177 points by stefankuehnel 8 months ago | 10 comments
  • derac 8 months ago
    I can see why they'd write it for a specific cheap device. Is this stuff possible with a typical phone modem, though; or does it rely on some special features? Forgive my ignorance. :)
    • bri3d 8 months ago
      Possible, yes, it's just looking at various 3GPP network messages and parsing out a few common anomalies. Accessible, not all the time.

      This project uses QMDL (Qualcomm debug logging) on a device with an accessible modem debug port and debug logging enabled. Most older Qualcomm devices have this form of debug logging available by default, but on newer devices, the debug interface is usually more locked down, requiring some degree of shenanigans to access.

      Take a look at SnoopSnitch (similar project for Qualcomm Android phones), QCSuper and MobileInsight (tools capable of capturing signaling data from QC and Mediatek phones), and SCAT (capable of capturing signaling data from some Samsung basebands).

      Other vendors usually have similar debug modes for their modems, but they often aren't reverse engineered or as easy to access as the Qualcomm ones.

      • derac 8 months ago
        Amazing reply, thank you!
    • windhaven 8 months ago
      In the blog post[0], they mention it being possible with rooted Androids - so likely possible, just requires more access to what the modem's doing than the OS normally provides. [0]: https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-ope...
    • JKCalhoun 8 months ago
      I see the devices vary quite a bit in price on eBay: Verizon, Unlocked, etc. Anyone know if it matters whether locked, Verizon, AT&T, etc.?
  • aerostable_slug 8 months ago
    How would one test this device to know that it works? It would seem actual cell site simulators would be rare in the wild for many HN readers.
    • edm0nd 8 months ago
      You could bring it to a large festival or even a protest. Law enforcement deploys them all the time. I found one using SnoopSnitch on an Android phone while at a large festival here in Louisiana.
      • rtkwe 8 months ago
        Does that work by comparing known cell sites to found cell sites? I know some StingRay detectors use that method and it's prone to false positives around large events where mobile carriers or 3rd parties bring in legitimate temporary cell sites to improve cell service at the venue and provide more capacity.
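Putting the two heuristics discussed in this thread side by side (bri3d's parsing of signaling messages for common anomalies, and rtkwe's comparison of observed cells against known cell sites with its temporary-event false-positive problem), here is an added Python sketch that is not Rayhunter's, SnoopSnitch's or any other named tool's code. The observation records, the known-cell set (a stand-in for data such as OpenCellID) and the event allowlist are all constructed.

```python
"""Toy cell-site-simulator heuristics over constructed observation records.

Added example, not Rayhunter's or SnoopSnitch's code. A real capture would
come from modem debug logs (e.g. QMDL); here the records are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CellObs:
    t: int          # seconds since capture start (constructed)
    rat: str        # radio access technology: "LTE", "UMTS" or "GSM"
    mcc: int        # mobile country code
    mnc: int        # mobile network code
    area: int       # TAC (LTE) or LAC (2G/3G)
    cid: int        # cell identity
    rsrp_dbm: int   # reported signal strength of the serving cell


# Cells seen before / exported from open data (constructed stand-in).
KNOWN_CELLS = {(310, 260, 1001, 55001), (310, 260, 1001, 55002)}
# Legitimate temporary capacity cells announced for an event (constructed).
# Without this allowlist, known-cell comparison alone would flag them.
EVENT_ALLOWLIST = {(310, 260, 1001, 77001)}

RAT_RANK = {"LTE": 3, "UMTS": 2, "GSM": 1}


def analyze(obs: list[CellObs]) -> list[str]:
    """Return human-readable alerts; an empty list means nothing anomalous."""
    alerts, prev = [], None
    for o in obs:
        key = (o.mcc, o.mnc, o.area, o.cid)
        # Heuristic 1: serving cell is neither known nor an announced event cell.
        if key not in KNOWN_CELLS and key not in EVENT_ALLOWLIST:
            alerts.append(f"t={o.t}: unknown cell {key} on {o.rat}")
        # Heuristic 2: generation downgrade although the previous, higher-
        # generation cell still had usable signal (> -100 dBm, constructed bound).
        if prev and RAT_RANK[o.rat] < RAT_RANK[prev.rat] and prev.rsrp_dbm > -100:
            alerts.append(f"t={o.t}: downgrade {prev.rat}->{o.rat} at {prev.rsrp_dbm} dBm")
        prev = o
    return alerts


# Constructed capture: known LTE cell, then an event cell, then a sudden
# unknown GSM cell while LTE signal was still strong.
SAMPLE_OBS = [
    CellObs(0, "LTE", 310, 260, 1001, 55001, -95),
    CellObs(30, "LTE", 310, 260, 1001, 77001, -90),
    CellObs(60, "GSM", 310, 260, 1001, 90001, -70),
]

if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE_OBS)) or "no alerts")
```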
    • evandrofisico 8 months ago
      Here in Brazil criminals are starting to use those to send phishing SMS, exploiting our ubiquitous mobile payment system (pix) or pretending to be a second authentication factor for banks.
    • d4mi3n 8 months ago
      They are quite common in some municipalities. There are folks who talk about this at length in cybersecurity circles every year at conferences, it’s been an issue for a long while and the scope of the problem continues to grow.

      The EFF also writes on the topic from time to time. See: https://www.eff.org/deeplinks/2024/06/next-generation-cell-s...

    • alienthrowaway 8 months ago
      Visit Washington, DC.
  • transpute 8 months ago
    iPhone Field Test Mode can be informative, https://www.xda-developers.com/how-access-field-test-mode-io... when combined with open data on cell tower identity, https://opencellid.org

      Dial *3001#12345#*

    It can sometimes be informative to turn off Data Roaming in cellular settings.

    (e)SIM password can provide an additional layer of control over when the phone contacts a cellular tower.

    • slicktux 8 months ago
      Wow! Thanks for the information! Very neat!
  • ofrzeta 8 months ago
    What's inside the Orbic? Any chance to make this work on a different device? Orbics don't seem to be very easy to get in Europe.
  • edm0nd 8 months ago
    You can buy these off eBay for pretty cheap.

    Unlocked RC400L's are going for ~$19.99

    Gunna look into getting one and making one of these to play with.

  • jsiepkes 8 months ago
    Pretty cool!

    I'm wondering if using an IMSI catcher is still effective? Most of the time I'm using calling over wifi (VoLTE) or I'm in a car (where an IMSI catcher isn't really practical).

    • thephyber 8 months ago
      The purpose is to track the location of a specific phone using triangulation based on the closest cell towers which receive the phone’s signals. The phone maintains a connection to the nearest cell tower(s) to be on the network in case a call is initiated.

      It’s not necessarily intended to intercept, although I believe there were some that downgraded 3G to 2G to be able to potentially do that.

      I don’t know whether downgrade attacks are still viable (or needed).

      • fc417fc802 8 months ago
        Note that if you are being specifically targeted then a warrant to the provider would presumably net the equivalent of real time 911 location data.

        As far as I understand, outside of active interception the only use for these things is warrantless dragnet surveillance of location. (And active interception is increasingly not possible due to better security practices.)

    • banku_brougham 8 months ago
      From what I've read about stingrays here on HN, the device is fooling your cell phone to make a tower connection using the mobile network. This does not depend on you making a call, the cell phone is normally doing background activity to connect to cell towers all the time.

      IIRC even with airplane mode the stingray can capture phone info, IMEI, GPS location, etc.

      • bri3d 8 months ago
        > IIRC even with airplane mode the stingray can capture phone info, IMEI, GPS location, etc.

        No. Airplane mode turns off the cellular radio's emissions, that's the whole point. A cellular base station emulator isn't going to do anything in that situation.
