The Electronic Frontier Foundation (EFF) has unveiled Rayhunter, a new open-source tool designed to detect cell-site simulators (CSS) — surveillance devices commonly used by law enforcement and other entities to track mobile users.
The tool runs on an inexpensive Orbic RC400L mobile hotspot, making it an accessible solution for activists, journalists, and researchers looking to uncover the presence of these devices.
Rayhunter vs Stingrays
Cell-site simulators, also known as IMSI catchers or Stingrays, operate by masquerading as legitimate cellular towers, forcing nearby mobile phones to connect to them instead of real network infrastructure. Once connected, these devices can:
- Log IMSI (International Mobile Subscriber Identity) and IMEI (International Mobile Equipment Identity) numbers of all nearby mobile devices.
- Pinpoint the location of targeted phones with high accuracy, without requiring cooperation from telecom providers.
- Potentially intercept communications, depending on the model and capabilities of the device.
Despite their widespread use by law enforcement, private surveillance firms, and even cybercriminals, little is publicly known about the specific capabilities of these devices or the frequency of their deployment. In the U.S., concerns have been raised over their potential use against journalists, protestors, and religious gatherings, but conclusive data remains scarce.
Rayhunter aims to bridge this knowledge gap by providing a cost-effective, user-friendly alternative to traditional CSS detection tools, which typically require rooted Android phones or costly software-defined radio setups.
Instead, Rayhunter runs on the Orbic RC400L hotspot, a widely available device costing $20 or less, to monitor real-time control traffic between the mobile network and the hotspot. Through this, it can identify suspicious activity, such as forced downgrades to 2G networks, which are vulnerable to interception and unusual IMSI requests that could indicate CSS activity.
If a suspicious traffic pattern is detected, Rayhunter alerts users accordingly, allowing them to take protective measures like powering off their phones or notifying others nearby. Meanwhile, logs are stored in PCAP format, enabling experts to analyze the collected data for further investigation.
The user interface is designed to be simple: a green (or blue for colorblind users) indicator means no threats detected, while a red signal indicates potential CSS activity. Users can access detailed logs via a web-based interface by connecting to the hotspot's Wi-Fi network or using a USB connection with Android Debug Bridge (ADB).
EFF hopes that widespread use of Rayhunter will provide empirical data on CSS deployments, helping security researchers understand how these devices exploit network vulnerabilities. The project also seeks to inform policy discussions and enhance legal protections against unauthorized surveillance.
Rayhunter is open-source and available on GitHub under a GPL-3.0 license. While installation currently requires Linux or macOS, development instructions are provided for advanced users willing to manually set up the tool on other platforms.
Legal considerations
EFF emphasizes that while running Rayhunter is not currently illegal in the U.S., users should assess potential risks based on their location. The organization provides a legal disclaimer urging non-U.S. users to consult local laws before deploying the tool.
For those interested in contributing to the project, Rayhunter's GitHub repository welcomes developers to enhance its capabilities. By leveraging community participation, EFF aims to build a global database of CSS activity, empowering individuals to detect and defend against unlawful surveillance.
Fake BianLian Ransom Notes Delivered to Executives via Post Mail
The EU General Data Protection Regulation (GDPR) allows users from the EU to manage any data related to them. This app provides email templates to reach out to the developer. The developer has to answer within one month.