eachchannelisdividedinto8x
slots(fullrate)or16xslots(halfrate).Maximumcapacityofonereceiverstationis548x8communicationsincaseoffullrateor548x16communicationsinhalfrate.
o DataevaluationdoesnotrequireanyknowledgeofIMSI,IMEI,TMSIorphonenumber(MSISDN).
o ThesystemdoesnotrequireanyKiinformation.o Allthedatathatisinterceptedisstoredontheserver.o Thesystemismodular.Thesystemcomponentscanbeusedatdifferentlocations.This
requiresjustaTCP/IPlink.
1. PASSIVEGSMINTERCEPTIONSYSTEMThesystemhasbeendevelopedtointerceptdatafrom548duplexGSMchannelsthatmeans
of 1096 simplex channels in total. The system satisfies the highest of requirements by
analyzingandrepresentingallreceivabledata.Itcanmonitorall548channelsandallitstime-
slotssimultaneouslyandmoreoverkeeptrackofallfrequencyandtime-slotchangeswithin
548channels.Thewide-bandapproachmakesitpossibletoevaluatetheentireusefuldata
trafficontheairinterfacewithoutlosinganyinformation.
TheGSM-Interception-Systemconsistsofthefollowingparts:
o DirectionalandOmni-directionalantennasset
o Passivereceiverstation
o Laptop/working-stationandstorageunit
o Decryptionunit.Itisthird-partyproductwith2upto80real-lifesessionkey
recoveriespersecond
Thesystemisabletoreceive,decode,storeandshowVoiceandSMSfromaGSM-network.
It is possible to intercept A5.0, A5.2 andA5.1-communication. The system can intercept
uplinkanddownlink-channels.Iftheuplink-channelisnotavailable(duetophysicalreasons),
thesimplex-communicationisrecorded(onlydownlinkchannel).
Theconfigurationofthesystemmainlydependsontheuserrequirementsaswellasonthe
networkinfrastructurethatexistsinthemonitoringarea.
ThereceiverstationreceivesthebandstobemonitoredandchecksthemforGSMburstsby
meansoffastGSMdecoding.Thechannelinformationreceivedistransmittedtotheserver
whereitisprocessed.
The receiver stationnowmakes the receiveddataavailable to theuser and initiates the
calculationofthenecessaryKc.Aseparatecalculatingunit,theDecryptionUnit,isrequired
forKccalculating.
TheserverstoresallthedatawhiletheKcisbeingcalculated.Thiscapabilitymakessurethat
nodataislostandthatalwaystheentirecallcontentisavailable.
1.1 PASSIVERECEIVINGSTATION
ThepassivereceivingstationconsistsofaRF-front-endtoreceiveGSMupanddownlinkin
900/1800MHz-rangeincludingEGSM(or850/1900MHz-range).Itishighsensitivityanda
widedynamicrangeoftheradioreceivingstation.Thereceivedsignalsaredemodulatedand
storedinaFIFO-buffer.Ifastartofacommunicationisdetected,thedataareforwardedto
the decryption unit to archive the Kc (session key for the actual communication). After
receivingtheKcfromthedecryptionunit,thereceivingstationperformsdecryptingofthe
intercepteddataandforwardsthisdatatothestoragesystem.
Thereceivingstationhas548duplex-channelsintotal.Eachchannelisdividedinto8xslots
(full rate) or 16 x slots (half rate).Maximum capacity of one receiver station is 548 x 8
communicationsincaseoffullrateor548x16communicationsinhalfrate.
Thereceivingunitdemodulatesalltime-slotsonthe548channels.Aslongasthedecryption
unitneedstocalculatetheKc,thereceivedataarestoredtemporaryinafirst-in-first-out-
buffer.ThecapacityoftheFIFO-memoryis100GB.
1.2 LAPTOP/WORKSTATIONANDSTORAGEUNITThisistheuser-interfacetocontrolthesystemandevaluatethedata.Theworkstationcan
handle different receiver-units to be combined to one encryption unit. All decrypted
informationwillbestoredinadatabase.
Recordingcapacities:
NumberofduplexGSMchannels
Datarate
Recordingcapacity
Recordingtime
548(100%trafficactivity)
30MByte/s
2TByte
20hours
DuetofrequencyreusingprincipleinGSMnetworkRealenvironmentaroundthesystemlocationcontainsapprox.
nomorethat200duplexchannels
200with100%NetworkUtilization
11MByte/s
2TByte
52hours
200with30%NetworkUtilization
3.3MByte/s
2TByte
176hours
TherecordeddatacanbeexportedtoaremoteMonitoringCenterThis capacity calculation is based on the assumption that the standard hard disks. This
operating mode provides higher reliability. Should the memory space nevertheless be
insufficient,itispossibletoequipthesystemwithadditionalharddisks.
Theseflexiblememorymanagementoptionsallowthesystemtobeadaptedtospecificuser
requirements.
2. MULTIPLESTATIONNETWORKING
Thefullflexibilityofthesystemcanbeutilizedifsystemsarecoupled.Itisalsofeasibleto
operatemultiple systems at different locations. The information that has been collected
doesnothavetobeevaluatedatthelocationwhereithasbeenrecorded.
Theindividualreceivingstationsandtheservercommunicatebymeansofwireline.Awide
areanetwork(WAN)canbeimplementedbyapplyingdifferenttechnologies.
Arealisticscenariowouldbethepositioningofthereceivingsystemsalongaborder.Inthis
case, thedata canbe evaluatednot only at theplaceof recordingbut also at a remote
location.AnoptionaldecryptingunitfordecryptingtheKcatacentrallocationcanalsobe
provided.
Appropriate wire line technologies for connecting the subsystems are DSL and LAN.
