NATIVE INTERCEPTION AND INJECTION

OPERATION

Technical Proposal

Confidential Information

1. Native Interception and Injection – Solution Architecture
The Native Interception Solution is coupled with the Injection and Data Extraction Solution, having the following
high-level architecture:

[Diagram labels: Polus CORE Hub (SS7/Diameter GW, Voice/SMS GW); Vehicular System with Polus CORE embedded (RAN, GGSN/P-GW), Radio Units 3G/4G, Tactical Unit 1, Tactical Unit 2; DB; AS; Android; iOS; Mobile Gateway - FW; FW – VPN Concentrator; VPN – AES 256; Internet]
Fig. 01 – Native Interception and Injection Architecture

The solution is composed of:
- The Tactical Vehicle Deployment, which contains:
  o The Radio Units RF Front-End (System Exciter, 100W Power Amplifier, antennas)
  o The RF Front-End (antennas installation + cables)
  o The Polus embedded Core (RAN, GGSN/PGW)
  o Polus Application Server
  o Database storing Target intercepted data (encrypted)
  o The Android & iOS Injection and Data Extraction
  o The Mobile Gateway
- The Polus Core Hub
  o SS7/Diameter (signaling) Gateway
  o Voice/SMS Gateway

Data security is guaranteed by:
- Firewall
- File System Encryption

Signaling, SMS and Voice security is guaranteed by:
- Firewall
- IPSec VPN AES 256 tunnels between the Tactical Vehicle Deployment and Polus Core Hub

2. System Hardware Specifications

2.1 Tactical Vehicle Unit

Fig. 02 – 100W Vehicle Unit

Hardware Specification

TRANSMITTERS / RECEIVERS: 8 cells same time

TECHNOLOGIES RAT: LTE-FDD, UMTS, GSM

POWER TRANSMITTER: 50dBm (100W) per band, typically 500 in LOS conditions

AVAILABLE FREQUENCIES BANDS:
• APAC region
• EMEA region
• CALA region
*or other bands at request

CONTROL UNIT: i7 CPU processor, SSD storage drive, Notebook/Desktop

BUILT-IN TEST / ALARM:
• Permanent auto-diagnosis for each frequency band
• VSWR test and amplifier auto protection
• Over temperature protection

CONNECTIVITY: LAN, GPS positioning, WAN connection

POWER SUPPLY INPUT:
• 220V AC power direct supply
• Car alternator / deep discharge battery array to 220V AC Inverters
• Continuous static operation with optional Diesel Generator fail safe.

POWER CONSUMPTION AT MAXIMUM RF POWER:
• Power consumption 1200 W
• Current consumption 80A @ 24VDC

MOUNTING: 9U – 19” rack drawers, ruggedized chassis, mount shock absorbers

POWER SUPPLY INPUT: 20-32 VDC input; converters shall be used depending on car

OPERATING TEMPERATURE: -0°C to +65°C, cooling forced by fans

STORAGE TEMPERATURE: -40°C to +85°C

HUMIDITY: 90% Max (Non Condensing)

2.2 Antenna Specifications

2.3 Backhaul Connectivity

- Sierra Wireless MG90 datalink modem
- Redundant Cellular Connection
- 2 Radio modules (4x SIM cards)
- Peak bandwidth:
  o Downlink: up to 300Mbps
  o Uplink: up to 50Mbps
- Supported bands:
  o 4G: LTE 1900(B2), AWS(B4), 850(B5), 700(B13), 700(B17), 1900(B25) 2100(B1), 1900(B2), 1800(B3), AWS(B4), 850(B5), 2600(B7), 900(B8), 700(B12), 700(B13), 800(B20), 1900(B25), 850(B26), 700(B29), TDD B41
  o 3G: 2100(B1), 1900(B2), 1800(B3), AWS(B4), 850(B5), 900(B8)

3. Operational Flow – Technical Description

3.1 Pre-deployment preparation

Before the actual deployment, it would be preferable to create target identities, assuming that target information
is known from other intelligence data (e.g. IMSI, MSISDN, etc).

Fig. 02 – Editing / creating a new Target

If target information is not yet known, the target identities can also be created during the mission from the captured
UEs during transmission.

Note:
- Native targets are created by default with the Hold option selected. This will trigger the system to hold
the UEs captive and intercept any outbound/inbound data/calls/SMSes from the UE.
- Payload Injection setting will automatically start the payload injection process once the Native target is
captured and it has an ongoing active data session.

