Rayhunter: Detecting IMSI Catchers
This talk introduces Rayhunter, an open-source tool designed to detect IMSI catchers (cell-site simulators) by analyzing Qualcomm diagnostic protocol messages. The research focuses on identifying malicious base stations that perform 2G downgrade attacks, null cipher injection, and unauthorized IMSI/IMEI requests. The tool provides a user-friendly web interface for real-time detection and pcap analysis, enabling activists and researchers to identify surveillance activity in the field. The presentation also details the process of porting the tool to various low-cost mobile hotspots.
Detecting IMSI Catchers with Rayhunter: A Practical Approach to Mobile Surveillance
TLDR: Modern IMSI catchers have evolved beyond simple 2G-based interception, moving to native 4G/LTE attacks that exploit pre-authentication vulnerabilities. The Rayhunter project provides a low-cost, open-source framework to detect these devices by analyzing Qualcomm diagnostic protocol traffic. By monitoring for suspicious tracking area updates and null cipher requests, researchers can now identify surveillance activity in real-time using affordable mobile hotspots.
Mobile surveillance has long been the domain of high-budget state actors, but the barrier to entry for deploying cell-site simulators has plummeted. While many security professionals still associate IMSI catchers with legacy 2G protocols, the reality is that modern surveillance tools have moved to 4G/LTE. These devices exploit the "glass jaw" of cellular networks: the period before a device completes its authentication handshake with a base station. During this window, a phone will blindly trust and respond to messages from any tower that claims to be part of the network, leaking hardware identifiers like the IMSI or IMEI in the process.
The Mechanics of Modern Mobile Surveillance
The core issue lies in the design of the Radio Resource Control (RRC) and Non-Access Stratum (NAS) layers. Even in 4G, where the network is supposed to authenticate itself to the device, the initial exchange of system information blocks (SIBs) and connection requests occurs before any cryptographic identity verification is finalized.
Attackers exploit this by forcing a device to connect to a malicious base station. Once the connection is established, the attacker can perform several operations:
- 2G Downgrade Attacks: Forcing the device to drop to 2G, where encryption is either non-existent or easily cracked, allowing for SMS interception or content injection.
- Null Cipher Injection: Requesting that the device communicate without encryption, which is often accepted by the phone if the network claims it is a temporary emergency or diagnostic state.
- Identity Harvesting: Sending an identity request to force the device to broadcast its IMSI or IMEI, which is then used to track the user's physical location.
Analyzing Qualcomm Diagnostic Traffic
Rayhunter works by tapping into the Qualcomm diagnostic protocol, which is exposed on many mobile modems via a /dev/diag interface. This interface provides a raw stream of the traffic passing between the modem and the base station. By capturing this data, Rayhunter parses the frames and applies heuristics to identify the tell-tale signs of a malicious tower.
The tool focuses on three primary indicators:
- Incomplete SIB Chains: Legitimate base stations broadcast a full set of system information blocks. Malicious stations often broadcast only the bare minimum required to force a connection, leaving the SIB chain incomplete.
- Unauthorized IMSI/IMEI Requests: A legitimate network rarely sends an identity request without a valid reason. If a base station asks for the IMSI or IMEI immediately upon connection, before issuing any authentication challenge, it is a high-confidence indicator of surveillance.
- Tracking Area Update (TAU) Manipulation: Attackers often send a TAU reject message with a specific error code to force the device to re-attach or to log the device's presence in a specific area.
If you are testing this on a device, you can monitor the diagnostic output directly. A typical command to verify your modem's diagnostic port might look like this:
ls -l /dev/diag
# Ensure you have read/write permissions to the diagnostic interface
./rayhunter --interface /dev/diag --output pcap
Real-World Testing and False Positives
Threat hunting in the cellular space is notoriously difficult because the "normal" behavior of a phone network is often indistinguishable from an attack. Legitimate networks frequently perform re-attachments, and roaming scenarios can trigger identity requests that look suspicious.
The "wallet inspector" attack—where a tower requests an identity and then immediately disconnects the device—is a classic signature of a commercial IMSI catcher. During field tests, we observed this behavior in high-traffic areas like transit hubs. When a device receives a TAU reject with an "Illegal UE" or "Illegal ME" cause code, it is a strong signal that the base station is not just misconfigured, but actively trying to identify or track the device.
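The indicators listed under "Analyzing Qualcomm Diagnostic Traffic" and the "wallet inspector" pattern described here can be expressed as a small rule engine over a stream of decoded events. The block below is an added example, not Rayhunter's own code: the event model, field names, cell ids and the sample trace are all assumptions constructed for illustration (the real tool decodes these from Qualcomm DIAG log packets). The EMM cause values 3 (Illegal UE) and 6 (Illegal ME) follow 3GPP TS 24.301; the SIB rule is simplified to "SIB1 seen but never SIB2".

```rust
// Added example (not Rayhunter's own code): heuristics from the write-up applied
// to already-decoded LTE RRC/NAS events. Event model is an assumption.
use std::collections::{BTreeSet, HashMap};

/// Mobile identity types a network can ask for in a NAS Identity Request.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum IdType { Imsi, Imei, Guti }

/// EMM cause values (3GPP TS 24.301) the write-up names as tracking signals.
pub const CAUSE_ILLEGAL_UE: u8 = 3;
pub const CAUSE_ILLEGAL_ME: u8 = 6;

/// One decoded over-the-air event, tagged with the cell it came from.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Event {
    Sib { cell: u32, sib: u8 },                        // system information block broadcast
    RrcSetup { cell: u32 },                            // start of an RRC connection
    AuthRequest { cell: u32 },                         // NAS Authentication Request
    IdentityRequest { cell: u32, id: IdType },         // NAS Identity Request
    SecurityModeCommand { cell: u32, eea: u8 },        // chosen cipher, 0 = EEA0 (null)
    TauReject { cell: u32, cause: u8 },                // TAU Reject with EMM cause
    RrcRelease { cell: u32, redirect_to_geran: bool }, // release, optionally pushing UE to 2G
}

#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Finding { pub cell: u32, pub rule: &'static str }

/// Per-connection state the NAS rules need.
#[derive(Default)]
struct ConnState { authenticated: bool, id_requested: bool }

pub fn analyze(events: &[Event]) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut sibs: HashMap<u32, BTreeSet<u8>> = HashMap::new();
    let mut conns: HashMap<u32, ConnState> = HashMap::new();
    let flag = |f: &mut Vec<Finding>, cell: u32, rule: &'static str| f.push(Finding { cell, rule });

    for ev in events {
        match ev {
            Event::Sib { cell, sib } => { sibs.entry(*cell).or_default().insert(*sib); }
            Event::RrcSetup { cell } => { conns.insert(*cell, ConnState::default()); }
            Event::AuthRequest { cell } => { conns.entry(*cell).or_default().authenticated = true; }
            Event::IdentityRequest { cell, id } => {
                let st = conns.entry(*cell).or_default();
                st.id_requested = true;
                // Hardware identifier demanded before any authentication challenge.
                if !st.authenticated && matches!(id, IdType::Imsi | IdType::Imei) {
                    flag(&mut findings, *cell, "identity_request_before_auth");
                }
            }
            Event::SecurityModeCommand { cell, eea } => {
                if *eea == 0 { flag(&mut findings, *cell, "null_cipher_eea0"); }
            }
            Event::TauReject { cell, cause } => {
                if *cause == CAUSE_ILLEGAL_UE || *cause == CAUSE_ILLEGAL_ME {
                    flag(&mut findings, *cell, "tau_reject_illegal_ue_me");
                }
            }
            Event::RrcRelease { cell, redirect_to_geran } => {
                if *redirect_to_geran { flag(&mut findings, *cell, "release_redirect_to_2g"); }
                // "Wallet inspector": identity collected, then dropped without ever authenticating.
                if let Some(st) = conns.remove(cell) {
                    if st.id_requested && !st.authenticated {
                        flag(&mut findings, *cell, "identity_then_release");
                    }
                }
            }
        }
    }
    // Incomplete SIB chain (simplified): a cell that never broadcast SIB2, which
    // carries the parameters a UE needs to access the cell, is flagged.
    for (cell, seen) in &sibs {
        if !seen.contains(&2) { flag(&mut findings, *cell, "incomplete_sib_chain"); }
    }
    findings.sort(); // HashMap iteration order is arbitrary; make output deterministic
    findings
}

/// Constructed sample trace: cell 100 behaves like a real network, cell 666 like
/// the "wallet inspector" catcher described above (all values made up).
pub fn sample_trace() -> Vec<Event> {
    use Event::*;
    vec![
        Sib { cell: 100, sib: 1 }, Sib { cell: 100, sib: 2 }, Sib { cell: 100, sib: 3 },
        RrcSetup { cell: 100 },
        AuthRequest { cell: 100 },
        SecurityModeCommand { cell: 100, eea: 2 },       // EEA2 selected
        IdentityRequest { cell: 100, id: IdType::Imei }, // after auth: not flagged
        RrcRelease { cell: 100, redirect_to_geran: false },
        Sib { cell: 666, sib: 1 },                       // SIB1 only
        RrcSetup { cell: 666 },
        IdentityRequest { cell: 666, id: IdType::Imsi }, // IMSI demanded before any auth
        TauReject { cell: 666, cause: CAUSE_ILLEGAL_UE },
        RrcRelease { cell: 666, redirect_to_geran: true }, // pushed down to 2G
    ]
}

fn main() {
    for f in analyze(&sample_trace()) {
        println!("cell {}: {}", f.cell, f.rule);
    }
}
```

Run it and only cell 666 produces findings; cell 100 is never flagged even though it also sends an identity request, because that request comes after the authentication challenge. Keeping connection state per cell is what lets the rules distinguish a roaming-triggered identity request from one issued by a tower that never intends to authenticate.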
Defensive Considerations
Defending against these attacks is challenging because the vulnerability is baked into the cellular protocol specifications. For most users, the only effective defense is to disable cellular data when in high-risk environments or to use hardware that allows for granular control over baseband communication. Organizations concerned about mobile surveillance should implement Mobile Device Management (MDM) policies that restrict device connectivity and monitor for unusual baseband behavior.
For the researcher, the path forward is clear: we need more data. The OpenCellID database is a vital resource, but it is often outdated. By deploying tools like Rayhunter in diverse geographic regions, we can build a more accurate map of where these devices are operating. If you are interested in contributing, the project is actively seeking developers to help with device porting and the refinement of detection heuristics. The goal is not just to detect these devices, but to demystify the "black box" of mobile networking and provide the community with the tools to hold those who deploy these systems accountable.