AppropriatewirelesstechnologiesforconnectingthesubsystemsareUMTS,HSPAorWLAN.
3. SPECIFICATIONS
3.1 TECHNICALCHARACTERISTICS
Parameter Description
GSM900/1800Version
GSM900channels 0…124,975…1023880…915MHz(uplink)925…960MHz(downlink)
GSM1800channels 512…8851710…1785MHz(uplink)1805…1880MHz(downlink)
NumberofRFchannelsforeachRX(duplex) 548(1096simplexintotal)
NumberoftrafficchannelsforeachRX(duplex) 4384(FR)/8768(HR)
GSM850/1900Version
GSM850channels 128…251824…849MHz(uplink)869…894MHz(downlink)
GSM1900channels 512…8101850…1910MHz(uplink)1930…1990MHz(downlink)
NumberofRFchannelsforeachRX(duplex) 423(846simplexintotal)
NumberoftrafficchannelsforeachRX(duplex) 3384(FR)/6768(HR)
Bothversions
SpecificationofFIFOforeachRX 100GB
Callperminute upto600
Scalabilitywithadd.RXunits Secure
Housing 19"housing
DimensionsforPassiveReceiverStation 19",4U
3.2 FUNCTIONALCHARACTERISTICS
o Searching and identification of BTS control channels in full GSM900/1800 (orGSM850/1900)frequency;
o CollectinganddisplayingoftechnicalandstatisticalinformationaboutnetworkswithdetailedindicationofBTSparameters;
o Displayingofradiofrequencyenvironmentatthepointofsystemlocation;o Tasksassignmentforallthereceivingchannelsautomaticallyormanually;o Operationinscanningmode&datacollectionmodeinparallel;o Operational evaluation of received signal strength and quality at all the receiving
channels;o Savingandfastloadingofthesystemconfigurationparameters;o SupportofSDCCH/8andSDCCH/4signalingchannelsformats;o SessionkeycalculationforA5.1andA5.2encryptionalgorithms;o Severalreceivingstationscanusethesamedecryptionunitlocatedremotely.Itscan
beconnectedwiththeunitbywiredorwirelesscommunicationchannels.o SupportofHR,FR,EFR,AMR-FR,AMR-HRspeechcodecs;o SupportofHoppingmode;o ProcessingoftrafficchannelsHandoverbetweenBTSs;o Registrationandstorageallinterceptedinformationindatabase;o Registrationand storage SMSmessages indatabase (it is supportedall languages
usedinWindowsoperationsystem);o VoicesessionstorageinWAVformat;o PlaybackofVoicesessionsinrealtime;o DisplayingofdialedduringthecallDTMFsymbols;o IMSI/TMSIidentifyingbyknownMSISDNnumber(silentcallorhushSMS);o SelectionoftargetsusingIMSI,IMEI,IMEISV,TMSIandMSISDNidentifiers;o Supportofreceivingchannelsandtargetspriorities;o Userauthorizationaccesstothesystem;o ThesystemsoftwareisworkingonWindows7/10x64;o GeographicpositioningoftheinterestingcallontheGooglemap.ItusesopenGoogle
service with Cell information and gives only supposed location of the BTS. Ifinformation about selected call (with appropriate cell ID) is absent in theGoogledatabasethennocelliconappearsonthemap.Internetconnectionisrequiredforthis.
4. SYSTEMDELIVERYLIST
NN Description Q-ty Notes
1 PassiveGSMInterceptionSystemcomprising: 1
1.1
PassiveReceiver,19"4U430x176x546mm
v.1)Input:IN1880-915MHz,1710-1785MHz,IN2
925-960MHz,1805-1880MHz.
v.2)Input:IN1824-849MHz,1850-1910MHz,
IN2869-894MHz,1930-1990MHz.
Output:TwoGigabitLAN10/100/1000Мbit/s
Power:100-240Vac,50-60Hz,800W
Storagecapacity:(2)SSD:120GB(system)+2TB(data)
SW:SpecializedSWwithLicenseUSBDongle
1
1.2 GSM-modemwithmagneticantennaandinterfacecable 1
1.3 CargocasefortheReceiver,702x397x686mm 1
2 Accessoriescomprising:
2.1 Accessoriescase,619x492x223mm 1
2.2
Workstation,HPProBook450G2NotebookPCwithPowersupply
andpowercable
OS:Windows7/10Professional64(English)
CPU:Intel®Core™i5-4210U
LED:15.6"(1366x768)RAM:8
GBDDR3
SSD:128GB
SW:SpecializedSWwithLicense
1
2.3
KVMConsoletoUSB2.0PortableAdapterNOTECONS01with
LoganDVIPlug-VGASocket
1
2.4 11dBiOmniAntenna+RG174U5m 2
2.5 HeadphonesSennheiserHD205II 1
2.6 Cat5EUTPNetworkCable(5m) 2
2.7 Europeanstandardpowersupplyplugcable1.8m 1
3 A5.1DecipheringUnit 1 Optional
5. SYSTEMCOMPONENTS
(1pcs.)CargocasefortheReceiver,702x397x686mm,16kg
(1pcs.)Accessoriescase,619x492x223mm,10kg
(1pcs.)Receiver,19"4U430x176x546mm,25kg
(1pcs.)GSM-modemwithmagneticantennaandinterfacecable
Accessorycase
(1pcs.)Laptop(2pcs.)11dBiOmniAntennas(1pcs.)Powersupply+powercable(1pcs.)Headphones(1pcs.)KVMConsoletoUSB2.0PortableAdapter+DVI-VGAadapter(2pcs.)Ethernetcable
(1pcs.)Powercable
6. SCREENSHOTS