Welcome back, aspiring cyber warriors!
For several decades, law enforcement agencies around the world have been using IMSI catchers, also known as Stingrays, to eavesdrop on and track suspects. These IMSI catchers function as portable cell towers, intercepting cellular traffic, identifying the International Mobile Subscriber Identity, tracking its location, collecting metadata and Internet traffic, and eavesdropping on voice conversations.
To help users detect if they are being spied on, the Electronic Frontier Foundation has developed a tool called Rayhunter. In this article, we will explore what Rayhunter is and the specific surveillance issue it was designed to address.
Whether you are a security researcher, an activist, a journalist, or simply someone concerned about privacy in public spaces, this article will provide you with the knowledge to understand why Rayhunter is important and how to start using it. Let’s get rolling.
What Is Rayhunter, and What Problem Is It Solving
Rayhunter is an open source Rust program that runs on inexpensive, off-the-shelf mobile hotspot devices. Its sole mission is to monitor the cellular signals these devices receive and flag patterns consistent with a cell-site simulator’s behavior. The project is hosted publicly on GitHub at github.com/EFForg/rayhunter.
The initial release in March 2025 targeted the Orbic RC400L mobile hotspot, a device available for roughly 20-30 USD. Subsequent releases broadened hardware support to additional hotspot models, and the tool now has an installer GUI to simplify deployment for non-technical users.

Source: Rayhunter documentation
The Problem: A Surveillance Blind Spot
IMSI catchers have been used by law enforcement and intelligence agencies for decades, yet the general public has had almost no ability to detect or document their use. Previous detection approaches required either a rooted Android smartphone running specialized software or a sophisticated, expensive software-defined radio rig operated by a trained researcher. Neither option scaled to everyday use.
A further limitation of legacy detection tools was their exclusive focus on attacks against the 2G GSM cellular standard. Modern IMSI catcher equipment has evolved to operate across 3G, 4G LTE, and even 5G networks, leaving significant coverage gaps. Rayhunter was built from the ground up to address contemporary network threats, not just historical ones.
The core problem Rayhunter aims to solve can be summarized in three points: the widespread lack of empirical evidence about how IMSI catchers are deployed in practice, the inaccessibility of detection tools to the non-technical public, and the evolution of IMSI catchers beyond the 2G era into 4G and 5G territory, where existing tools offered no coverage.
Hardware: Affordable by Design
Hotspots are specialized cellular radio devices that come with accessible firmware and open diagnostic interfaces. Importantly, they are not the user’s primary phone, enabling passive detection alongside regular phone use. The device can be carried in a bag or pocket and continuously logs cellular connections without requiring user interaction.
Who Is the Electronic Frontier Foundation

The Electronic Frontier Foundation is widely regarded as one of the world’s foremost digital civil liberties organizations. The EFF works across three broad areas: legal advocacy in courts and legislatures, policy work to shape law and regulation, and technical projects that directly empower individuals to protect their digital rights.
The EFF’s technical and research program spans a wide range of tools and initiatives. Notable examples include Privacy Badger, a browser extension that blocks invisible trackers; Certbot, a free tool that automates the installation of HTTPS certificates for websites; Cover Your Tracks, an online tool that reveals how uniquely identifiable your browser is; and the Atlas of Surveillance, a publicly searchable database mapping the deployment of surveillance technologies by law enforcement agencies across the United States.
The Street Level Surveillance project is the EFF initiative most directly related to Rayhunter. SLS maintains a detailed public resource cataloguing the technologies, including facial recognition, automated license plate readers, drones, and IMSI catchers, used by police in day-to-day operations, and advocates for greater transparency and legal accountability around their use.
Rayhunter is, in many ways, the natural evolution of the EFF’s long-running IMSI catcher research, moving from documentation and advocacy to building a practical, community-powered detection system that can produce primary data on where and how these devices are deployed.
What Is a Stingray and How Is It Used for Tracking
An IMSI catcher is a device that masquerades as a legitimate mobile phone tower. When switched on, it broadcasts signals that cause nearby mobile phones and other devices with SIM cards to connect to the IMSI catcher rather than a real carrier tower. The device exploits the fundamental design of cellular networks: phones are programmed to seek out and connect to the strongest available signal, without independently verifying the authenticity of that tower.
The range of information an IMSI catcher can gather depends on its configuration and the cellular technology it targets. At a minimum, an IMSI catcher performing passive surveillance can identify every mobile device within its operating radius by capturing the International Mobile Subscriber Identity (IMSI) number stored on each SIM card and the International Mobile Equipment Identity (IMEI) hardware serial number of each handset.
With this information, an operator can determine who is present in a given area without ever placing a call or sending a message. More sophisticated devices can go further: they can force nearby phones to downgrade from a secure 4G or 5G connection to a legacy 2G connection, where communications can be intercepted without encryption. Some IMSI catcher systems can also silently deny service to targeted phones, effectively jamming their cellular connections.

Source: 2024 Jacobs Proposal Response
How IMSI Catchers Are Used for Tracking
Law enforcement agencies use IMSI catchers for several overlapping purposes. The most straightforward is locating a specific phone whose IMSI number is already known from a warrant or prior intelligence. By deploying an IMSI catcher in an area where the target is believed to be, an operator can detect the target device’s presence and narrow its location to within metres.

Source: 2024 Jacobs Proposal Response
IMSI catchers are also used for area sweeps, which capture the identifiers of all devices present at a given location or event. This use case raises significant civil liberties concerns because such sweeps inevitably collect data on large numbers of bystanders who are not the target of any investigation. There is circumstantial evidence that IMSI catchers were deployed at political protests in the United States, raising questions about the surveillance of First Amendment-protected activity.
Location data harvested by IMSI catchers overlaps with a broader ecosystem of commercial location tracking. As the EFF has documented, data brokers actively sell location records derived from mobile advertising networks, including visits to sensitive locations such as reproductive health clinics, places of worship, and immigration services. The combination of commercially available location data and law-enforcement IMSI-catcher deployments creates a comprehensive, largely invisible surveillance infrastructure.
How Rayhunter Works
Rayhunter is a Linux daemon written in Rust. It runs directly on supported mobile hotspot hardware, leveraging the cellular modem’s built-in diagnostic interfaces to capture raw signalling data. The core of its operation is the analysis of QMDL (Qualcomm Mobile Diagnostic Log) packets, low-level data streams produced by Qualcomm-based cellular modems that record the handshakes and control messages exchanged between the device and cell towers.
This approach is significant for two reasons. First, it does not require any modification to the mobile phone the hotspot is connected to. The analysis happens entirely within the hotspot device. Second, it gives Rayhunter access to signalling data that is not normally visible at the application layer, the kind of data that can reveal IMSI catcher behavior even when the IMSI catcher is operating against 4G networks, not just legacy 2G.
Detection Heuristics
Rayhunter uses a set of heuristics, or pattern-matching rules, to identify cellular behavior that is inconsistent with legitimate tower operation and suggestive of an IMSI catcher. These heuristics are documented openly in the repository and are designed to be extensible by the community.
One of the primary detection signals is a network downgrade request. A real carrier tower has no operational reason to ask a 4G-capable device to reconnect using 2G. An IMSI catcher, however, may issue exactly this request to move a target onto a protocol that is easier to intercept. Rayhunter flags this as a high-confidence indicator of potential IMSI catcher activity.
A second major heuristic involves IMSI harvesting requests. Under normal operation, a base station does not repeatedly request a device’s IMSI. That identifier is exchanged once during initial registration and then managed through temporary credentials. Unusually frequent or out-of-sequence IMSI requests are a well-documented signature of IMSI catchers probing nearby handsets.
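The two heuristics above, sketched as an added Rust example (not Rayhunter's own code). The event model is a simplified assumption standing in for parsed QMDL messages, the names `Event`, `Alert` and `analyze` are hypothetical, and both traces are constructed.

```rust
// Added illustration: a simplified event model, not Rayhunter's QMDL parser
// or its actual analyzers. All type and function names here are hypothetical.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Rat { G2, G3, G4 }

#[derive(Debug, Clone, Copy, PartialEq)]
enum Event {
    ImsiRequest,                     // network asks for the permanent identifier
    Registered,                      // registration done, temporary identity in use
    Redirect { from: Rat, to: Rat }, // network orders a reconnect on another RAT
}

#[derive(Debug, PartialEq)]
enum Alert {
    Downgrade { index: usize },
    OutOfSequenceImsi { index: usize },
    RepeatedImsi { index: usize, count: u32 },
}

// Walk one trace and apply the two heuristics the article describes.
fn analyze(events: &[Event], max_imsi_requests: u32) -> Vec<Alert> {
    let (mut alerts, mut registered, mut count) = (Vec::new(), false, 0u32);
    for (index, event) in events.iter().enumerate() {
        match *event {
            Event::Registered => registered = true,
            // Only the 4G-to-2G request is flagged; other redirects pass.
            Event::Redirect { from: Rat::G4, to: Rat::G2 } => alerts.push(Alert::Downgrade { index }),
            Event::Redirect { .. } => {}
            Event::ImsiRequest => {
                count += 1;
                // After registration the temporary identity should be used instead.
                if registered { alerts.push(Alert::OutOfSequenceImsi { index }); }
                if count > max_imsi_requests { alerts.push(Alert::RepeatedImsi { index, count }); }
            }
        }
    }
    alerts
}

// Constructed sample traces (not captured from any device).
fn benign_trace() -> Vec<Event> {
    vec![Event::ImsiRequest, Event::Registered, Event::Redirect { from: Rat::G4, to: Rat::G3 }]
}
fn suspicious_trace() -> Vec<Event> {
    vec![Event::ImsiRequest, Event::Registered, Event::ImsiRequest, Event::ImsiRequest,
         Event::Redirect { from: Rat::G4, to: Rat::G2 }]
}

fn main() {
    println!("benign: {:?}", analyze(&benign_trace(), 2));
    println!("suspicious: {:?}", analyze(&suspicious_trace(), 2));
}
```

The `max_imsi_requests` threshold is a tuning assumption of this sketch; a real analyzer would also scope its counters per cell and per time window.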
The Web Interface and User Experience
One of Rayhunter’s design priorities is accessibility. The daemon exposes a local web interface that is accessible from any device connected to the hotspot’s Wi-Fi network. The interface displays real-time status and a color-coded alert system: green indicates no anomalies detected, while red or amber indicates that one or more heuristics have been triggered.

Source: EFF
Legal Implications
Rayhunter operates on fairly solid legal ground in the United States. The tool is purely passive; it listens to openly broadcast radio signals in public space and records metadata about cellular handshakes. It does not intercept the content of any communication, which is the main criterion for violating federal wiretapping laws (specifically the Electronic Communications Privacy Act / 18 U.S.C. § 2511). Receiving publicly transmitted radio signals has long been considered legally permissible, and courts generally agree that there is no reasonable expectation of privacy for signals that are intentionally transmitted over the air.
A more nuanced question arises: Does detecting law enforcement equipment create any legal complications? There is no federal law specifically prohibiting the detection of IMSI catchers, and no court has found that using passive detection software alone constitutes obstruction of justice. However, if an officer believed that someone was deliberately alerting a surveillance target, an obstruction theory could be pursued, even if such a case would likely be weak.
State laws add a layer of complexity. A few states have enacted laws against “counterterrorism surveillance detection” or have broadly worded statutes against interference with surveillance. However, none have been tested against a passive listening tool like Rayhunter.
Outside the United States, the legal landscape shifts significantly. Several European countries impose stricter regulations on radio monitoring equipment than the US. In the UK, the Wireless Telegraphy Act 2006 prohibits the use of certain radio devices without a license, although passive monitoring of signals received is a grey area. Germany has stricter privacy laws, but also provides stronger protections for privacy tools designed to defend against surveillance. In authoritarian states, the risks become much more pronounced; running detection software could be framed as interfering with state security operations, regardless of whether such claims have any legal standing.
Anyone considering deploying Rayhunter outside the United States should consult local telecommunications and privacy laws before doing so.
Summary
For the first time, there is an affordable, open-source, and technically accessible tool that can monitor IMSI catcher activity on modern 4G networks, not just on older 2G networks.
In this article, we explored what Rayhunter is and the specific surveillance issue it was designed to address.
If you’re interested in learning more about Signals Intelligence (SDR), consider looking into our training program.
Source: HackersArise
Source Link: https://hackers-arise.com/sdr-signals-intelligence-for-hackers-discover-rayhunter-an-open-source-tool-by-eff-for-detecting-cellular-spying/