EFF Releases Revolutionary Open-Source Tool to Combat Mobile Surveillance

CyberSecureFox Editorial Team

The Electronic Frontier Foundation (EFF) released Rayhunter, an open-source tool for detecting IMSI catchers (cell site simulators, also known as Stingrays) running on consumer-grade hardware — specifically the Orbic RC400L, a $20 portable 4G LTE router. The tool monitors control channel traffic in real time and alerts users to IMSI catcher signatures such as forced 2G downgrade attempts and anomalous IMSI identifier requests.

Understanding IMSI Catchers and Their Security Implications

IMSI catchers operate by mimicking legitimate cellular base stations, forcing nearby mobile devices to establish connections through them instead of authentic cellular towers. These sophisticated surveillance devices can intercept sensitive data, track user locations, and facilitate man-in-the-middle attacks, presenting significant privacy concerns, particularly when deployed by law enforcement agencies without proper oversight.

How Rayhunter Detects Forced 2G Downgrades and IMSI Requests

Rayhunter employs real-time analysis of control channel traffic between mobile devices and base stations to detect suspicious activities. The tool specifically monitors for telltale signs of IMSI catcher operation, including forced 2G downgrade attempts and unusual IMSI identifier requests. Unlike existing detection solutions that require expensive specialized equipment, Rayhunter operates on affordable consumer-grade hardware.
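To illustrate the IMSI-request sign described above, the following added example (not Rayhunter's code, which this article does not show) decodes LTE NAS mobility-management messages and flags Identity Requests for the IMSI that arrive without integrity protection. The message layout follows 3GPP TS 24.301. The function names, the sample bytes and the rule that a request not followed by an Authentication Request is the more suspicious case are assumptions of this example.

```python
"""Flag unprotected IMSI Identity Requests in a sequence of LTE NAS downlink messages."""

EMM_PD = 0x07            # protocol discriminator: EPS mobility management
IDENTITY_REQUEST = 0x55  # EMM message types, 3GPP TS 24.301
AUTH_REQUEST = 0x52
ID_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


def parse_emm(nas: bytes):
    """Return (message_type, integrity_protected, body), or None if not readable EMM."""
    if not nas or nas[0] & 0x0F != EMM_PD:
        return None
    sht = nas[0] >> 4                    # security header type
    if sht == 0:                         # plain NAS message
        body = nas
    elif sht in (1, 3):                  # integrity protected, not ciphered
        body = nas[6:]                   # skip header octet, 4-byte MAC, sequence number
    else:                                # ciphered or special format: cannot inspect
        return None
    if len(body) < 2 or body[0] & 0x0F != EMM_PD:
        return None
    return body[1], sht != 0, body


def requested_identity(body: bytes):
    """Identity type named in an Identity Request body, or None if truncated."""
    return ID_TYPES.get(body[2] & 0x07, "reserved") if len(body) >= 3 else None


def flag_identity_requests(downlink):
    """Return (index, reason) for each plain IMSI request, in capture order."""
    findings = []
    for i, nas in enumerate(downlink):
        msg = parse_emm(nas)
        if msg is None or msg[0] != IDENTITY_REQUEST or msg[1]:
            continue                     # not an Identity Request, or integrity protected
        if requested_identity(msg[2]) != "IMSI":
            continue
        # Assumed heuristic: a real network normally goes on to authenticate the subscriber.
        later = (parse_emm(m) for m in downlink[i + 1:])
        authed = any(m and m[0] == AUTH_REQUEST for m in later)
        findings.append((i, "plain IMSI request, authentication follows" if authed
                         else "plain IMSI request, no authentication follows"))
    return findings


# Constructed sample messages (not taken from a real capture).
BENIGN = [bytes.fromhex("075501"), bytes.fromhex("075200") + bytes(32)]
SUSPECT = [bytes.fromhex("075501"), bytes.fromhex("074407")]  # followed by Attach Reject
PROTECTED = [bytes.fromhex("17aabbccdd01") + bytes.fromhex("075502")]  # IMEI, protected
```

A plain IMSI request also occurs on legitimate networks, for example when the network does not recognise the device's temporary identity, so a finding here is a reason to inspect the exported PCAP rather than proof of a cell site simulator.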

Implementation and User Experience

The primary hardware platform for Rayhunter is the Orbic RC400L, a portable 4G LTE router available for approximately $20. The system implements a user-friendly alert mechanism, displaying a red screen warning when suspicious activity is detected. Security professionals and privacy-conscious users can export PCAP logs for detailed forensic analysis of potential surveillance attempts.

Security Implications and Deployment Considerations

While Rayhunter’s deployment is presumably legal within the United States, EFF recommends consulting legal expertise regarding its use in other jurisdictions. The tool’s source code and comprehensive documentation are freely available through EFF’s GitHub repository, promoting transparency and community involvement in mobile security enhancement.

Rayhunter does not block IMSI catcher surveillance — it detects it. Detection data in the form of PCAP logs provides documented evidence that surveillance equipment was in operation, which is legally significant when challenging evidence obtained through cell site simulators. High-risk users — journalists, activists, attorneys representing sensitive clients — are the primary target audience. EFF notes that Rayhunter’s legality within the United States is clear; use in other jurisdictions requires separate legal review.
