Last updated:
📡 IMSI Catchers and Stingrays: How They Work and How to Detect Them
Fake cell towers that harvest your identifier and track your location. What they actually do, why 2G downgrade is the tell, and how EFF's $20 Rayhunter spots them — plus an honest account of what detection can't prove.
Key findings
An IMSI catcher impersonates a cell tower to harvest your IMSI, locate you precisely, and sometimes intercept traffic. It works because phones connect to the strongest tower and older protocols never made the tower prove who it is — a design property, not a bug, which is why the problem persists. EFF's Rayhunter detects them on a $20–30 Orbic RC400L hotspot, analysing only control traffic — never your calls, messages or web requests. The tells it watches for: a tower forcing a 2G downgrade (2G lacks modern encryption), or requesting your IMSI under odd conditions. Green line = nothing seen; red = anomaly. Hard constraint: it needs Qualcomm's /dev/diag interface, which most consumer modems don't expose — the Orbic is currently the only cheap device known to work. Green does not mean safe. It means nothing it looks for was observed.
Until recently, detecting a cell-site simulator meant a rooted Android phone or an expensive software-defined radio. EFF changed that with a tool that runs on a hotspot you can buy for the price of a takeaway. This page covers how the attack works, what detection genuinely gives you, and the constraints nobody mentions until you've already ordered the wrong hardware.
How the attack works
The vulnerability is architectural. Your phone is built to connect to the strongest available tower, and in older cellular protocols the tower never has to prove it is legitimate — authentication runs one way. A device that broadcasts loudly enough therefore wins, and everything follows from that.
Rayhunter — EFF's $20 detector
Rayhunter (github.com/EFForg/rayhunter) is a Rust tool that runs on an Orbic RC400L mobile hotspot and watches the signalling conversation between that hotspot and the towers around it.
| Property | Detail |
|---|---|
| Hardware | Orbic RC400L hotspot, roughly $20–30 on Amazon or eBay |
| What it reads | Control traffic only — signalling between hotspot and tower |
| What it never reads | Your web requests, calls or messages. It is not a wiretap. |
| Watches for | Forced 2G downgrade, suspicious IMSI requests, rogue tower behaviour, identity-request anomalies |
| Interface | Green line = normal. Red = anomaly. Connect to its Wi-Fi for detail and PCAP export. |
| Hard requirement | Qualcomm /dev/diag diagnostic interface — most consumer modems do not expose it |
/dev/diag requirement is strict and it is where most people waste money. Consumer cellular modems — the SIM7600G-H in a ClockworkPi being the common example — do not expose Qualcomm's diagnostic interface, so they cannot run Rayhunter regardless of how capable they otherwise look. The Orbic RC400L is currently the only cheap, widely available device known to work. Check the project's own docs before ordering anything else.What detection can and cannot tell you
This is the part that deserves more honesty than it usually gets:
- Green is not a clean bill of health. It means nothing Rayhunter looks for was seen. A sophisticated CSS may not trip its heuristics at all.
- Red is not a conviction. Networks do odd things. An anomaly is a lead to investigate, not proof of surveillance.
- It is an instrument, not a verdict. EFF's own framing: investigative and educational, not forensic proof.
- The point is partly collective. One of EFF's stated motivations is that almost nobody has empirical data on how widely these devices are actually deployed. Cheap detection turns that from an advocacy question into a dataset.
The other tools — and why star counts mislead
Reducing your exposure
Frequently asked questions
What is an IMSI catcher?
An IMSI catcher — also called a Stingray, after the best-known Harris Corporation product line, or a cell-site simulator (CSS) in the literature — is a device that impersonates a legitimate cell tower. Phones are designed to connect to the strongest available tower and, in older protocols, to do so without the tower proving who it is. That asymmetry is the whole attack. Once your phone connects, the operator can harvest your IMSI (the unique identifier on your SIM), locate you with far more precision than a normal tower would allow, and depending on the device and protocol, intercept metadata or communications. They exploit fundamental properties of how cellular networks are designed, which is why they are hard to eliminate rather than merely hard to build.
What is Rayhunter and how does it work?
