Professional/Private mobile radios (PMR) are two-way radio voice communication systems, including most recognizable handheld radios and widely deployed push-to-talk systems. As these systems can employ direct communication between users, rather than sending information via a central hub (as cellphone or internet messages do), they are still the system of choice for many of those engaged in illicit activities, including criminal gangs and terrorists. As such, there is often a requirement for national military, security and law enforcement agencies to be able to intercept and decode messages sent via PMR. So how do they go about doing so?

Capturing PMR Transmissions

The first part of the process is to capture and record the PMR transmissions, so that they can be investigated and decoded. There are a number of requirements to be considered at this stage. For law enforcement purposes, it is strongly preferable that the capture uses a passive approach, that does not require any interaction with the PMR system. This ensures that the PMR users remain unaware of the fact that they are being monitored and prevents them from taking countermeasures to avoid further detection. The system must also be portable and easily set up, so that it can be deployed wherever communications need to be monitored.

It may not be known ahead of time what frequencies the monitored PMR system will be using, so any recording system will need to cover a wide range of possible frequencies. It will also need to have a high enough sensitivity (and low noise figure) to be able to pick signals out from background noise. The system must be able to capture all of the relevant I/Q data for further investigation. In practice, that means that it will need a sufficiently large memory capacity to allow the entirety of the intercepted transmissions to be stored simultaneously. And for further investigation, the data needs to be recorded in a format that is compatible with whatever analysis software will be used for the decoding process. RFeye Stormcase systems provide all of the necessary capabilities in a portable form, with a frequency range up to 18GHz, realtime recording bandwidth of 100MHz, integrated SSD memory for high volume storage, and an XDAT recording format compatible with a wide range of software (eg Decodio Red). In situations where hours of data needs to be recorded, the RFeye SenS portable can also be deployed.

A cutaway view of the RFeye Stormcase

Analyzing PMR Transmissions

There are a wide range of PMR protocols in existence, including TETRA, NXDN, DMR, dPMR, Tetrapol, D-Star and Fusion, and it may not be clear in advance which (if any) of these protocols a particular target system will be utilizing. If this is the case, decoding systems will run through all known protocols to determine the transmission type, in order to identify it.

TETRA monitoring being carried out by Decodio software

It is also possible that the transmission may be encrypted, and require significant extra capabilities to decrypt. However, even in the absence of successful decryption, there is a significant amount of useful information that can be gleaned just from the transmission metadata. The MCC (mobile country code) and MNC (mobile network code) can identify the corresponding country and network carrier, location areas can be used to identify the cell, terminal IDs can be used to confirm the same handset is being used, manufacturer ID can be used to determine the type and vendor of the handset, and position reports can be used to find the location of a terminal. All of this metadata, when combined with the content of the demodulated voice transmissions, represents a treasure trove of useful information for security and law enforcement personnel.

Find Out More

If this brief introduction has whetted your appetite, much more information can be found in our webinar “COMINT Capture, Decode & Demodulate”, co-presented with Constantin Blümel of Decodio. And if you would like to find out about our RFeye Stormcases, then get in touch with us, and we’ll be happy to help.