+++
title = "Workshopping Rayhunter: the EFF's new Cell-Site Simulator Detection Tool"
author = "eyes"
date = "2025-04-19"
description = "A retrospective on eyes' rayhunter workshop at CounterSpy"
tags = ["sandbox", "counterspy", "MIR"]
TOC = true
+++
If you saw our last post, then you know that we helped to organize the first ever CounterSpy conference at our new hackerspace in Atlanta! This article is an adaptation of and retrospective on the Rayhunter workshop that I put on for this event.
What is (a) Rayhunter?
Rayhunter is a new project by the EFF to make the detection of Stingrays (and cell-site simulators more broadly) significantly more accessible. It is an open-source application for the Orbic Speed wireless hotspot which turns it into a hyper-portable, easy-to-use piece of countersurveillance equipment.
To avoid confusion, "Rayhunter" (proper noun) refers to the software project itself, while "a rayhunter" (common noun) refers to a device built for detecting Stingrays and cell-site simulators. Rayhunter turns the Orbic Speed wireless hotspot into a rayhunter.
The Rayhunter project is all about accessibility; the Orbic hotspot can be bought on eBay for only $20-$30, and the user interface is a dead-simple binary status bar: green means all's good, red means something suspicious is going on. This all serves the EFF's goal of putting these devices into as many hands as possible and crowdsourcing as much data as possible on the usage and functionality of modern cell-site simulators by police and intelligence agencies, a topic which we currently know relatively little about.
What is a Stingray/What is a Cell-Site Simulator?
Simply put, a cell-site simulator simulates cell-sites. More specifically, it's a surveillance tool that pretends to be a real cellular base-station, tricking people's phones into connecting to it in the hopes of sniffing out user data such as IMEI/IMSI numbers, location information, and sometimes even call/SMS content. A Stingray is a very specific model of CSS (cell-site simulator), which at this point is pretty out-of-date and has largely been phased out. However, the word "Stingray" has itself become a colloquialism for CSSs more broadly.
The rabbithole of CSSs and Stingrays goes pretty deep, especially when observing all the variants of these technologies in use today. Brooke Clarke over at prc68 has an excellent writeup compiling all the various forms of Stingrays, CSSs, IMSI catchers, and much more that are in use by various government and private entities today. The technology has evolved a lot since the original Stingray, with modern variants even able to work over LTE and 5G. But the specifics of how these devices are used, where they're deployed, and what exploits they utilize still remain largely a mystery.
Our friend "Irene" put together a phenomenal talk for CounterSpy on the intricacies of CSSs which goes into far more detail than I will in this article. If you didn't catch her talk live or in-person, then you can watch the recording over in the CounterSpy Archive. It's certainly worth the watch if you are interested in this subject.
While there's a lot we don't know, the biggest question on our minds is how these devices are being utilized for political repression. With novel surveillance technologies deployed against political movements and activists at an ever-increasing rate (such as the historic repression we have seen by the Atlanta Police Department against the movement to Stop Cop City, including our friends at the Atlanta Solidarity Fund), we need to know what we can do to better protect ourselves. And this is where Rayhunter comes in.
How to Set Up and Use Rayhunter
As we've mentioned, you'll need yourself an Orbic Speed RC400L wireless hotspot. So long as you're on a flavor of Linux or macOS, the installation process is incredibly simple (the Windows install script is still under development); just download the release from the GitHub repository, extract it, plug in your hotspot, and run 'install.sh' as root. (I know... don't run random scripts as root on your machine, but this is straight from the EFF so I promise it's fineeee. Compile it yourself if you're concerned, the instructions are in the README.)
The script will run, your hotspot will reboot, and you should be greeted with a "success" message in your terminal. Congratulations! You now have your own rayhunter! You should see a (hopefully) green bar at the top of your hotspot's display. If it turns red, then your rayhunter has detected a likely CSS, and if it's grey, then it's not actively recording.
To access your rayhunter's dashboard and download its logs, just connect to the wifi hotspot and navigate to http://192.168.1.1:8080. You'll be greeted by an interface like this:
From here you can start or stop recording, view info and warnings from previous recordings, and download any of the recorded packet logs for analysis or for sending to the EFF.
An open question at this point is whether or not an activated SIM card is needed for detection of CSSs. This is an open issue on the GitHub, and nobody has an answer to this yet (namely because we don't yet know how modern CSSs really work). It certainly needs a SIM card to connect to any kind of cellular base station, but maybe not an activated one. We can collectively answer this question simply by getting more people with rayhunters out into the field detecting CSSs, using both activated and inactivated SIMs.
What we Learned from Workshopping Rayhunter
At CounterSpy 2025, we gave away 50 Orbic Speed hotspots to the audience for them to set up Rayhunter themselves and learn how it works. This ended up being pretty successful! In the end, we only had about seven left, and everyone ultimately left with fully-functional rayhunters.
The audience all shared six Linux Mint computers between themselves to conduct the installs. There were a few small issues with the install process resulting from running multiple device installations from the same download. This might pose a problem for others trying to mass-install Rayhunter as we were, but we got past this easily by just running the install script multiple times, which eventually resulted in a successful installation.
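For the install step described earlier and the shared-download trouble above, one way to stage each device's install. This is an added example, not part of the Rayhunter project or the workshop's actual procedure: it checks the downloaded archive against a SHA-256 you obtained yourself, then unpacks a fresh private copy per device. The archive being a tar file, the expected hash, and the idea that a fresh copy avoids the shared-download issue are all assumptions.

```shell
#!/usr/bin/env bash
# Added example: function names and paths are placeholders, not Rayhunter tooling.

# Print the SHA-256 of a file using whichever tool the OS ships.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'          # Linux
    else
        shasum -a 256 "$1" | awk '{print $1}'      # macOS
    fi
}

# Succeed only if the archive matches a hash you got from a source you trust.
verify_release() {
    local archive="$1" expected="$2" actual
    [ -f "$archive" ] || { echo "missing: $archive" >&2; return 2; }
    actual=$(sha256_of "$archive" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $archive" >&2
        return 1
    fi
}

# Verify, then unpack into a brand-new directory and print its path.
# Call once per device so no two installs share an extracted tree (assumption:
# leftover state in a shared tree is what caused the workshop's failures).
stage_release() {
    local archive="$1" expected="$2" dir
    verify_release "$archive" "$expected" || return 1
    dir=$(mktemp -d "${TMPDIR:-/tmp}/rayhunter-install.XXXXXX") || return 1
    tar -xf "$archive" -C "$dir" || { rm -rf "$dir"; return 1; }
    printf '%s\n' "$dir"
}

# Typical use (placeholders): dir=$(stage_release ./release.tar "$EXPECTED_SHA256")
# then read the install script under "$dir" before running it as root.
```

A mismatch or a failed extraction leaves nothing behind to run, so a truncated or swapped download never reaches the root step.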
One of the bigger takeaways I had from putting on this workshop had to be the sheer amount of interest I received from the audience on this topic. I found this interest to be universal regardless of whether any given person had a technical background or not. Maybe it was just that they were excited to go home with a cool device, or maybe Stingrays and CSSs are particularly notorious and subject to hearsay, or maybe people were just vibing with the event. I think it was likely a combination of all of these factors, but either way, this is a promising sign that the EFF is seeing success with their goal of getting as many people as possible out into the field conducting data collection on CSSs.
Time will tell if people actually use their rayhunters to conduct countersurveillance, or if they'll just end up lost in a dusty drawer. I know that I'll personally take mine to do some casual reconnaissance, and we'll also be setting up a permanent rayhunter mounted to our server rack at Sandbox to be constantly gathering data. If we end up finding anything, we'll make sure to post an update about it.
Rayhunters and You
If you're involved in political organizing or mutual aid work at all and you're considering picking one of these up, I'd say it's probably worth getting one to throw in your bag just in case. That being said, you should know that these shouldn't be relied on to tell if you're under surveillance or not. There will almost certainly be false negatives, because the EFF only built their detection methodology around CSS attacks that we currently know about. There are likely many exploits used by modern CSSs that are currently unknown, which is yet another reason we need to be gathering more data to improve our detection capabilities.
Police and intelligence agencies are constantly utilizing newer, higher tech ways of conducting illegal surveillance on social movements and on the broader population. We need to be dynamically responding to this ever-changing threat, and Rayhunter is a very enticing project to help us accomplish this with regards to a very specific form of surveillance technology. Ultimately though, the state surveillance apparatus certainly has plenty of additional means to monitor people's cellphones beyond just CSSs, many of which are more straightforward and can derive more thorough information. After all, why would police set up such a complex and expensive piece of equipment for political repression when protestors will self-identify through personal social-media accounts or through location data gathered by Apple or Google?
Your rayhunter is just one piece of a much larger security model and posture. I've made a point in this article to stress that it is a data-collection tool first, and a security tool second. I think Stingrays/CSSs have gained a certain notoriety among activists, so the idea of a "Stingray detector" is a particularly enticing tool for many people who've become scared from stories about this technology. But CSSs at protests wouldn't be a problem if people just didn't bring their phones. They wouldn't be able to read your text messages or listen to your calls if you exclusively use Signal for your communications. And they can't check your phone's DNS queries to see what webpages you've been visiting if you use a secure proxy for all your network traffic.
So use your Rayhunter to go out and collect some useful data for the EFF and their amazing team of security researchers (or for yourself if it happens to be your field). It's not going to give you any additional security or privacy in itself (if you want to know how to properly protect yourself from state and corporate surveillance, the EFF has some invaluable resources for you), but it might gather some vital data that will lead to better protection for us all in the long run.
I'm excited to see how this project develops and what data people manage to collect. I would love for Rayhunter to result in a better collective understanding of CSSs and better protections from their various attack methods, and I love that regular, non-technical people are now able to help forward that goal themselves.
Special thanks to everyone that came to CounterSpy and to those that took part in my Rayhunter workshop, and thank you to the EFF for developing and maintaining this tool! If you've gathered any interesting data with your Rayhunter you want to share, if I've made a mistake in this article, or if you have anything you want to share, feel free to reach out via email, Signal, or on Mastodon!