3.2 Network Analysis

When the tactical unit reaches the area of interest (AOI), the first step required is to perform a full 3G and 4G
network scan and to analyze the surrounding RF environment.

The Network Analysis provides crucial data about the commercial cell towers in the vicinity, allowing the system to
calculate the correct transmission broadcast parameters (e.g. PLMN, U/EARFCN, PSC/PCI, LAC/TAC, etc).

Fig. 03 – Network Analysis results

The Network Analysis will also save the Tactical unit's GPS location where the scan was performed. This will
allow the same results to be re-used in future missions in the same area.

Optionally, the user can visualize the commercial cell tower location on the map (in the Live View panel), using ’s
internal DB of cell tower location.

Fig. 04 – Cell Towers location on map

3.3 Starting the Transmissions

First the user needs to configure the Native transmission, preferably on a clear channel or on a frequency which
has less interference from the commercial operators’ transmissions.

The Native transmission will hold the targets captive, provide cellular services (Data / Calls / SMSes) and also
allow the system to intercept and to manipulate incoming and outgoing Data / Calls / SMSes.

Secondly, the user needs to set up and start the Standalone transmissions, which will capture the UEs from the
real operator. The Native target UEs will be redirected to the Native transmission, while the non-targets will be
rejected back to the commercial operator.

Having previously performed the Network Analysis successfully, the system will provide two types of automatic
parameters for the Standalone transmissions:

- Individual U/EARFCN manual transmission (i.e. the user manually selects which U/EARFCNs are to be used
for transmission). The system will automatically provide the calculated parameters needed for this channel
transmission.
- Full operator transmission: the user can select to start all transmissions needed to cover one specific
operator, by clicking on the Transmit all button next to the operator name. The system will automatically
start all the 3G and 4G transmissions needed to fully cover the operator (subject to the DSP
resources available in the system).

3.4 Capturing the Native target

When the Native target UEs are captured on the standalone transmissions, they are automatically redirected to the
Native transmission where they will be held indefinitely. While captured, the Native targets will be allowed cellular
services (inbound/outbound calls, SMSes and data traffic).

Fig. 05 – Captured Native Targets

3.5 Target Events

The system will provide the user with Target events notifications as follows:
- Target has been captured / lost

- Incoming / outgoing call
- Incoming / outgoing SMS (with option to manipulate content or destination MSISDN)
- Data traffic session (with option to disconnect, download raw PCAP file)
- Payload injection

Note: the system will present 3 types of Target events:
• Active events: ongoing calls, data sessions, etc. The user has the option to manipulate them (for example, to
hang up the ongoing call).
• Past events: events which happened in the past and are already finished.
• Pending events: events which need user input (for example, for SMS manipulation, the SMS is pending
user editing before deciding to send or to block the SMS).

Fig. 06 – Target Event SMS pending manipulation

3.6 Data Traffic Sessions

When the Native target is captured and starts a data session, will show this as a Target Event.

Fig. 06 – Live Data Traffic Session Event

Incoming and outgoing traffic passes through the system, and the system acts as a Man-in-the-Middle, allowing
the data session to be captured and manipulated:
- The user can export the captured data as a raw PCAP file for 3rd party analysis tools.
- The user can disconnect and block the internet traffic for the Native target.

Note:
• The hardware system can support up to 16x UEs captured on the Native DSP and in active internet
connections
• Bandwidth allowance per radio:
  o 3G: up to 8 Mbps (DL), up to 4 Mbps (UL)
  o 4G: up to 20 Mbps (DL), up to 10 Mbps (UL)

The actual speed may be different since it can be affected by the RF conditions (signal quality, obstacles, interference,
etc). Also, the total speed is limited by the Backhaul datalink conditions.

3.7 Payload Injection

While the data session is ongoing, the user can choose to manually trigger the Payload Injection process, which
installs the data extraction agent on the target’s smartphone. The payload is non-persistent: it exists and
communicates only as long as the target is connected; once the phone is disconnected or leaves the area, the
payload is deleted, ensuring covertness of the operation.

When the agent has been successfully installed, the user will receive a new notification. From then on, the user can
choose to put the transmissions on stand-by and continue with the Data extraction management console in order to extract
files, messages, etc. which are stored on the target phone.

Note: When the Native target is defined with the Inject Payload flag enabled, the system will automatically start
the payload injection process once the target is captured and has an active ongoing data session.
