The Electronic Frontier Foundation (EFF) has released Rayhunter, a new open-source tool designed to detect cell site simulators (CSS). These devices, also known as IMSI catchers or Stingrays, mimic cell towers to trick phones into connecting so they can collect data. Rayhunter gives researchers, journalists, and privacy advocates a way to identify suspicious cellular activity.
EFF developed it to run on a common, low-cost mobile hotspot device. At launch, they used an Orbic hotspot, which could be purchased for around $30 at some retailers. This hardware is important because it keeps the barrier to entry low for anyone interested in tracking potential surveillance activity.
How Rayhunter works
Rayhunter works by monitoring the control traffic between the hotspot and nearby cell towers. It does not capture user content such as calls, messages, or websites. Instead, it focuses on metadata and network behavior. It looks for signs that something unusual is happening, like a tower requesting a network downgrade to a less secure protocol or asking for IMSIs in suspicious ways. These are common indicators that a CSS may be active in the area.
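To make the two indicators concrete, here is a simplified sketch of that kind of check. It is an added illustration, not Rayhunter's code or its actual heuristics; the event labels, cell IDs and the rule that an IMSI request is "suspicious" when it arrives before security setup are assumptions made for the example, and the sample events are constructed.

```python
from dataclasses import dataclass

@dataclass
class Event:
    t: float          # seconds since capture start
    cell_id: int      # serving cell identifier (constructed)
    msg: str          # simplified, hypothetical message label
    detail: str = ""  # identity type or redirect target technology

LEGACY_RATS = {"GERAN"}  # 2G, treated here as the "less secure protocol"

def analyze(events):
    """Return (time, cell_id, reason) for each event worth reviewing."""
    findings = []
    secured = {}  # cell_id -> has security been set up on this attach?
    for ev in sorted(events, key=lambda e: e.t):
        if ev.msg == "attach_request":
            secured[ev.cell_id] = False          # new attach, start over
        elif ev.msg == "security_mode_complete":
            secured[ev.cell_id] = True
        elif ev.msg == "identity_request" and ev.detail == "IMSI":
            # Real networks sometimes do this too, so it is an indicator
            # to review, not proof that a CSS is present.
            if not secured.get(ev.cell_id, False):
                findings.append((ev.t, ev.cell_id,
                                 "IMSI requested before security setup"))
        elif ev.msg == "release_with_redirect" and ev.detail in LEGACY_RATS:
            findings.append((ev.t, ev.cell_id, f"redirected to {ev.detail}"))
    return findings

def line_colour(findings):
    """Mirror the green/red display described in the article."""
    return "red" if findings else "green"

# Constructed sample: cell 101 behaves normally, cell 999 does not.
SAMPLE = [
    Event(0.0, 101, "attach_request"),
    Event(0.4, 101, "security_mode_complete"),
    Event(0.5, 101, "identity_request", "IMEISV"),
    Event(30.0, 999, "attach_request"),
    Event(30.1, 999, "identity_request", "IMSI"),
    Event(30.3, 999, "release_with_redirect", "GERAN"),
]

if __name__ == "__main__":
    for t, cell, reason in analyze(SAMPLE):
        print(f"{t:6.1f}s cell {cell}: {reason}")
    print("display:", line_colour(analyze(SAMPLE)))
```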
The tool’s interface is designed to be simple. When everything looks normal, users see a green line across the screen. If Rayhunter detects activity that could signal a CSS, that line turns red.
When an alert appears, users can connect to the hotspot’s Wi-Fi network and open a built-in web page. From there, they can see details about what Rayhunter observed. They also have the option to download packet capture files in PCAP format. These files can then be analyzed with other tools for deeper investigation or shared with experts for review.
While Rayhunter does not stop CSS from operating, it provides a way to map their presence and patterns. Over time, collected data could help reveal how often these devices are deployed and in what contexts. EFF hopes this will support efforts to protect privacy and hold surveillance programs accountable.
Devices and download
The following devices have been extensively tested by the core developers and are widely used: Orbic RC400L (sometimes also branded Kajeet RC400L) and TP-Link M7350.
Rayhunter is also confirmed to work on these devices:
- Wingtech CT2MHS01 – Americas
- T-Mobile TMOHS1 – Americas
- TP-Link M7310 – Africa, Europe, Middle East
- PinePhone and PinePhone Pro – Global
- FY UZ801 – Asia, Europe
- Moxee hotspot – Americas
Rayhunter is available for free on GitHub.