posted by janrinok on Sunday March 09, @02:37PM   Printer-friendly
from the catch-my-IMSI dept.

Meet Rayhunter: A New Open Source Tool from EFF to Detect Cellular Spying

At EFF we spend a lot of time thinking about Street Level Surveillance technologies—the technologies used by police and other authorities to spy on you while you are going about your everyday life—such as automated license plate readers, facial recognition, surveillance camera networks, and cell-site simulators (CSS). Rayhunter is a new open source tool we've created that runs off an affordable mobile hotspot that we hope empowers everyone, regardless of technical skill, to help search out CSS around the world:

What makes CSS especially interesting, as compared to other street level surveillance, is that so little is known about how commercial CSS work. We don't fully know what capabilities they have or what exploits in the phone network they take advantage of to ensnare and spy on our phones, though we have some ideas.

We also know very little about how cell-site simulators are deployed in the US and around the world. There is no strong evidence either way about whether CSS are commonly being used in the US to spy on First Amendment protected activities such as protests, communication between journalists and sources, or religious gatherings. There is some evidence—much of it circumstantial—that CSS have been used in the US to spy on protests. There is also evidence that CSS are used somewhat extensively by US law enforcement, spyware operators, and scammers. We know even less about how CSS are being used in other countries, though it's a safe bet that in other countries CSS are also used by law enforcement.

CSS (also known as Stingrays or IMSI catchers) are devices that masquerade as legitimate cell-phone towers, tricking phones within a certain radius into connecting to the device rather than a tower.

CSS operate by conducting a general search of all cell phones within the device's radius. Law enforcement use CSS to pinpoint the location of phones often with greater accuracy than other techniques such as cell site location information (CSLI) and without needing to involve the phone company at all. CSS can also log International Mobile Subscriber Identifiers (IMSI numbers) unique to each SIM card, or hardware serial numbers (IMEIs) of all of the mobile devices within a given area. Some CSS may have advanced features allowing law enforcement to intercept communications in some circumstances.

[...] Until now, to detect the presence of CSS, researchers and users have had to either rely on Android apps on rooted phones, or sophisticated and expensive software-defined radio rigs. Previous solutions have also focused on attacks on the legacy 2G cellular network, which is almost entirely shut down in the U.S. Seeking to learn from and improve on previous techniques for CSS detection, we have developed a better, cheaper alternative that works natively on the modern 4G network.

[...] Rayhunter works by intercepting, storing, and analyzing the control traffic (but not user traffic, such as web requests) between the mobile hotspot Rayhunter runs on and the cell tower to which it's connected. Rayhunter analyzes the traffic in real-time and looks for suspicious events, which could include unusual requests like the base station (cell tower) trying to downgrade your connection to 2G, which is vulnerable to further attacks, or the base station requesting your IMSI under suspicious circumstances.
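As an added illustration of the kind of analysis the paragraph describes (this is not Rayhunter's code, and the event records are a constructed, simplified stand-in for real LTE NAS/RRC messages), a small Python detector for the two events named above: an RRC release that redirects the device to 2G, and an IMSI identity request arriving after the device is already attached.

```python
"""Heuristic control-plane detector in the spirit of the Rayhunter description.
Event records are a constructed, simplified representation of LTE NAS/RRC
messages, not Rayhunter's real capture format."""
from dataclasses import dataclass, field


@dataclass
class Event:
    t: float                 # seconds since capture start (constructed)
    layer: str               # "nas" or "rrc"
    msg: str                 # simplified message name
    info: dict = field(default_factory=dict)


def analyze(events):
    """Return (time, reason) alerts for the two heuristics named in the article."""
    alerts = []
    attached = False         # True once an Attach Accept has been seen
    for ev in events:
        if ev.layer == "nas" and ev.msg == "attach_accept":
            attached = True
        elif ev.layer == "nas" and ev.msg == "identity_request":
            # Asking for the IMSI before the first attach is normal; afterwards the
            # network should address the device by its temporary GUTI. A legitimate
            # MME that cannot resolve a GUTI may still ask, so treat this as a
            # signal to review, not proof of a cell-site simulator.
            if ev.info.get("id_type") == "imsi" and attached:
                alerts.append((ev.t, "IMSI requested after attach"))
        elif ev.layer == "rrc" and ev.msg == "connection_release":
            # A release whose redirect target is a 2G (GERAN) carrier is the
            # downgrade pattern the article describes.
            if ev.info.get("redirect_rat") == "geran":
                alerts.append((ev.t, "RRC release redirecting to 2G (GERAN)"))
    return alerts


SAMPLE = [  # constructed sample capture
    Event(0.0, "nas", "identity_request", {"id_type": "imsi"}),   # benign: pre-attach
    Event(0.3, "nas", "attach_accept"),
    Event(12.5, "nas", "identity_request", {"id_type": "imsi"}),  # suspicious
    Event(13.0, "rrc", "connection_release", {"redirect_rat": "geran"}),
    Event(20.0, "rrc", "connection_release", {"redirect_rat": "eutra"}),  # benign
]

if __name__ == "__main__":
    for t, why in analyze(SAMPLE):
        print(f"t={t:6.1f}s  ALERT: {why}")
```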

Originally spotted on Schneier on Security.


  • (Score: 3, Interesting) by Anonymous Coward on Sunday March 09, @03:21PM

    by Anonymous Coward on Sunday March 09, @03:21PM (#1395797)

    I might notice them if they don't use the same GSM cell IDs as the telco's. More so if they use a different Cell ID style[1]. I have configured Tasker on my phone to guess various locations based on Cell ID. My Tasker scene also logs Cell IDs.

    https://tasker.joaoapps.com/userguide-donut/en/variables.html [joaoapps.com]

    Cell ID (dynamic,monitored)
    %CELLID
    The current cell tower ID if known.
    If you are using a Cell Near state, note that sometimes the Cell Near state will stay active even though %CELLID reports that the tower ID is unknown or invalid; that is because Cell Near only responds to valid IDs to prevent the state becoming inactive e.g. due to a service interruption.

    [1] Different telcos can have different Cell ID styles. So if my guessed/cell location suddenly goes to "Unknown", and the Cell ID looks kinda different from my telco's usual, I'd continue behaving the way I normally do, since I'm a typical law abiding citizen.

  • (Score: 3, Informative) by VLM on Sunday March 09, @04:25PM (1 child)

    by VLM (445) on Sunday March 09, @04:25PM (#1395805)

    There seem to be a LOT of cell phone tower mapper apps and sites and the real story here seems to be avoiding mentioning any of them while reporting the EFF is getting in on the act.

    I like this one:

    https://www.cellmapper.net/ [cellmapper.net]

    I use what boils down to a re-seller of tmobile (google fi) and it's interesting to see where my towers are around my city. Where I live, tmobile really likes smokestacks and water towers and we have relatively few "Tower" towers, at least for tmobile.

    I admit I'm lazy and sometimes when I'm doing RF stuff I'll use cell towers as a distant beacon. So there's a water tower pumping out data on LTE band 66 a few blocks away from my house, I used to (probably still do) see traffic from 2110-2200 on my spectrum analyzer, cool. I can't demod it, but sometimes all you need to do is verify a feedline is not full of water or something is not unplugged or a TR relay is not stuck, so as long as you see "mush" above the noise floor in the same spot as usual on the analyzer, then I know what I'm messing with is probably OK. What these guys are talking about is a step beyond, actually demod and analyze the received traffic. My phone can do that, not my spectrum analyzer LOL.

    This idea of crowd sourcing tower data is "old stuff" even if it's new to have EFF support, which is cool.

    • (Score: 1, Informative) by Anonymous Coward on Sunday March 09, @05:48PM

      by Anonymous Coward on Sunday March 09, @05:48PM (#1395819)

      interesting, and thanks for the note that there are maps already.

      However, this site doesn't work. In Palemoon with uMatrix it opens to a white page with a toolbar. Even enabling various javascript CDNs, it still shows a banner across the bottom about advertising, and still doesn't show anything more than the toolbar. (It wants to include Google Tracking all over the place, though, and recaptcha?!?)

      Maybe there's a better one -- I'll take a look.

  • (Score: 3, Interesting) by Mojibake Tengu on Sunday March 09, @04:43PM

    by Mojibake Tengu (8598) on Sunday March 09, @04:43PM (#1395809)

    This is an excellent hack. I understand the original Orbic hardware is locked to Verizon services; just the possibility for people of having a free firmware is exciting.
    Fine with me.

    Here is what I can say of similar experience on the previous generations of GSM chips:
    Most of these standalone GSM chips were just modems. Really. Down to their AT command set, with lots of obscure extensions, but still just modems.
    When you get I2C to these chips, and proper datasheet docs, you can control them directly with AT, just exactly like ancient boxed modems.
    There is no magic in this. There are AT commands for voice dial and for data connection for example.
    Today's GSM may become integrated with the CPU, but I am sure the mechanics of modem control are still the same.

    For enumerating visible networks/cells without connecting to them, there is an AT command. Simple as that.

    Long ago, I used this trick on Arduino with only a 2G GSM shield, with which it was possible to enumerate visible cells and their signal strength even without a SIM (or with an expired SIM). This is exactly what your phone usually does before it picks the strongest known cell to connect to.
    I used to see an obscure GSM network then-operated by local railways, they used to have their own strategic asset for traffic control. Not visible on commercial phones. Later they sold it to commercial providers.

    I am pretty sure this Rayhunter is just an exemplar of such an approach to network observation.
    This should also be possible to do on much other hardware. Cheap dumbphones usually have a working serial bridge on USB, for example, and behave as modems on that port for sending SMSs.

    --
    Rust programming language offends both my Intelligence and my Spirit.
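The comment above does not name the command. The standard 3GPP TS 27.007 test form AT+COPS=? lists the visible networks (PLMNs, not individual cells) and on most modems answers without a registered SIM; this added Python parser for its response line (not the commenter's code, and the response shown is constructed) turns that output into operator, MCC/MNC, status and radio technology.

```python
"""Parser for the response to AT+COPS=? (3GPP TS 27.007 network-selection test
command). Added example; the sample response line is constructed."""
import re
from dataclasses import dataclass

# <stat> and <AcT> code points from TS 27.007
STAT = {0: "unknown", 1: "available", 2: "current", 3: "forbidden"}
ACT = {0: "GSM", 2: "UTRAN", 7: "E-UTRAN"}


@dataclass
class Plmn:
    stat: str
    long_name: str
    short_name: str
    mccmnc: str
    rat: str


# One entry looks like (2,"T-Mobile","TMO","31026",7); <AcT> is optional.
_ENTRY = re.compile(r'\((\d),"([^"]*)","([^"]*)","(\d{5,6})"(?:,(\d+))?\)')


def parse_cops_test(line):
    """Parse '+COPS: (<entry>),(<entry>),,(<modes>),(<formats>)' into Plmn objects."""
    line = line.strip()
    if not line.startswith("+COPS:"):
        raise ValueError("not a +COPS response")
    body = line[len("+COPS:"):]
    # The trailing ',,(...),(...)' lists supported <mode>/<format> values; drop it.
    body = body.split(",,", 1)[0]
    plmns = []
    for m in _ENTRY.finditer(body):
        stat, long_name, short_name, mccmnc, act = m.groups()
        rat = ACT.get(int(act), "?") if act is not None else "unspecified"
        plmns.append(Plmn(STAT.get(int(stat), "?"), long_name, short_name, mccmnc, rat))
    return plmns


# Constructed response: one registered network, one available, one forbidden.
SAMPLE_COPS = ('+COPS: (2,"T-Mobile","TMO","31026",7),(1,"AT&T","ATT","31041",7),'
               '(3,"Verizon","VZW","311480",7),,(0,1,2,3,4),(0,1,2)')

if __name__ == "__main__":
    for p in parse_cops_test(SAMPLE_COPS):
        print(f"{p.mccmnc:7} {p.long_name:10} {p.stat:9} {p.rat}")
```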