EFF's 'Rayhunter' Device Shines a Light On Cellular Spying

The world’s near-ubiquitous reliance on digital technology means there are more ways to spy on someone today than, say, half a century ago. What isn’t new is that many of these modern surveillance techniques are wielded by law enforcement, private security contractors, and federal agencies. These entities are reluctant to admit to the public just how prevalent license plate readers, facial recognition software, cameras, and so-called cell-site simulators (CSS) really are, making it difficult for researchers to capture the extent of the 21st-century surveillance landscape and for journalists, activists, and others to protect sensitive information.
To shine a light on today’s sneakiest forms of digital surveillance, the non-profit digital rights group Electronic Frontier Foundation (EFF) has created a device that detects nearby CSS. Consisting of a cheap mobile hotspot, Rayhunter circumvents the need for a rooted Android smartphone or a specialty radio rig, allowing users to uncover suspicious activity in real time.
CSS are small mobile devices that masquerade as cell towers. Once an artificial cellular network has been deployed, cellular devices in the area connect to it as they would a regular tower. Without the device owners’ knowledge, the artificial CSS network then collects those devices’ data, from their unique identifiers to their movements (if multiple CSS are used, like checkpoints throughout a specified area). Some CSS units, such as L3Harris’s Stingray, can even track a device’s call metadata and the contents of their unencrypted text messages.
In an article published last week, EFF noted that there currently “is no strong evidence either way about whether CSS are commonly being used in the US to spy on First Amendment protected activities such as protests, communication between journalists and sources, or religious gatherings.” But the fact that US law enforcement and scammers are known to use CSS at all (and that the former won’t say just how much it uses the technology) has the EFF wary of how CSS might impact individual freedoms in the US and beyond. Hence Rayhunter.
Rayhunter is an open source tool designed to run on the Orbic RC400L mobile hotspot. After Rayhunter has been installed, this small device—which costs about $11 online—runs the tool whenever it’s powered on. As it analyzes the traffic between itself and the cell tower to which it’s connected, it looks for suspicious activity, like an attempt to downgrade the user’s connection to 2G (which makes a device more susceptible to attacks) or a request for a device’s International Mobile Subscriber Identity (IMSI), the unique identifier attached to the device’s SIM card. A green line on the Orbic device indicates that no suspicious activity has been identified, while a red line suggests a CSS might be active nearby.
For some users, it might be enough to know that they’re at risk of being caught in a CSS net. (EFF recommends these users simply put their device in airplane mode and/or leave the area if they’re worried about their data.) For others, like security researchers, a closer look at the potential threat might be necessary. These users can connect to the Orbic device via Wi-Fi or USB to record and analyze a threat.
EFF emphasizes that while its researchers believe Rayhunter doesn’t violate any US laws or regulations in the US, users still leverage the tool at their own risk, whether they’re in the US or outside of it. Still, the tool might be useful when it comes to determining just how widespread CSS usage really is.
© 2001-2025 Ziff Davis, LLC., a Ziff Davis company. All Rights Reserved.
ExtremeTech is a federally registered trademark of Ziff Davis, LLC and may not be used by third parties without explicit permission. The display of third-party trademarks and trade names on this site does not necessarily indicate any affiliation or the endorsement of ExtremeTech. If you click an affiliate link and buy a product or service, we may be paid a fee by that merchant.

source