Rayhunter is a free, open-source tool released by the Electronic Frontier Foundation to detect cell-site simulators. It runs on a cheap Orbic RC400L mobile hotspot — around $20 to $30 — and monitors the control traffic between that hotspot and nearby towers. Crucially it does not touch user traffic: no web requests, calls or messages are captured, only signalling. It looks for behaviour that legitimate towers do not exhibit, such as a base station trying to downgrade your connection to 2G (which lacks modern encryption and opens the door to further attacks) or requesting your IMSI under suspicious circumstances. The interface is a traffic light: a green line means nothing unusual, red means something is. When it alerts, you connect to the hotspot's Wi-Fi, open its built-in web page, and can inspect what it saw or download a PCAP.
Why does it need that specific hotspot?
Because of a hard constraint most write-ups skip: Rayhunter needs access to Qualcomm's diagnostic interface at /dev/diag, and that is only exposed on particular hardware. The Orbic RC400L is currently the only cheap, readily available device known to work. Ordinary consumer cellular modems — the SIM7600G-H in a ClockworkPi, for example — do not expose the diagnostic interface at all, so they cannot run it no matter how much you want them to. EFF chose the Orbic precisely because it is affordable, widely available and portable, not because it is special. Other Linux/Qualcomm devices may work; the project's own documentation is the place to check before you buy anything.
Is using Rayhunter legal?
In most jurisdictions, yes, and the reason is structural: it is passive. Rayhunter only analyses the traffic between your own hotspot and the towers it talks to. It does not transmit, does not impersonate anything, and does not intercept anyone else's communications. EFF's position is that it is lawful in the US when used responsibly. That is not legal advice and frameworks differ by country — some jurisdictions regulate radio monitoring more tightly than the US does. Operating an IMSI catcher, as opposed to detecting one, is a serious offence almost everywhere.
If Rayhunter shows green, am I safe?
No, and this is the most important caveat on the page. Rayhunter is a detection tool, not proof of absence. Sophisticated cell-site simulators can behave in ways that do not trip its heuristics, and a green line means only that nothing it looks for was observed. Equally, a red line is an anomaly, not a conviction — legitimate network behaviour can occasionally look suspicious. Treat it as an investigative and educational instrument that produces evidence worth examining, not as a forensic verdict. EFF built it partly to gather primary data on how widely these devices are actually deployed, because almost nobody has that data.
What about AIMSICD and the other detection apps?
AIMSICD (Android IMSI-Catcher Detector, at github.com/CellularPrivacy/Android-IMSI-Catcher-Detector) is the best-known project in this space with over 5,000 GitHub stars, but check its commit history before relying on it — it has been dormant for a long time, and several write-ups describe it as archived. SnoopSnitch works on rooted Android phones with Qualcomm basebands. EFF's earlier Crocodile Hunter project is explicitly archived on GitHub; Rayhunter is its successor and is where EFF's effort now goes. SeaGlass, from the University of Washington, took a different approach entirely — city-wide sensor networks rather than a single device. The pattern is worth noticing: this is a field where tools go stale fast, and star counts are a poor proxy for whether something still works.
What actually reduces the risk?
Nothing eliminates it, because IMSI catchers exploit the design of cellular networks rather than a bug in them. But several things help. Disable 2G entirely if your device allows it — Android has this setting and GrapheneOS exposes it prominently — because forced 2G downgrade is the most common attack path. Use end-to-end encrypted messaging so that intercepted traffic yields metadata rather than content. Airplane mode genuinely works, because a radio that is off cannot be tricked into connecting. And understand that location tracking via a CSS is a targeted, physical-proximity technique: if it is in your threat model, so is everything else about being physically followed.
Why does this belong on an OSINT site?
Because street-level surveillance is exactly the sort of thing open-source research exists to document, and because the deployment picture is genuinely unknown. Agencies rarely disclose CSS use; some have gone to considerable lengths to avoid disclosing it in court. EFF's Street Level Surveillance project catalogues these technologies — facial recognition, ALPR, drones, IMSI catchers — precisely because the public record is so thin. Rayhunter is the point where that documentation work becomes a community-powered dataset instead of an advocacy paper: cheap enough that ordinary people can contribute primary evidence.