Meet Rayhunter A New Open Source Tool from EFF to Detect Cellular Spying

Summary

Article from the Electronic Frontier Foundation (EFF) presenting Rayhunter, an open source tool designed to detect cell-site simulators (CSS), also known as Stingrays or IMSI catchers. Rayhunter runs on a $20 Orbic mobile hotspot and intercepts, stores, and analyzes control traffic (not user traffic) between the hotspot and the cell tower in real time. It alerts users to suspicious events such as base stations attempting to downgrade connections to 2G or requesting the IMSI under suspicious circumstances. Previous detection methods required rooted Android phones or expensive software-defined radio rigs, and focused on legacy 2G networks. Rayhunter works natively on modern 4G networks.


Contents

Background: Cell-Site Simulators (CSS)

CSS (also known as Stingrays or IMSI catchers) are devices that masquerade as legitimate cell-phone towers, tricking phones within a certain radius into connecting to the device rather than a real tower. They operate by conducting a general search of all cell phones within the device's radius.

Capabilities:

  • Pinpoint phone locations with greater accuracy than CSLI (Cell Site Location Information)
  • No need to involve the phone company
  • Log IMSI numbers (unique to each SIM card) and IMEI hardware serial numbers
  • Some advanced CSS may intercept communications

Knowledge gaps:

  • Little is known about how commercial CSS actually work
  • No strong evidence about CSS usage to surveil First Amendment protected activities (protests, journalist-source communications, religious gatherings)
  • Some circumstantial evidence of CSS use at US protests (DNC 2024, Chicago protests)
  • Evidence of use by US law enforcement, spyware operators, and scammers
  • Even less known about CSS use outside the US

Rayhunter: Technical Details

Hardware: Orbic mobile hotspot (Amazon/eBay, ~$20)

How it works:

  1. Intercepts, stores, and analyzes control traffic (not user traffic like web requests) between the hotspot and cell tower
  2. Analyzes traffic in real time for suspicious events
  3. Suspicious events include:
    • Base station trying to downgrade connection to 2G (vulnerable to attacks)
    • Base station requesting IMSI under suspicious circumstances

User Interface:

  • Green line (blue in colorblind mode) at top of screen = running, nothing suspicious
  • Red line = suspicious event logged
  • Connect to device's WiFi access point for web interface with details
  • Download logs in PCAP format for expert review
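The two event classes listed under "How it works" (2G downgrade, IMSI request under suspicious circumstances) and the green/red status line described above can be illustrated with a small heuristic detector run over a constructed control-plane trace. This is an added example written for this note, not Rayhunter's own analysis code: the message names, field names, procedure-tracking logic and thresholds are all assumptions, and the two sample traces are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Any

# Constructed, simplified model of the LTE control-plane (NAS/RRC) messages a
# detector sees between a hotspot and the tower. The rules below are an
# illustrative heuristic written for this note; they are NOT Rayhunter's own
# analysis code, and the message/field names are assumptions.

@dataclass
class CtrlEvent:
    t: float                                  # seconds since capture start (constructed)
    proto: str                                # "RRC" or "NAS"
    msg: str                                  # message name (assumed naming)
    fields: dict[str, Any] = field(default_factory=dict)

@dataclass
class Alert:
    t: float
    rule: str
    detail: str

# NAS procedures during which the network may legitimately ask the UE to
# identify itself (for example when it cannot resolve the temporary identity).
PROCEDURE_START = {"AttachRequest", "TrackingAreaUpdateRequest"}
PROCEDURE_END = {"AttachAccept", "AttachReject",
                 "TrackingAreaUpdateAccept", "TrackingAreaUpdateReject"}

def detect(events: list[CtrlEvent]) -> list[Alert]:
    """Scan control-plane events in order and return alerts for the two event
    classes the note describes: 2G downgrades and suspicious IMSI requests."""
    alerts: list[Alert] = []
    in_procedure = False   # between a NAS request and its accept/reject
    offered_guti = False   # UE identified itself with a GUTI, so IMSI is unnecessary
    for ev in events:
        if ev.proto == "NAS" and ev.msg in PROCEDURE_START:
            in_procedure = True
            offered_guti = ev.fields.get("id_type") == "GUTI"
        elif ev.proto == "NAS" and ev.msg in PROCEDURE_END:
            in_procedure = False
        elif (ev.proto == "NAS" and ev.msg == "IdentityRequest"
              and ev.fields.get("id_type") == "IMSI"):
            # Rule 1: an IMSI request is expected only inside an attach/TAU,
            # and only when the UE did not already present a usable GUTI.
            if not in_procedure:
                alerts.append(Alert(ev.t, "imsi-request-outside-procedure",
                                    "Identity Request for IMSI with no attach/TAU in progress"))
            elif offered_guti:
                alerts.append(Alert(ev.t, "imsi-request-after-guti",
                                    "Identity Request for IMSI although the UE offered a GUTI"))
        elif ev.proto == "RRC" and ev.msg == "RRCConnectionRelease":
            # Rule 2: a release that redirects the UE to a GERAN (2G) carrier
            # downgrades it to a network without mutual authentication.
            if ev.fields.get("redirect_rat") == "GERAN":
                alerts.append(Alert(ev.t, "downgrade-to-2g",
                                    f"RRC release redirects to GERAN ARFCN {ev.fields.get('arfcn')}"))
    return alerts

def status_color(alerts: list[Alert], colorblind: bool = False) -> str:
    """Mirror the device's status line: red once anything is logged,
    otherwise green (blue in colorblind mode)."""
    if alerts:
        return "red"
    return "blue" if colorblind else "green"

# Constructed sample traces (not captured data).
SUSPICIOUS_TRACE = [
    CtrlEvent(0.0, "RRC", "RRCConnectionRequest"),
    CtrlEvent(0.1, "NAS", "AttachRequest", {"id_type": "GUTI"}),
    CtrlEvent(0.2, "NAS", "IdentityRequest", {"id_type": "IMSI"}),   # GUTI already offered
    CtrlEvent(0.3, "NAS", "IdentityResponse", {"id_type": "IMSI"}),
    CtrlEvent(0.5, "NAS", "AttachAccept"),
    CtrlEvent(4.0, "RRC", "RRCConnectionRelease", {"redirect_rat": "GERAN", "arfcn": 42}),
    CtrlEvent(9.0, "RRC", "RRCConnectionRelease"),                    # plain release, benign
    CtrlEvent(12.0, "NAS", "IdentityRequest", {"id_type": "IMSI"}),  # no procedure running
]

BENIGN_TRACE = [
    CtrlEvent(0.0, "RRC", "RRCConnectionRequest"),
    CtrlEvent(0.1, "NAS", "AttachRequest", {"id_type": "IMSI"}),     # first attach of a new SIM
    CtrlEvent(0.2, "NAS", "IdentityRequest", {"id_type": "IMEI"}),   # IMEI check, not IMSI
    CtrlEvent(0.4, "NAS", "AttachAccept"),
    CtrlEvent(3.0, "RRC", "RRCConnectionRelease", {"redirect_rat": "EUTRA"}),  # LTE-to-LTE
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("suspicious", SUSPICIOUS_TRACE)):
        found = detect(trace)
        print(f"{name}: status={status_color(found)}")
        for a in found:
            print(f"  t={a.t:5.1f}s {a.rule}: {a.detail}")
```

Running the block prints a green status for the benign trace and three alerts for the suspicious one. Note the built-in false-positive risk: a genuine network can also request the IMSI after a GUTI it cannot resolve (for example after a core-network restart), which is why a heuristic like this flags events for review rather than proving a CSS is present, and why exporting the underlying PCAP for expert analysis matters.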

Installation:

  1. Buy Orbic hotspot
  2. Download latest release package from GitHub
  3. Unzip, plug device into computer
  4. Run install script for Mac or Linux (Windows not supported for installation)

Goals

  1. Determine conclusively if CSS are used to surveil free expression (protests, religious gatherings)
  2. Collect empirical data (PCAPs) about exploits CSS actually use in the wild
  3. Get clearer picture of CSS usage outside the US (especially countries without free speech protections)
  4. Help people engage in accurate threat modeling about CSS risks
  5. Provide data useful for legal and legislative efforts to rein in CSS use

Use Rayhunter at your own risk. EFF believes running this program does not currently violate any laws or regulations in the United States, but accepts no responsibility for civil or criminal liability. Users outside the US should consult a local attorney.

Name Origin

Named after Stingray (a brand name for CSS). The natural predators of stingrays are orcas, which hunt them using a "wavehunting" technique. The name was also chosen because it was the only candidate not already trademarked.


Analysis

Rayhunter represents a significant democratization of CSS detection capability. Previous methods required either rooted Android phones (technical barrier) or expensive SDR rigs (financial barrier), and both focused primarily on legacy 2G attacks. Rayhunter works on modern 4G networks with commodity hardware ($20), making it accessible to activists, journalists, and privacy-conscious individuals worldwide.

The tool is particularly relevant for:

  • Journalists protecting source communications
  • Activists at protests
  • Organizations in countries with limited press freedom
  • Security researchers studying CSS deployment patterns
  • Legal professionals building cases against unlawful surveillance

Key Points

  • $20 hardware cost (Orbic RC400L hotspot) makes CSS detection accessible to anyone
  • Works on 4G networks (not just legacy 2G like previous tools)
  • Open source: https://github.com/EFForg/rayhunter
  • Detects suspicious control-plane events in real time
  • Does NOT intercept user traffic (web requests, etc.)
  • Outputs PCAP format for forensic analysis
  • Installation only supported on Mac/Linux (not Windows)
  • Community-driven data collection approach to map CSS usage globally

References

Themes