Full Report
The Electronic Frontier Foundation (EFF) has released a free, open-source tool named Rayhunter that is designed to detect cell-site simulators (CSS), also known as IMSI catchers or Stingrays. [...]
Analysis Summary
# Tool/Technique: Rayhunter
## Overview
Rayhunter is an open-source tool developed to help users detect the use of Stingray devices, which are used for cellular surveillance (often called IMSI catchers). Rayhunter achieves detection by capturing, storing, and analyzing control traffic (signaling data) between the mobile hotspot it runs on and the connected cell tower, specifically looking for suspicious communications that indicate a Stingray is impersonating a legitimate cell tower.
## Technical Details
- Type: Tool
- Platform: Linux/Qualcomm devices (specifically tested on Orbic RC400L mobile hotspot)
- Capabilities: Intercepts and analyzes cellular control plane signaling traffic in real-time to identify Stingray activity. Provides visual and log-based alerts.
- First Seen: Information not explicitly provided in the text beyond its announcement by EFF.
## MITRE ATT&CK Mapping
(Note: Rayhunter is a defensive tool; the mapping below describes the Stingray activity it detects, which is closest to Reconnaissance/Collection against the victim's device.)
- TA0043 - Reconnaissance
- T1590 - Gather Victim Network Information
- *Note: Stingrays collect identities and signaling data from nearby handsets; Rayhunter is a countermeasure that detects that activity rather than performing it.*
## Functionality
### Core Capabilities
- Intercepts, stores, and analyzes control traffic (signaling data) between the mobile hotspot and the cell tower.
- Does **not** monitor user traffic (e.g., web requests).
- Visual Alert system: Changes the default screen color (Green/Blue) to Red upon detecting potential Stingray activity.
- Data Logging: Keeps PCAP logs of suspicious events on the device for forensics.
### Advanced Features
- Detects suspicious requests, such as a base station attempting to force a connection downgrade to 2G (GSM lacks mutual authentication and uses weak or no encryption, so a downgraded connection can be intercepted or further attacked).
- Detects abnormal requests for sensitive information, such as the IMSI (International Mobile Subscriber Identity), which uniquely identifies the SIM and is sent in the clear in an identity response before NAS security is established.
- Operates on an inexpensive, portable device (Orbic RC400L, costing around $20).
## Indicators of Compromise
(Rayhunter detects IoCs associated with Stingray activity rather than having them itself.)
- File Hashes: N/A (The artifact is the software/configuration on the hotspot)
- File Names: PCAP logs (details not specified)
- Registry Keys: N/A
- Network Indicators: Suspicious control-plane signaling patterns (e.g., an RRC connection release that redirects the device to a 2G carrier, or a NAS identity request for the IMSI). No C2 or IP-layer indicators apply: the tool observes local radio signaling, not network connections.
- Behavioral Indicators: Detection of abnormal control traffic signaling against the connected device.
## Associated Threat Actors
- **Associated with Stingray deployment (The target of Rayhunter):** Law enforcement agencies or potentially sophisticated threat actors using IMSI Catcher technology.
- **Developer:** Electronic Frontier Foundation (EFF).
## Detection Methods
- Signature-based detection: Based on analysis of known malicious signaling sequences characteristic of Stingrays (e.g., specific location update requests or paging procedures).
- Behavioral detection: Analyzing deviations from expected cellular protocol communication patterns, especially regarding connection downgrades or identity requests.
- YARA rules: N/A (Tool analyzes raw radio traffic, not endpoint files, absent specific Rayhunter binary analysis).
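The two heuristics named under Advanced Features and again under Detection Methods (a redirect to 2G and an identity request for the IMSI) can be shown as a small stateful analyzer over decoded signaling events. This is an added example, not Rayhunter's own code: it consumes a constructed list of already-decoded events, and the event and field names (`rrc_connection_release`, `redirect_rat`, `nas_identity_request`, `identity_type`, `attach_accept`) are assumptions that mirror 3GPP LTE RRC/NAS terminology. A real deployment would need a Qualcomm diag/QMDL parser in front of it, which this example does not include.

```python
"""Toy control-plane analyzer for the two Stingray heuristics on this page.

Added example, not Rayhunter's code.  Events are constructed dicts whose
keys are assumed names modelled on 3GPP LTE RRC/NAS messages; a real tool
would decode them from the modem's diag stream.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Labels a downgrade redirect would target (assumed spelling of the RAT names).
LEGACY_2G_RATS = {"geran", "gsm"}


@dataclass
class Alert:
    severity: str      # "high" or "medium" (severity scale is this example's own)
    reason: str
    event_index: int


@dataclass
class SessionState:
    """What the analyzer knows about the UE so far; updated as events are scanned."""
    attached: bool = False   # an Attach Accept has been seen (network holds a GUTI)
    imsi_requests: int = 0


def analyze_event(index: int, ev: Dict, state: SessionState) -> Optional[Alert]:
    kind = ev.get("msg")

    if kind == "attach_accept":
        # Once attached, the network has a temporary identity (GUTI) for the UE
        # and should not need to ask for the permanent IMSI again.
        state.attached = True
        return None

    if kind == "rrc_connection_release":
        # An RRC release carrying a redirect to GERAN is the classic forced 2G downgrade.
        if str(ev.get("redirect_rat", "")).lower() in LEGACY_2G_RATS:
            return Alert("high", "RRC release redirects UE to 2G (possible forced downgrade)", index)
        return None

    if kind == "nas_identity_request":
        if str(ev.get("identity_type", "")).lower() == "imsi":
            state.imsi_requests += 1
            # First IMSI request during initial attach can be legitimate (unknown GUTI);
            # a request after attach, or a repeat, is much harder to explain.
            if state.attached or state.imsi_requests > 1:
                return Alert("high", "IMSI requested after the network already holds a temporary identity", index)
            return Alert("medium", "IMSI requested in the clear during initial attach", index)
        return None

    return None


def scan(events: Iterable[Dict]) -> Tuple[str, List[Alert]]:
    """Return (screen_colour, alerts): 'red' if any heuristic fired, else 'green'."""
    state = SessionState()
    alerts: List[Alert] = []
    for i, ev in enumerate(events):
        alert = analyze_event(i, ev, state)
        if alert is not None:
            alerts.append(alert)
    return ("red" if alerts else "green"), alerts


# Constructed sample sessions (not real captures).
SUSPICIOUS_EVENTS = [
    {"msg": "rrc_connection_request", "cause": "mo-Signalling"},
    {"msg": "nas_attach_request", "identity_type": "guti"},
    {"msg": "attach_accept"},
    {"msg": "nas_identity_request", "identity_type": "imsi"},        # after attach: high
    {"msg": "rrc_connection_release", "redirect_rat": "GERAN"},      # 2G downgrade: high
]

BENIGN_EVENTS = [
    {"msg": "rrc_connection_request", "cause": "mo-Data"},
    {"msg": "nas_attach_request", "identity_type": "guti"},
    {"msg": "attach_accept"},
    {"msg": "rrc_connection_release", "redirect_rat": "EUTRA"},      # stays on LTE: fine
]

if __name__ == "__main__":
    colour, found = scan(SUSPICIOUS_EVENTS)
    print("screen:", colour)
    for a in found:
        print(f"[{a.severity}] event {a.event_index}: {a.reason}")
```

The "attached" state is what keeps the IMSI heuristic from firing on every first attach to a new network, where a genuine MME that cannot resolve the GUTI will legitimately ask for the IMSI; treating a post-attach or repeated request as high severity is the example's own choice, not a rule from the page.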
## Mitigation Strategies
- Ensure devices are configured to resist 2G downgrades where possible (recent Android releases expose an "Allow 2G" toggle on supported handsets; on other platforms this may not be configurable).
- Using Rayhunter provides an early warning detection mechanism.
- Forensic analysis of collected PCAP logs after an alert.
## Hardening Recommendations
- Users should refer to the EFF's GitHub repository for installation instructions on compatible Linux/Qualcomm devices.
- Legal consultation is recommended before deploying the tool, as legality varies by jurisdiction.
## Related Tools/Techniques
- Stingray / IMSI Catchers (The technology being detected)
- Other detection methods mentioned: Those requiring rooted Android phones and expensive Software-Defined Radios (SDRs).