EFF’s Rayhunter: Open-Source Tool to Detect Cellular Spying

Summary
– The Electronic Frontier Foundation (EFF) has released Rayhunter, an open-source tool to detect cell site simulators (CSS) that mimic cell towers to collect data.
– Rayhunter is designed to run on low-cost mobile hotspots like the Orbic model, keeping the barrier to entry low for researchers and privacy advocates.
– It monitors control traffic and metadata for suspicious network behavior, such as protocol downgrades or unusual IMSI requests, without capturing user content like calls or messages.
– The tool provides a simple interface with a green line for normal activity and a red alert for potential CSS detection, plus downloadable PCAP files for deeper analysis.
– Rayhunter is available for free on GitHub and supports multiple hotspot models across different regions, aiming to map CSS presence and support privacy accountability efforts.
The Electronic Frontier Foundation (EFF) has introduced Rayhunter, a powerful open-source utility engineered to identify cell site simulators—devices that impersonate legitimate cell towers to intercept mobile communications. This tool empowers researchers, activists, and journalists to monitor cellular networks for signs of unauthorized surveillance, providing a critical layer of transparency in an era of increasing digital monitoring.
Developed with accessibility in mind, Rayhunter operates on affordable, widely available mobile hotspot hardware. At its initial release, the EFF team successfully implemented the software on an Orbic hotspot, a device retailing for approximately $30, ensuring that cost does not prevent individuals or organizations from participating in network oversight.
Rayhunter functions by analyzing control channel communications between the hotspot and nearby cellular infrastructure. It deliberately avoids capturing personal data such as voice calls or browsing history, concentrating exclusively on metadata and behavioral anomalies. The system flags irregularities—such as a tower urging a connection downgrade to a weaker encryption standard or requesting subscriber identifiers in an abnormal manner—which often indicate the presence of an IMSI catcher.
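The kind of check described above can be sketched as follows. This is an added example, not Rayhunter's own code or its actual heuristics: the event records, field names, cell IDs and rule names are constructed for illustration, and the messages are assumed to be already decoded from LTE control traffic (EEA0 is the LTE null cipher, GERAN is the 2G radio access network).

```python
from dataclasses import dataclass

# Constructed, already-decoded control-plane events (no user content).
# Field names are assumptions for this example, not Rayhunter's format.
SAMPLE_EVENTS = [
    {"t": 0.0, "cell": 101, "msg": "attach_request"},
    {"t": 0.1, "cell": 101, "msg": "authentication_request"},
    {"t": 0.2, "cell": 101, "msg": "security_mode_command", "cipher": "EEA2"},
    {"t": 9.0, "cell": 999, "msg": "attach_request"},
    {"t": 9.1, "cell": 999, "msg": "identity_request", "id_type": "IMSI"},
    {"t": 9.3, "cell": 999, "msg": "rrc_release", "redirect_rat": "GERAN"},
    {"t": 20.0, "cell": 102, "msg": "identity_request", "id_type": "IMSI"},
    {"t": 20.1, "cell": 102, "msg": "authentication_request"},
    {"t": 20.2, "cell": 102, "msg": "security_mode_command", "cipher": "EEA0"},
]

@dataclass(frozen=True)
class Alert:
    t: float
    cell: int
    rule: str

def analyze(events):
    """Return alerts for downgrade and abnormal IMSI-request patterns."""
    alerts = []
    imsi_pending = set()  # cells that asked for the IMSI and have not authenticated yet
    for ev in events:
        cell, msg = ev["cell"], ev["msg"]
        if msg == "identity_request" and ev.get("id_type") == "IMSI":
            imsi_pending.add(cell)
        elif msg == "authentication_request":
            imsi_pending.discard(cell)  # attach proceeds normally after the request
        elif msg == "security_mode_command" and ev.get("cipher") == "EEA0":
            alerts.append(Alert(ev["t"], cell, "null_cipher_selected"))
        elif msg in ("rrc_release", "attach_reject"):
            if cell in imsi_pending:  # identity collected, then the session was dropped
                alerts.append(Alert(ev["t"], cell, "imsi_taken_without_auth"))
                imsi_pending.discard(cell)
            if ev.get("redirect_rat") == "GERAN":  # pushed down to 2G
                alerts.append(Alert(ev["t"], cell, "redirect_to_2g"))
    return alerts

def status(alerts):
    """Map alerts onto the green/red indicator the article describes."""
    return "red" if alerts else "green"

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

An IMSI request on its own is not flagged here, since a legitimate network can ask for it during a first attach; the rule fires only when the identity is collected and the connection is then dropped without authentication.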
Users interact with a straightforward visual interface: a continuous green line signifies normal activity, while a shift to red serves as an alert to potential surveillance. When alerted, individuals can connect to the hotspot’s local Wi-Fi network and access a built-in dashboard to review detailed observations. For further analysis, packet capture files in PCAP format can be downloaded and shared with technical experts.
Although Rayhunter cannot disable cell site simulators, it offers a means to document their usage and frequency. By aggregating detection data over time, the tool may help expose patterns of deployment and encourage greater accountability among entities using surveillance technologies.
The software has been rigorously tested on several device models, including the Orbic RC400L (also sold as the Kajeet RC400L) and the TP-Link M7350. Additional compatible devices span various regions.
Wingtech CT2MHS01 – Americas

Rayhunter is freely available for download on GitHub, reinforcing the EFF’s commitment to accessible and practical privacy tools.
(Source: HelpNet Security)
