Last updated:

📡 IMSI Catchers and Stingrays: How They Work and How to Detect Them

Fake cell towers that harvest your identifier and track your location. What they actually do, why 2G downgrade is the tell, and how EFF's $20 Rayhunter spots them — plus an honest account of what detection can't prove.

Key findings

An IMSI catcher impersonates a cell tower to harvest your IMSI, locate you precisely, and sometimes intercept traffic. It works because phones connect to the strongest tower and older protocols never made the tower prove who it is — a design property, not a bug, which is why the problem persists. EFF's Rayhunter detects them on a $20–30 Orbic RC400L hotspot, analysing only control traffic — never your calls, messages or web requests. The tells it watches for: a tower forcing a 2G downgrade (2G lacks modern encryption), or requesting your IMSI under odd conditions. Green line = nothing seen; red = anomaly. Hard constraint: it needs Qualcomm's /dev/diag interface, which most consumer modems don't expose — the Orbic is currently the only cheap device known to work. Green does not mean safe. It means nothing it looks for was observed.

Until recently, detecting a cell-site simulator meant a rooted Android phone or an expensive software-defined radio. EFF changed that with a tool that runs on a hotspot you can buy for the price of a takeaway. This page covers how the attack works, what detection genuinely gives you, and the constraints nobody mentions until you've already ordered the wrong hardware.

Everything here is passive and lawful. Detection analyses your own device's connection to the network. Operating an IMSI catcher is a serious offence nearly everywhere — this page is about spotting one, not building one.

How the attack works

The vulnerability is architectural. Your phone is built to connect to the strongest available tower, and in older cellular protocols the tower never has to prove it is legitimate — authentication runs one way. A device that broadcasts loudly enough therefore wins, and everything follows from that.

📶 ImpersonateBroadcast as a tower with a strong signal. Nearby phones prefer it and attach.
🆔 HarvestRequest the IMSI — the unique identifier on the SIM. Now every device in range is enumerated.
📍 LocateSignal strength and timing give a position far more precise than normal tower records would.
⬇️ DowngradePush the connection to 2G, which lacks modern encryption, opening the door to interception.
The 2G downgrade is the signature. There is no legitimate reason for a modern tower to force your phone down to 2G in a well-covered area. It is the single most reliable indicator that something is wrong — and it is exactly what detection tools watch for. It's also why disabling 2G outright, where your device allows it, is the cheapest defensive step available.

Rayhunter — EFF's $20 detector

Rayhunter (github.com/EFForg/rayhunter) is a Rust tool that runs on an Orbic RC400L mobile hotspot and watches the signalling conversation between that hotspot and the towers around it.

PropertyDetail
HardwareOrbic RC400L hotspot, roughly $20–30 on Amazon or eBay
What it readsControl traffic only — signalling between hotspot and tower
What it never readsYour web requests, calls or messages. It is not a wiretap.
Watches forForced 2G downgrade, suspicious IMSI requests, rogue tower behaviour, identity-request anomalies
InterfaceGreen line = normal. Red = anomaly. Connect to its Wi-Fi for detail and PCAP export.
Hard requirementQualcomm /dev/diag diagnostic interface — most consumer modems do not expose it
Read this before you buy hardware. The /dev/diag requirement is strict and it is where most people waste money. Consumer cellular modems — the SIM7600G-H in a ClockworkPi being the common example — do not expose Qualcomm's diagnostic interface, so they cannot run Rayhunter regardless of how capable they otherwise look. The Orbic RC400L is currently the only cheap, widely available device known to work. Check the project's own docs before ordering anything else.

What detection can and cannot tell you

This is the part that deserves more honesty than it usually gets:

  • Green is not a clean bill of health. It means nothing Rayhunter looks for was seen. A sophisticated CSS may not trip its heuristics at all.
  • Red is not a conviction. Networks do odd things. An anomaly is a lead to investigate, not proof of surveillance.
  • It is an instrument, not a verdict. EFF's own framing: investigative and educational, not forensic proof.
  • The point is partly collective. One of EFF's stated motivations is that almost nobody has empirical data on how widely these devices are actually deployed. Cheap detection turns that from an advocacy question into a dataset.

The other tools — and why star counts mislead

A pattern worth internalising: in this field, GitHub stars measure historical popularity, not current function. AIMSICD has thousands and may be dormant. Crocodile Hunter has over a thousand and is formally archived. Rayhunter has fewer and is the one that works. Always check the last commit before you trust a security tool — the exploit surface moves faster than the README.

Reducing your exposure

1Disable 2GThe single highest-value setting. Forced 2G downgrade is the main attack path; Android exposes this toggle and GrapheneOS makes it prominent. Costs you nothing in most countries.
2End-to-end encryptionDoesn't stop the catch — makes it yield metadata rather than content. Signal, or equivalent.
3Airplane mode genuinely worksA radio that is off cannot be tricked into attaching. Unsubtle, completely effective, occasionally the right call.
4Be realistic about threat modelA CSS is a targeted, physical-proximity technique. If one is aimed at you, so is everything else about being physically followed — and a hotspot with a red light is the least of it.

