IMSI Catcher Back Pack
The operational threat
Cellular devices are used for various nefarious activities including terrorism, criminal activity, search and rescue operations and much more. For more than 10 years, cellular devices have been at the core of these negative activities, allowing criminals and terrorists to better execute their plans. The threat emanating from cellular devices is constantly growing, as these devices have entered almost every aspect of our lives.
Key operational benefits to the customer
Phantom's Technologies active cellular system, also known as the IMSI Catcher 500, provides the operators with the capability to extract cellular identities in a designated area of interest.
The system provides three main operational advantages:
- Independence from cellular service providers – the operator does not need to connect to the cellular providers' systems.
- Covert operations – the system can be deployed in a discreet manner, giving the operating forces much-needed covertness.
- The system is portable and can be carried in a suitcase.
- All SW and HW are manufactured by the company.
The system's main purpose is to provide a low-cost, highly effective active cellular system that enables operators to control cellular communications.
Solution description
The IMSI500 is our IMSI catcher monitoring system, designed to detect the IMSIs and IMEIs present and active in the designated area for both 2G and 3G phones (and future 4G). This capability enables the device's operators to identify possible threats. The IMSI 500 was specifically designed for maximum capacity flexibility: the number of BTSs can vary from 1 to 6 in a single drawer (several drawers can be supplied), and each BTS is a Software Defined Radio (SDR) BTS within the technology in which it operates. This means that once a technology has been chosen, GSM or UMTS, the BTS operates as an SDR within that technology.
IMSI back pack: the system includes 4 BTSs, 2x2G BTSs and 2x2UMTS BTSs. In the back pack, the BTSs include a 25W power amplifier that is embedded inside the BTS.
Main capabilities
- Extraction of IMSI, IMEI and TMSI in 2G, 3G and future 4G
- Target selection and automatic alert
- 4000 phone calls capacity
- Highly configurable BTS drawers
- Backup power – 3 hours
- Internal antennas for 2G and 3G
- Supports decryption of: A5/1, A5/2 and A5/0
- The system can work simultaneously in 2G (2 BTSs) and 3G (2 BTSs)
- Shows consumption, running time and phones captured
- SW – configurable, scalable and adaptable, as the customer will receive a user manual
- Scalability – features, technologies, BTSs and more can easily be added to the system.
System components
- The BTS in a back pack: the BTS drawer is uniquely designed to fit multiple form factors, and its dimensions are 1/2 19" 1U for a single BTS drawer. What makes this BTS exceptional is that the 25W power amplifier is already embedded in the same BTS, saving precious space. The 2G/3G BTS is full SDR multi-RAT.
- Batteries: there is a 1U drawer of highly durable batteries that supplies up to 5 hours of continuous operation. These batteries are swappable, and another set of batteries will supply an additional 5 hours of operational time.
- Antennas: usually directional antennas adjusted according to the needs of the customer.
How does it work
First, the system uses its network scanner to scan the entire cellular spectrum, report the frequencies of the different cellular networks and recommend settings for the system. The system can automatically upload existing pre-scans for previous activities. When the scan is done, the system provides a map with BTS locations, their signal strength and neighbor lists. The network scanner shows the following:
- All GSM/UMTS networks in a single scan
- Channel number
- Signal strength
- BA
- LAC – Location Area Code
- Cell identity
- Store and log all gathered information
Priority module: the system's basic need is to be perceived as the strongest BTS in the environment. Therefore, it chooses the BTS with the weakest signal strength, emulates that BTS, and then uses the priority module to enhance the signal strength, making the fake BTS the strongest BTS; this forces the cellular subscribers to register to the false tower. This registration happens because of the protocols of cellular devices, which cause them to continuously look for a tower with superior reception.
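A defender-side check for the pattern the priority module produces, as an added example that is not part of the original brochure or the vendor's software: it compares a baseline cell survey with a later scan and flags a cell identity that was weak before and is now the strongest. The survey data, the 20 dB threshold and all names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two surveys of the same spot, keyed by
# (channel number, LAC, cell identity), signal strength in dBm.
BASELINE = {
    (62, 1201, 4411): -61,
    (75, 1201, 4412): -73,
    (88, 1201, 4413): -97,  # weakest cell in the baseline survey
}
CURRENT = {
    (62, 1201, 4411): -62,
    (75, 1201, 4412): -74,
    (88, 1201, 4413): -48,  # same identity, now stronger than every other cell
}

JUMP_DB = 20  # assumed threshold; tune to local fading and survey noise


@dataclass
class Finding:
    cell: tuple
    baseline_dbm: Optional[int]
    current_dbm: int
    reason: str


def suspicious_cells(baseline, current, jump_db=JUMP_DB):
    """Flag cells that were weak in the baseline and dominate the current scan."""
    findings = []
    if not current:
        return findings
    strongest = max(current, key=current.get)
    weakest_before = min(baseline, key=baseline.get) if baseline else None
    for cell, now in current.items():
        before = baseline.get(cell)
        if before is None:
            # Identity never surveyed here: nothing to compare against.
            findings.append(Finding(cell, None, now, "unknown cell identity"))
            continue
        jump = now - before
        if jump >= jump_db and cell == strongest:
            reason = f"+{jump} dB and now strongest"
            if cell == weakest_before:
                reason += " (was weakest in baseline)"
            findings.append(Finding(cell, before, now, reason))
    return findings
```

A single flagged cell is a lead for further checks, not proof: operators also raise power or re-tune cells, so the finding should be correlated with other observations before acting on it.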
As the cellular subscribers register to the active cellular system, they surrender their IMSI, IMEI, TMSI and other data (such as MCC, MNC and BCCH data) to it. These identities are registered automatically in the system and afterwards stored. The operator can mark specific IMSIs or IMEIs as targets, thus creating a 'black list'. These targets are continuously monitored by the system and trigger an automatic alert (color coded) when they are registered in the system (transmission power of target can be changed by the system). The following is the captured information collected per subscriber (manually or automatically):
- IMSI/IMEI/TMSI – system will alert when there was a change in IMSI/IMEI by same user. This data could be exported to a report.
- Date and time of interrogation
- Mobile network
- Mobile phone manufacturer – only sometimes, since there are thousands of phone versions and sometimes (especially in prisons) people build their own make and model.
- Time advance – in GSM/UMTS
- GPS – only if the GPS is turned on
- Target acquisition – if a target preexists in the DB, it will resurface when the system captures him in a new operation.
The system shows the operator at all times when the target phone is captured by the system and when it is lost. Switching between interrogation targets is done without stopping transmission.
Silent call
The purpose of conducting a silent call is mainly to allow the operators of the IMSI monitoring system to conduct an operation with the DF that allows them to pinpoint the location of the target and capture him/her. The silent call can be held in 2G and 3G, while the target phones continue to receive phone calls/SMSs and make outgoing phone calls/SMSs as well. The silent call causes the target IMSI to be held by the IMSI monitoring system by continuously sending a signal to the real cellular network (on behalf of the target IMSI), requesting that the target IMSI continuously send its location through the BCCH channel to the cellular network. This enables the system operator to send the ARFCN of the target IMSI to the DF operator. The DF operator, holding the device in his hand, receives the exact ARFCN of the target and, by acquiring this frequency, is able to receive a continuous signal of the target IMSI measured by the DF. The closer the DF is to the target, the higher the percentage the DF will show.
The silent call can work on every channel not used by the GSM network. The operator can define the transmission channel, time slot, training sequence and transmission over SDCCH or Traffic Channel (TCH); the system provides a graphic display of the DL and UL transmission signal level, and TA measurement.
Target's location
The target IMSI location can be seen through a 'heat map' presented in the GUI of the system. The heat map is an estimated location based on the TA (timing advance) of the target's IMSI signal from the real cellular BTS. In GSM the TA is measured in segments of 554 meters, and therefore the target's estimated location can vary significantly. In UMTS, the TA of the signal is approximately 50 – 100 meters, and therefore the target's estimated location is more accurate than in GSM. The system can change interrogation modes on the fly without the need to stop the transmission.
System operational modes
The IMSI monitoring system has several modes of operations:
- Accept mode: The system is forcing all cellular devices to register to it and holds all GSM/UMTS subscribers in the system. In this case, all subscribers surrender their IMSI/IMEI to the system.
- Reject Mode: in this instance, the system is causing the subscribers to surrender their IMSI/IMEI to the system while returning all of them to the real cellular network.
- Selective accept mode: in this case, the operator creates a 'black list' of IMSIs/IMEIs that the system will continue to hold after all other cellular subscribers have been returned to the real cellular network. In this mode, the operator can choose a specific target or targets in the area of operations and track only them for as long as the system is working. In this mode, the system can create a specific no-service condition for targets while the reception bar is still visible to the phone subscriber.
- Selective Reject Mode: in this case, a list of IMSIs/IMEIs is selected by the system and rejected back to the real cellular network.
- Denial of Service: the system registers all phones to the system and sends an out-of-service command, so all subscribers trying to connect to the real cellular network are unable to do so, even if the system has finished its operation. Only a restart of the cellular device will return the cellular subscribers to the cellular service.
- Move to GSM: in this case, the system orders all UMTS subscribers to move to GSM only.
The GUI
The system GUI has the following features:
- Window based control application
- Easily add interrogated phones as targets in the GUI
- GUI can be controlled from a tablet or PC (Windows, Apple, Android, Linux)
- GUI easy to use by non-technical people
- All system operation (from scanning, monitoring to interception) is done from the GUI
Antennas
The antennas have the following features:
- Directional antennas with 11 dB gain
- Antennas will have a magnetic base
Power Supply
- The system will support 220 Volt 50 Hz AC, 12 volt DC or 24 volt DC
- All required power cords, adapters and inverters will be given with the device
- Power supply to the vehicle: an additional alternator will be added to the vehicle, allowing the system to use the vehicle's power. Spare batteries will be charged while the system is powered by the vehicle; these batteries allow a hot swap when the vehicle is not running, allowing continuous operation of the system.
Health Monitoring
The system will provide the following alarms that are part of the health monitoring of the system:
- Problem in SW
- Fault in power supply
- Fault in cabling
- Problem in HW
- Fault in GUI
Power Amplifiers
Each BTS has its own 25W SDR PA that supports either GSM or UMTS. This PA can be configured in the requested technology to any given frequency in the same technology (meaning that if you have GSM 900 and you would like to change it to 800, it is doable). Each PA will have its own duplexers to minimize the number of antennas.
Technical Specifications