OPERATION
Technical Proposal
Confidential Information
1. Native Interception and Injection – Solution Architecture
The Native Interception Solution is coupled with the Injection and Data Extraction Solution, having the following
high-level architecture:
[Figure: high-level architecture diagram. Labels: 3G / 4G RAN, Tactical Unit 2, Android, FW – VPN Concentrator, Mobile Gateway - FW, Internet]
The solution is composed of:
- The Tactical Vehicle Deployment which contains:
o The Radio Units RF Front-End (System Exciter, 100W Power Amplifier, antennas)
o The RF Front-End (antennas installation + cables)
o The Polus embedded Core (RAN, GGSN/PGW)
o Polus Application Server
o Database storing Target intercepted data (encrypted)
o The Android & iOS Injection and Data Extraction
o The Mobile Gateway
- The Polus Core Hub
o SS7/Diameter (signaling) Gateway
o Voice/SMS Gateway
2. System Hardware Specifications
Hardware Specification
POWER SUPPLY INPUT: 20-32 VDC input - converters shall be used depending on car
2.2 Antenna Specifications
2.3 Backhaul Connectivity
3. Operational Flow – Technical Description
Before the actual deployment, it would be preferable to create target identities, assuming that target information
is known from other intelligence data (e.g. IMSI, MSISDN, etc).
If target information is not yet known, the target identities can also be created during the mission from the captured
UEs during transmission.
Note:
- Native targets are created by default with the Hold option selected. This will trigger the system to hold
the UEs captive and intercept any outbound/inbound data/calls/SMSes from the UE.
- Payload Injection setting will automatically start the payload injection process once the Native target is
captured and it has an ongoing active data session.
3.2 Network Analysis
When the tactical unit reaches the area of interest (AOI), the first step required is to perform a full 3G and 4G
network scan and to analyze the surrounding RF environment.
The Network Analysis provides crucial data about the commercial cell towers in the vicinity, allowing the system to
calculate the correct transmission broadcast parameters (e.g. PLMN, U/EARFCN, PSC/PCI, LAC/TAC, etc).
The Network Analysis will also save the GPS location of the Tactical unit where the scan was performed. This will
allow the same results to be re-used in future missions in the same area.
Optionally, the user can visualize the commercial cell tower location on the map (in the Live View panel), using ’s
internal DB of cell tower location.
Fig. 04 – Cell Towers location on map
First the user needs to configure the Native transmission, preferably on a clear channel or on a frequency which
has less interference from the commercial operators’ transmissions.
The Native transmission will hold the targets captive, provide cellular services (Data / Calls / SMSes) and also
allow the system to intercept and manipulate incoming and outgoing Data / Calls / SMSes.
Secondly, the user needs to set up and start the Standalone transmissions, which will capture the UEs from the
real operator. The Native targets' UEs will be redirected to the Native transmission, while the non-targets will be
rejected back to the commercial operator.
Having previously performed the Network Analysis successfully, the system will provide two types of automatic
parameters for the Standalone transmissions:
- Individual U/EARFCN manual transmission (i.e. the user manually selects which U/EARFCNs to use
for transmission). The system will automatically provide the calculated parameters needed for this channel
transmission.
- Full operator transmission: the user can select to start all transmissions needed to cover one specific
operator, by clicking on the Transmit all button next to the operator name. The system will automatically
start all the 3G and 4G transmissions needed to fully cover the operator (subject to the DSP
resources available in the system).
When the Native target UEs are captured on the standalone transmissions, they are automatically redirected to the
Native transmission where they will be held indefinitely. While captured, the Native targets will be allowed cellular
services (inbound/outbound calls, SMSes and data traffic).
The system will provide the user with Target events notifications as follows:
- Target has been captured / lost
- Incoming / outgoing call
- Incoming / outgoing SMS (with option to manipulate content or destination MSISDN)
- Data traffic session (with option to disconnect, download raw PCAP file)
- Payload injection
3.6 Data Traffic Sessions
When the Native target is captured and starts a data session, will show this as a Target Event.
Incoming and outgoing traffic passes through the system, which acts as a Man-in-the-Middle, allowing
the data session to be captured and manipulated:
- The user can export the captured data as a raw PCAP file for 3rd party analysis tools.
- The user can trigger a disconnect and block the internet traffic for the Native target.
Note:
• The hardware system can support up to 16x UEs captured on the Native DSP and in active internet
connections
• Bandwidth allowance per radio:
o 3G: up to 8 Mbps (DL), up to 4 Mbps (UL)
o 4G: up to 20 Mbps (DL), up to 10 Mbps (UL)
The actual speed may be different since it can be affected by the RF conditions (signal quality, obstacles, interference,
etc). Also, the total speed is limited by the Backhaul datalink conditions.
3.7 Payload Injection
While the data session is ongoing, the user can choose to manually trigger the Payload Injection process, which
installs the data extraction agent on the target's smartphone. The payload is non-persistent: as long as
the target is connected, the payload exists and communicates; once the phone is disconnected or has left the area, the
payload will be deleted, ensuring covertness of the operation.
When the agent has been successfully installed, the user will receive a new notification. From then on, the user can
choose to put the transmissions on stand-by and continue with the Data extraction management console in order to extract
files, messages, etc. which are stored on the target phone.
Note: When the Native target is defined with the Inject Payload flag enabled, the system will automatically start
the payload injection process once the target is captured and it has an active ongoing data session.