RF and IMSI Catcher Detection (Rayhunter)

From Resist Together Wiki

Identifying unauthorized surveillance through mobile network and radio frequency anomalies.

Overview

IMSI catchers (also known as stingrays or cell-site simulators) are surveillance devices that mimic legitimate cell towers to intercept mobile phone traffic and metadata. They can be used to:

  • Track device locations
  • Intercept or block calls and messages
  • Log IMSI/IMEI numbers for future targeting

These tools are often deployed covertly during protests, around activist hubs, or by law enforcement and intelligence agencies. Detecting their presence can help mitigate surveillance, protect movement networks, and improve situational awareness.

What is Rayhunter?

Rayhunter is a DIY, open-source project aimed at detecting rogue cell towers and radio anomalies using inexpensive hardware like RTL-SDR (software-defined radio) dongles. It provides basic alerts about suspicious changes in mobile networks, such as:

  • Sudden changes in signal strength
  • Unexpected tower identifiers (Cell ID, LAC)
  • Unusual network behavior (forced 2G downgrade, no encryption)

While not foolproof, Rayhunter and similar tools help expose likely IMSI catcher activity and prompt defensive action.

Hardware and Tools

  • RTL-SDR USB dongle: Low-cost, wideband software-defined radio receiver
  • Rayhunter software: Can be installed on Linux systems (e.g. Raspberry Pi)
  • Alternative projects: SITCH (Stingray Catcher), AIMSICD (Android), Osmocom
  • Mobile apps: Cell Spy Catcher, SnoopSnitch (Android, root required)

Use Cases in Activism

  • Detecting mobile surveillance during protests or sensitive meetings
  • Monitoring government surveillance near community centers or organizing hubs
  • Alerting organizers to potential data interception risks

Detection Tactics

  • Look for cell towers that:
      ◦ Have unusually strong signals with poor quality
      ◦ Force phones onto 2G or no encryption
      ◦ Change Cell IDs or broadcast inconsistent location codes
  • Compare tower fingerprints with known safe baselines
  • Use multiple devices or directional antennas to triangulate sources
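The checks listed above can be combined into a simple baseline comparison. The following is an added example, not code from Rayhunter or any of the projects named on this page; the record fields, the thresholds and the sample data are assumptions constructed for illustration. It only raises an alert when several indicators coincide, since a single anomaly is a common false positive.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CellObs:
    mcc: int          # mobile country code
    mnc: int          # mobile network code
    lac: int          # location area code
    cell_id: int
    rat: str          # radio access technology: "2G", "3G", "4G"
    rssi_dbm: int     # received signal strength
    snr_db: float     # signal quality
    cipher: str       # "A5/0" is the GSM null cipher (no encryption)

# Assumed thresholds for "unusually strong signal with poor quality"; tune per site.
STRONG_RSSI_DBM = -60
POOR_SNR_DB = 5.0

def indicators(obs, baseline, prev_rat=None):
    """Return the list of anomaly indicators for one observation."""
    found = []
    known = baseline.get((obs.mcc, obs.mnc, obs.cell_id))
    if known is None:
        found.append("unknown_cell_id")
    elif known["lac"] != obs.lac:
        found.append("lac_mismatch")
    if obs.rat == "2G" and prev_rat in ("3G", "4G"):
        found.append("downgrade_to_2g")
    if obs.cipher == "A5/0":
        found.append("no_encryption")
    if obs.rssi_dbm >= STRONG_RSSI_DBM and obs.snr_db <= POOR_SNR_DB:
        found.append("strong_signal_poor_quality")
    return found

def scan(observations, baseline, min_indicators=2):
    """Flag observations with at least min_indicators anomalies (limits false positives)."""
    alerts, prev_rat = [], None
    for obs in observations:
        hits = indicators(obs, baseline, prev_rat)
        if len(hits) >= min_indicators:
            alerts.append((obs.cell_id, hits))
        prev_rat = obs.rat
    return alerts

# Constructed sample data (test network MCC 1 / MNC 1): a baseline survey and three later scans.
BASELINE = {(1, 1, 1001): {"lac": 40}, (1, 1, 1002): {"lac": 40}}
SAMPLE = [
    CellObs(1, 1, 40, 1001, "4G", -85, 18.0, "EEA2"),
    CellObs(1, 1, 40, 1002, "4G", -70, 3.0, "EEA2"),
    CellObs(1, 1, 99, 7777, "2G", -48, 2.5, "A5/0"),
]
```

Calling `scan(SAMPLE, BASELINE)` flags only the third observation, which matches four indicators at once; the second, with poor quality but ordinary signal strength, stays below the alert threshold.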

Best Practices

  • Conduct scans regularly, especially before/after events
  • Combine tools — software + crowdsourced observation
  • Store logs securely in case of legal or forensic analysis
  • Share detections with trusted digital security networks

Disclaimers and Limitations

  • **Detection is not confirmation** — false positives are common
  • **IMSI catchers can rotate IDs and hide activity**
  • **Many mobile apps require root access or special configurations**
  • **Real-time alerts may not always be reliable**

Always pair technical detection with operational security: use encrypted messaging, Faraday bags, and don’t rely on phone communication in sensitive moments.

Ethical Considerations

  • Don’t use detection tools to target individuals or harass law enforcement
  • Use findings to protect and inform communities — not escalate unnecessarily

Related Topics

Resources and Further Reading

Legal Disclaimer

This page is for educational use. Using or even possessing some RF detection equipment may be regulated in certain countries. Always verify local laws, avoid interference with authorized systems, and use detection tools responsibly for defensive purposes.