Frequently asked questions

What is an IMSI catcher?

An IMSI catcher — also called a Stingray, after the best-known Harris Corporation product line, or a cell-site simulator (CSS) in the literature — is a device that impersonates a legitimate cell tower. Phones are designed to connect to the strongest available tower and, in older protocols, to do so without the tower proving who it is. That asymmetry is the whole attack. Once your phone connects, the operator can harvest your IMSI (the unique identifier on your SIM), locate you with far more precision than a normal tower would allow, and depending on the device and protocol, intercept metadata or communications. They exploit fundamental properties of how cellular networks are designed, which is why they are hard to eliminate rather than merely hard to build.

What is Rayhunter and how does it work?

Rayhunter is a free, open-source tool released by the Electronic Frontier Foundation to detect cell-site simulators. It runs on a cheap Orbic RC400L mobile hotspot — around $20 to $30 — and monitors the control traffic between that hotspot and nearby towers. Crucially it does not touch user traffic: no web requests, calls or messages are captured, only signalling. It looks for behaviour that legitimate towers do not exhibit, such as a base station trying to downgrade your connection to 2G (which lacks modern encryption and opens the door to further attacks) or requesting your IMSI under suspicious circumstances. The interface is a traffic light: a green line means nothing unusual, red means something is. When it alerts, you connect to the hotspot's Wi-Fi, open its built-in web page, and can inspect what it saw or download a PCAP.

Why does it need that specific hotspot?

Because of a hard constraint most write-ups skip: Rayhunter needs access to Qualcomm's diagnostic interface at /dev/diag, and that is only exposed on particular hardware. The Orbic RC400L is currently the only cheap, readily available device known to work. Ordinary consumer cellular modems — the SIM7600G-H in a ClockworkPi, for example — do not expose the diagnostic interface at all, so they cannot run it no matter how much you want them to. EFF chose the Orbic precisely because it is affordable, widely available and portable, not because it is special. Other Linux/Qualcomm devices may work; the project's own documentation is the place to check before you buy anything.

Is using Rayhunter legal?

In most jurisdictions, yes, and the reason is structural: it is passive. Rayhunter only analyses the traffic between your own hotspot and the towers it talks to. It does not transmit, does not impersonate anything, and does not intercept anyone else's communications. EFF's position is that it is lawful in the US when used responsibly. That is not legal advice and frameworks differ by country — some jurisdictions regulate radio monitoring more tightly than the US does. Operating an IMSI catcher, as opposed to detecting one, is a serious offence almost everywhere.

If Rayhunter shows green, am I safe?

No, and this is the most important caveat on the page. Rayhunter is a detection tool, not proof of absence. Sophisticated cell-site simulators can behave in ways that do not trip its heuristics, and a green line means only that nothing it looks for was observed. Equally, a red line is an anomaly, not a conviction — legitimate network behaviour can occasionally look suspicious. Treat it as an investigative and educational instrument that produces evidence worth examining, not as a forensic verdict. EFF built it partly to gather primary data on how widely these devices are actually deployed, because almost nobody has that data.

What about AIMSICD and the other detection apps?

AIMSICD (Android IMSI-Catcher Detector, at github.com/CellularPrivacy/Android-IMSI-Catcher-Detector) is the best-known project in this space with over 5,000 GitHub stars, but check its commit history before relying on it — it has been dormant for a long time, and several write-ups describe it as archived. SnoopSnitch works on rooted Android phones with Qualcomm basebands. EFF's earlier Crocodile Hunter project is explicitly archived on GitHub; Rayhunter is its successor and is where EFF's effort now goes. SeaGlass, from the University of Washington, took a different approach entirely — city-wide sensor networks rather than a single device. The pattern is worth noticing: this is a field where tools go stale fast, and star counts are a poor proxy for whether something still works.

What actually reduces the risk?

Nothing eliminates it, because IMSI catchers exploit the design of cellular networks rather than a bug in them. But several things help. Disable 2G entirely if your device allows it — Android has this setting and GrapheneOS exposes it prominently — because forced 2G downgrade is the most common attack path. Use end-to-end encrypted messaging so that intercepted traffic yields metadata rather than content. Airplane mode genuinely works, because a radio that is off cannot be tricked into connecting. And understand that location tracking via a CSS is a targeted, physical-proximity technique: if it is in your threat model, so is everything else about being physically followed.

Why does this belong on an OSINT site?

Because street-level surveillance is exactly the sort of thing open-source research exists to document, and because the deployment picture is genuinely unknown. Agencies rarely disclose CSS use; some have gone to considerable lengths to avoid disclosing it in court. EFF's Street Level Surveillance project catalogues these technologies — facial recognition, ALPR, drones, IMSI catchers — precisely because the public record is so thin. Rayhunter is the point where that documentation work becomes a community-powered dataset instead of an advocacy paper: cheap enough that ordinary people can contribute primary evidence.