Rayhunter Sniffs Out Stingrays For $30

These days, if you’re walking around with a cellphone, you’ve basically fitted an always-on tracking device to your person. That’s even more the case if there happens to be an eavesdropping device in your vicinity. To combat this, the Electronic Frontier Foundation has created Rayhunter as a warning device.

Rayhunter is built to detect IMSI catchers, also known as Stingrays in the popular lexicon (StingRay is the brand name of one such product, made by Harris Corporation, that has become the generic term). These are devices that pretend to be real cell towers so that nearby phones connect to them and give up their IMSI (international mobile subscriber identity), the permanent identifier tied to the SIM. Information on these devices is tightly controlled by manufacturers, which largely market them for use by law enforcement and intelligence agencies.

Rayhunter in use.

To run Rayhunter, all you need is an Orbic RC400L mobile hotspot, which you can currently source for less than $30 USD online. Though experience tells us that could change as the project becomes more popular with hackers. The project offers an install script that will compile the latest version of the software and flash it to the device from a computer running Linux or macOS — Windows users currently have to jump through a few extra hoops to get the same results.

Rayhunter works by analyzing the control traffic between the cell tower and the hotspot’s modem, looking for hints of IMSI-catcher activity. Common telltale signs are requests to hand the connection down to the less-secure 2G standard, or spurious requests for your device’s IMSI at a point where a legitimate network would already have assigned it a temporary identifier. These are heuristics rather than proof: a real network does occasionally ask for the IMSI, for example at a first attach with no valid temporary identity, so a single warning deserves a look at the captured messages rather than a panic. If Rayhunter notes suspicious activity, it turns a line on the Orbic’s display red as a warning. The device’s web interface can then be accessed for more information.
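To make the two telltales concrete, here is a small added example (not Rayhunter’s own code) that runs the heuristics over a constructed stream of control-plane events. It decodes the first bytes of plain LTE NAS messages using the 3GPP TS 24.301 message-type values for Identity Request and Attach Accept, while the RRC redirect is taken as an already-decoded field; the Event record, the severity labels and the red/green rule are assumptions made for this toy.

```python
"""Added example: toy IMSI-catcher heuristics over a constructed stream of
control-plane events. Not Rayhunter's code; the Event format is an assumption."""
from dataclasses import dataclass
from typing import Optional

# 3GPP TS 24.301 (LTE NAS / EMM) constants used by the parser.
EMM_PD = 0x07             # protocol discriminator: EPS Mobility Management
MSG_ATTACH_ACCEPT = 0x42
MSG_IDENTITY_REQUEST = 0x55
ID_TYPE_IMSI = 0x1        # Identity type 2 IE value for IMSI (IMEI would be 0x2, TMSI 0x4)


@dataclass
class Event:
    """One control-plane message as the hotspot's modem might expose it (assumed format)."""
    direction: str                      # "dl" network -> device, "ul" device -> network
    kind: str                           # "nas" (raw EMM bytes) or "rrc_release" (already decoded)
    payload: bytes = b""                # raw NAS PDU when kind == "nas"
    redirect_rat: Optional[str] = None  # RAT named in redirectedCarrierInfo for rrc_release


@dataclass
class Alert:
    index: int        # position in the event stream
    severity: str     # "low" | "medium" | "high"
    reason: str


def emm_message_type(pdu: bytes) -> Optional[int]:
    """Return the EMM message type of a plain (unprotected) NAS PDU, else None."""
    if len(pdu) < 2:
        return None
    security_header, pd = pdu[0] >> 4, pdu[0] & 0x0F
    # Integrity-protected/ciphered PDUs (security header != 0) carry an outer header
    # we cannot look inside without the NAS keys, so this toy only inspects plain PDUs.
    if pd != EMM_PD or security_header != 0:
        return None
    return pdu[1]


def requested_identity(pdu: bytes) -> Optional[int]:
    """For an Identity Request, return the 3-bit identity type; otherwise None."""
    if emm_message_type(pdu) != MSG_IDENTITY_REQUEST or len(pdu) < 3:
        return None
    return pdu[2] & 0x07


def analyze(events) -> list:
    """Walk the stream and raise alerts for the two telltales named in the article."""
    alerts = []
    attached = False      # has the network accepted an attach (so it now holds a GUTI for us)?
    imsi_requests = 0
    for i, ev in enumerate(events):
        if ev.direction != "dl":
            continue      # only network-originated messages matter for these heuristics
        if ev.kind == "nas":
            mtype = emm_message_type(ev.payload)
            if mtype == MSG_ATTACH_ACCEPT:
                attached = True
            elif requested_identity(ev.payload) == ID_TYPE_IMSI:
                imsi_requests += 1
                # One IMSI request at first attach is normal (the network has no GUTI for us
                # yet); a repeat, or a request after we are attached, is the suspicious case.
                if attached or imsi_requests > 1:
                    alerts.append(Alert(i, "medium", "IMSI requested although network should hold a GUTI"))
                else:
                    alerts.append(Alert(i, "low", "IMSI requested at initial attach"))
        elif ev.kind == "rrc_release" and ev.redirect_rat == "geran":
            alerts.append(Alert(i, "high", "RRC Connection Release redirects to 2G (GERAN)"))
    return alerts


def display_colour(alerts) -> str:
    """Mimic the warning line: red on anything medium or worse, else green (our own rule)."""
    return "red" if any(a.severity in ("medium", "high") for a in alerts) else "green"


# Constructed sample stream (not a real capture).
SAMPLE = [
    Event("dl", "nas", bytes([0x07, MSG_IDENTITY_REQUEST, ID_TYPE_IMSI])),  # first-attach IMSI query: normal
    Event("ul", "nas", bytes([0x07, 0x56, 0x08, 0x29])),                    # identity response (uplink, ignored)
    Event("dl", "nas", bytes([0x07, MSG_ATTACH_ACCEPT, 0x01])),             # attach accepted -> GUTI assigned
    Event("dl", "nas", bytes([0x07, MSG_IDENTITY_REQUEST, ID_TYPE_IMSI])),  # IMSI asked again: suspicious
    Event("dl", "rrc_release", redirect_rat="eutra"),                       # ordinary LTE redirect: fine
    Event("dl", "rrc_release", redirect_rat="geran"),                       # push to 2G: classic catcher move
]

if __name__ == "__main__":
    found = analyze(SAMPLE)
    for a in found:
        print(f"event {a.index}: [{a.severity}] {a.reason}")
    print("display line:", display_colour(found))
```

On the sample stream the first IMSI request is logged as low severity, the repeat after Attach Accept and the GERAN redirect trip the red line. Real captures arrive as Qualcomm diagnostic frames that must first be demultiplexed into NAS and RRC PDUs, and the RRC side is ASN.1 UPER that needs a proper decoder; this toy starts after that step.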

While IMSI catchers really took off on less-secure 2G networks, there are developments that allow similar devices to work on newer cellular standards, too. Meanwhile, if you’ve got your own projects built around cellular security, don’t hesitate to notify the tipsline!

36 thoughts on “Rayhunter Sniffs Out Stingrays For $30”

  1. This probably doesn’t work for cell repeaters on 4g or 5g

    Each time they change the G they make a new “stingray”

    So this likely will not work on a lot of 4g and 5g networks at least in the USA

    Since the federal government versions can do the encryption and decryption too

    1. Your phone cannot tell when it’s connected to a stingray or not, so it’s best to use your own custom encryption and obfuscation

      So if they get yo phone signal, the data is just gibberish

      But then with most people using smartphones they can install a remote access Trojan to spy on GPS, listen to your microphone, and watch that camera

      Better have os Kernel protection against that, disable camera and microphone until I want to use em

      The GPS says whatever I want it to

      But they can also watch the LCD with a fast enough rat

      1. Remember you don’t need to be close to a stingray

        You can be 5 or 10 mile away and it’s still listening

        Phone always connects to the strongest cell tower by design

        1. And people should know that stingrays aren’t necessarily selective devices, they tap everyone’s phone that’s in the area

          And federal agents have to stay up all night sifting through all of it to see if they got what they’re looking for

          1. Or they just go to the phone company and ISP with a court order and they simply just hand over all your data decrypted and plaintext, that’s when encryption and obfuscation become useful

            Not hiding illegal shit, just to piss off that MITM even more

            U güd wit dat CPU?

          2. In the US, with a judge’s permission (for now anyway) they just call the phone company and get everything they need. The stingray isn’t even really needed. The phone companies always hand over the data. If you’re going to engage in activities that are frowned upon, especially kidnapping, smuggling, narcotics, gun running and other conspiracy, find a way to do it without a cell phone, or better yet, open a donut shop instead. The stingray hunter is a cool but useless gadget in any context I can think of.

        2. @Andrew How wonderfully naive. That’s not how these things are used in practice.

          Why? Once they have them nobody can give up the urge to use it and justify the expense.

          This means lots of unnecessary surveillance anywhere they can find an excuse to set it up, bonus points for being able to have a permanent installation “because there is so much traffic” and justify buying more.

      2. Of course your phone can tell if it’s connected to a genuine cell or not. Your IMSI allows you to speak on the network. No IMSI, no network. No call, no SMS, no data. So when you connect to a stingray, either it’s set up to allow all connections in and offer pseudo data (that would be a huge cost for operating the stingray to actually serve data for all potential cellphones), or it’s not (more likely). Then you’ll be connected but all further communication attempts would fail (since the stingray can’t query your answering machine, can’t sustain a call, can’t forward your data), so the phone WILL know it.

        BTW, even the “fallback” to 2G hack is highly detectable. The phone knows it’s being throttled, but MAINLY, it knows no one is answering as it should.

        With roaming technologies (where your phone can talk to multiple cell towers at the same time), it’s a bit harder, but not by much. A cell that’s connected but doesn’t send any data after being sent an IMSI is devious by default and could be flagged as such. The phone should warn you in that case and trigger a report to the authorities. Yet, if you’re moving fast, it’s possible you can attach to a distant cell and, by the time you’ve sent your credentials, be too far from the cell tower to communicate. That’s the only case an IMSI catcher could be mistaken for a genuine tower. But that would imply very very low transmission power for the catcher, so very unlikely to be selected by the phone if any valid cell tower is around, so it’s still quite safe.

          1. One way is to just dump everything on the phone line with stingray and passthrough

            Then just go to the phone companies that service the area

            And they all can decrypt it too

            Multiple ways…

      3. Yeah right bud. :Eyeroll:

        Nothing you have said is valid. How exactly are you going to do “os kernel protections” How many android phone kernels have you built? You do realize most phones use very old kernels with lots of hacks.

        You really think disabling devices in software actually disables them? KEK

        1. “Yeah right bud. :Eyeroll:

          Nothing you have said is valid. How exactly are you going to do “os kernel protections” How many android phone kernels have you built? You do realize most phones use very old kernels with lots of hacks.

          You really think disabling devices in software actually disables them? KEK”

          Android 14 has that built-in

          Disable mic, disable camera, and no app can use it not even face unlock or Google assistant

          Cough The pull down menu in quick settings…

          Must be an iPhone user that doesn’t have updated security patches

      4. You think if they can remotely install a Trojan to let them use your phone’s camera and microphone, some kernel level control is going to allow you to stop them? You think that your GPS spoofing program prevents someone at that level from getting your location?

        The only way to prevent a “bad actor” from using your camera or mic is to physically disconnect the camera and mic from the phone. They never needed gps to report your location, just 3 or 4 cell towers.

        1. Y’all guys have no idea how many government agents I’ve managed to send through loops

          Yeah I know how to actually run a secure network and radio transmitter

          🙄. eyerolls

          Do you know what a military combat communication squadron is capable of.

          Obviously not, eyerolls

        2. GPS spoofing is the easiest thing to do on this list, but they still know what tower you connected to, so utility is restricted.

          As for the rest, mic/etc. disabling cell data will actually work, especially on older connections where there is no effective way to pretend not to use it.

          TLDR; turn off your phone and remove the battery when you aren’t using it if this is a serious concern, which needn’t involve the state.

    2. Yes, but this can still prove who was in an area. Run this at a protest and get a list of malcontents. Maybe run it lower powered on each side of a protest and see who was nearer to one side or another, and then if something happens see who was close. Then you have a list of people to get the DL photos for, to match them to the security photos. Or run that list and see if there were any foreign students at a protest who you could lean on because of visa problems…

      It’s not just the data.

      1. It’s not proof, but yeah you have the right idea because all that’s necessary is an accusation, as we have seen lately. This is never about criminal activity, but surveillance.

    1. Depends, not all police have stingrays

      If you suspect a stingray on your phone

      You probably have the FBI, cia, or federal government agency watching

      The police have to lease stingrays from the military, they don’t own ’em, they have a detailed NDA contract on how it’s supposed to be legally used.

      And they charge the state 100x the bomb cost for em

      Just remember north Carolina paid 250,000 USD just for one lease, and that was the old model

      They don’t actually cost that much to build

      1. I can’t recall the date, IIRC it was the early ’00s.
        The DC cell networks (all of ’em, same day, strange that.) stopped working for most of a day.
        All the different three letter agencies and foreign governments running stingrays screwed it up real good.

        Government stingrays have IMSI (and all the security) and will forward data to actual towers or their own backhaul (depending on generation and model).

        But when the ‘actual tower’ the stingray is using for backhaul is also a stingray?
        Theory is:
        That all the stingrays formed some sort of interagency rivalry circle ping.
        Nobody that knows for sure can say.

        Why not go to the cell companies with a warrant?
        Not even FISA judges will sign a warrant for the NSA to bug the NRO (substitute alphabet soup at will).

        But they do spy on each other, everyday…
        Splitters!

        One of the joys of having so many American ‘intelligence’ agencies fighting over a limited pool of freshly printed money/power/influence.

    2. Also if they serve a warrant they have to tell you that they have a warrant to seize that data etc….

      If not it’s illegal, and can be considered wiretapping and stealing cables, invasion of privacy

      1. They can cite almost anything as justification and don’t even have to mention you specifically. And if it is illegal? Good luck attempting to use that information anywhere if you have already been picked up as a “dissident”, or whatever the flavor of the year is.

    1. They did a number on people it seems, as they still mistake privacy for secrecy. Privacy is a human right. And nothing wrong about keeping e.g. trade secrets either. The state is encroaching and the watchdogs need to be leashed and kennelled again. If you cannot solve it via classical legal police work it should never be court admissible.

      Better thing to say: I got nothing that incriminates me, but still bugger off. My private life is private, period.

  2. The old stingrays could intercept calls, and more secure protocols like 5G prevent that. However, the value for modern Stingrays is they can collect the IMSIs from all the cellular devices in its proximity, especially from 4G and older devices. Think of the ramifications of having a list of all the people at a protest event or a political rally.

  3. IMHO, the real trouble is not with the stingrays, but with who is using them and to what ends.

    Meaning, just like “ghost g**s”, there could be them bad guys faking they are the good guys under disguise to catch the bad guys, and we wouldn’t know for sure.

    Call me paranoid, but I’d very much rather NOT use my cell phone for things like banking or placing orders. If they (bad guys) want to know my info, they probably already have it just the same, but why make sure it is spread even wider.

    In my other HO, it is just a matter of time before someone sets up a ChatGPT bot to generate thousands of fake “profiles” in all kinds of shoddily written systems, hoping that out of a few thousand one may appear legit and work for some while before being detected and shut off. To me that’s a far larger and more complex threat than ever thought of, and stingrays are actually the atomic level kind of threat compared with the systemic approach at the large scale (i.e., beyond molecular level). I am also pretty sure this has already been thought of, created and tested, and probably the initial targets weren’t average Sams, but rich folks that are not in the news, say, the tax-avoiding shady “owners of the offshore accounts”, which is easier – no IRS would run any background checks to make sure. But eventually it will boil down to my level, just I wouldn’t know when and how.

  4. To all those saying “what’s the point”. Well clearly there’s some point, or the police wouldn’t be using them all over the place.

    Just one idea: getting data from the cell phone company creates a paper trail. If you’re going to track people under legally dubious circumstances better to just set up a stingray and don’t share who you’re tracking or why.

    The people and/or courts cannot object to a violation of the constitution if they don’t know about it.

  5. I got one of the Verizon Orbic hotspots new in box from an eBay seller for $11.96 with free shipping (in the US). Although that was 2 months ago, so maybe the hackaday effect will change that availability.

    Have yet to do anything with it, so maybe the fact that it is from Verizon will prevent it being useful? No idea if it is network locked or not.

    1. Spent some time poking at it, after installing RayHunter on it. Yes, it is network locked. It also has some weird setup where after connecting via adb, and running /sbin/rootshell, there are still things that you don’t have permission to do, like opening a socket, or running “chown”. Something about running via setuid that it doesn’t like. I haven’t been able to figure that out yet, although I did install dropbear (static binary), and start that from an initscript to get a proper full root shell.

      Oh, and of course it is an ancient Linux kernel:

      Linux mdm9607 3.18.48 #1 PREEMPT Sat Sep 19 17:38:58 CST 2020 armv7l GNU/Linux

      Sigh!

  6. Can a phone without a SIM still be tracked? Thinking of the phone as a head to a LoRa node. Plenty of old phones around still capable of Bluetooth and WiFi. Could Meshtastic be a more secure option than burner phones?
