Meet Rayhunter:
A New Open Source Tool from EFF to Detect Cellular Spying

At EFF we spend a lot of time thinking about Street Level Surveillance technologies
—the technologies used by police and other authorities to spy on you while you are going about your everyday life
—such as automated license plate readers,
facial recognition,
surveillance camera networks,
and cell-site simulators (. #CSS ).

Rayhunter is a new open source tool we’ve created that runs off an affordable mobile hotspot that we hope empowers everyone,
regardless of technical skill,
to help search out CSS around the world.

CSS
(also known as #Stingrays or #IMSI #catchers)
are devices that masquerade as legitimate cell-phone towers,
tricking phones within a certain radius into connecting to the device rather than a tower.

CSS operate by conducting a general search of all cell phones within the device’s radius.

Law enforcement use CSS to pinpoint the location of phones
often with greater accuracy than other techniques such as cell site location information (CSLI)
and without needing to involve the phone company at all.

CSS can also log International Mobile Subscriber Identifiers (IMSI numbers) unique to each SIM card,
or hardware serial numbers (IMEIs) of all of the mobile devices within a given area.

Some CSS may have advanced features allowing law enforcement to intercept communications in some circumstances.

What makes CSS especially interesting, as compared to other street level surveillance, is that
so little is known about how commercial CSS work.

We don’t fully know what capabilities they have
or what exploits in the phone network they take advantage of to ensnare and spy on our phones, though we have some ideas.

We also know very little about how cell-site simulators are deployed in the US and around the world.

There is no strong evidence either way about whether CSS are commonly being used in the US to spy on First Amendment protected activities
such as protests, communication between journalists and sources, or religious gatherings.

There is some evidence
—much of it circumstantial
—that CSS have been used in the US to spy on protests.

There is also evidence that CSS are used somewhat extensively by US law enforcement,
spyware operators, and scammers.

We know even less about how CSS are being used in other countries,
though it's a safe bet that in other countries CSS are also used by law enforcement.

Much of these gaps in our knowledge are due to a lack of solid, empirical evidence about the function and usage of these devices.

Police departments are resistant to releasing logs of their use,
even when they are kept.

The companies that manufacture CSS are unwilling to divulge details of how they work.

Until now, to detect the presence of CSS, researchers and users have had to either rely on Android apps on rooted phones,
or sophisticated and expensive software-defined radio rigs.

Previous solutions have also focused on attacks on the legacy 2G cellular network, which is almost entirely shut down in the U.S.

Seeking to learn from and improve on previous techniques for CSS detection we have developed a better, cheaper alternative that works natively on the modern 4G network.

https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-open-source-tool-eff-detect-cellular-spying

Cell Site Simulators ( #CSS ), also known as #IMSI catchers,
are among law enforcement’s most closely-guarded secret surveillance tools.

They act like real cell phone towers,
“tricking” mobile devices into connecting to them,
designed to intercept the information that phones send and receive,
like the location of the user and metadata for phone calls, text messages, and other app traffic.

CSS are highly invasive and are used covertly.

In the past, law enforcement used a technique called
“parallel construction”
—collecting evidence in a different way to reach an existing conclusion
in order to avoid disclosing how law enforcement originally collected it
—. to circumvent public disclosure of location findings made through CSS.

This technology is like a dragging fishing net, rather than a focused single hook in the water.

Every phone in the vicinity connects with the device;
even people completely unrelated to an investigation get wrapped up in the surveillance.

CSS, like other surveillance technologies, subjects civilians to widespread data collection,
even those who have not been involved with a crime,
and has been used against protestors and other protected groups, undermining their civil liberties.

️Their adoption should require public disclosure,
️but this rarely occurs.

In Massachusetts, agencies are expected to get a #warrant before conducting any cell-based location tracking.
The City of Boston is known to own a CSS. 

Dozens of policing agencies are currently using cell-site simulators (CSS) by #Jacobs #Technology and its Engineering Integration Group (EIG), according to newly-available documents on how that company provides CSS capabilities to local law enforcement.

A proposal document from Jacobs Technology,
provided to the Massachusetts State Police (MSP) and first spotted by the Boston Institute for Nonprofit Journalism (BINJ),
outlines elements of the company’s CSS services, which include discreet integration of the CSS system into a Chevrolet Silverado and lifetime technical support .

The proposal document from Jacobs provides some of the most comprehensive information about modern CSS that the public has had access to in years.

It confirms that law enforcement has access to CSS
capable of operating on 5G
as well as older cellular standards.

It also gives us our first look at modern CSS hardware.

The Jacobs system runs on at least nine software-defined radios that simulate cellular network protocols on multiple frequencies
and can also gather #wifi intelligence.

As these documents describe, these CSS are meant to be concealed within a common vehicle.

Antennas are hidden under a false roof so nothing can be seen outside the vehicles,
which is a shift from the more visible antennas and cargo van-sized deployments we’ve seen before.

The system also comes with a TRACHEA2+ and JUGULAR2+ for direction finding and mobile direction finding.

Important to the MSP contract is the modification of a Chevrolet Silverado with the CSS system.

This includes both the surreptitious installment of the CSS hardware into the truck and the integration of its software user interface into the navigational system of the vehicle.

According to Jacobs, this is the kind of installation with which they have a lot of experience.

Jacobs has built its CSS project on military and intelligence community relationships,
which are now informing development of a tool used in domestic communities,
not foreign warzones.

#Harris #Corporation, later #L3Harris #Technologies, Inc.,
was the largest provider of CSS technology to domestic law enforcement
but stopped selling to non-federal agencies in 2020.

Once Harris stopped selling to local law enforcement the market was open to several competitors,
one of the largest of which was #KeyW #Corporation.

Following Jacobs’s 2019 acquisition of The KeyW Corporation and its Engineering Integration Group (EIG),
Jacobs is now a leading provider of CSS to police,
and it claims to have
more than 300 current CSS deployments globally.

https://www.eff.org/deeplinks/2024/06/next-generation-cell-site-simulators-here-heres-what-we-know