
Catching the Catchers: Open Source Stingray Detection in the Wild

BSides CT 2025 · 42:16 · 19K views · Published 2025-12
Category: Technical
Difficulty: Intermediary
Team: Blue
Style: Talk
About this talk
Cell-site simulators (Stingrays) impersonate legitimate cell towers to track devices, harvest IMSIs, and sometimes intercept communications. Yet little is known about where and how they’re deployed. Rayhunter, developed by the Electronic Frontier Foundation, is an open-source tool that detects these rogue towers. This talk explores how Rayhunter works, what it reveals in the field, and how hackers, researchers, and privacy advocates can use it to shed light on one of the most secretive surveillance technologies in existence.

The final talk, Catching the Catchers: Open Source Stingray Detection in the Wild, by Michael Raymond.

>> Sounds like you are excited to learn about some stingrays, the most secretive of the uh police surveillance technologies. So, who am I? Get started here a little uh got a little alphabet soup for you. I got the V do CISM stuff going on. Um, those of you that spend way too much time on YouTube may recognize me. Um, I mostly worked behind the camera, but I did work with HackFive, uh, Security Forward and Nol Life there for a while. Uh, I in fact spent, I think, two or three years during the pandemic live streaming as my full-time career. Um, and I see some of y'all scanning. Uh, so those of you that like LinkedIn, there's

the LinkedIn stuff. Um, but yeah, in my free time when I'm not uh talking to people about security uh and going to all the conferences, I spend some time in the mountains and go out and touch grass occasionally. Highly encourage that behavior, too. Um, so I want to start today's talk off with a question. Uh, you see this guy following you around. He's noting down everyone you talk to, how long you talked to them, um, you know, tracking your location. Is that something you would be comfortable with? No. No. I see a lot of, you know, I think even the most law-abiding citizen would say that would feel pretty uncomfortable. Um, so it wouldn't be any different if you

didn't physically see the vehicle, right? So if they're tracking you, you still feel uncomfortable. Well, that's the point of today's talk is there is this technology that exists where they're doing exactly what I described. They're following you around, tracking your location, recording who you're talking to, and how long you're talking to them for, amongst other potential information. Um, and that technology unfortunately goes by way too many names. Um, so one name you might know it by is Stingray. Uh, Stingray is a specific brand name of technology. The other name you might know uh is Cell Sight Simulator or Rogue Cell Tower. As you can see, these look a little spiffier and new. The Stingray first

kind of popped up I think 20 25 years ago. So quite old technology at this point. Um but there are other uh companies now producing cells site simulators, rogue cell towers, building them into fancy vehicles. Um, but there is another yet another name uh for these. Uh, those of you that have watched Mr. Robot, you might have heard of a fto cell. Um, again, these are all, while technically slightly different things, they're all referring to the same general style of attack, which is a machineinthe-middle attack on the cellular network. Um, maybe you've heard of something like the Wi-Fi pineapple, for example. You're familiar with that concept. machine in the middle for Wi-Fi. It's a similar thing on the

cellular network. You have you're trying to make a call, you're trying to connect out, your phone is going and connecting to the cell tower via radio communication. Um so by popping up a fake cell tower, a cell site simulator for example, um a police or any other threat actor is intercepting those radio waves and making them pass through themselves to get to the rest of the network or to a phone. So that's pretty um not good. Sub suboptimal maybe is how I would describe having someone between me and the rest of the internet. Um so what exactly um are the capabilities that they would have access to in that state? Um so I want to start off with the most likely

things the things that we are fairly confident they could do. Uh so the big picture item is drag net surveillance. Um you know that idea that when these rogue cell towers are physically put in a location it doesn't matter if Bob, Alice, and Sue are there. all getting surveiled no matter if I was placed and targeting just Bob, right? Um, so there's a lot of haphazardness when these are set up that can catch very innocent people as well as very guilty people. And the devices almost certainly are always gathering something called the MC number. That's your uh license plate number for your SIM card is the easiest way to think about that. That's a unique identifier. So, why would

anyone want your MC number? It seems like a bit of an esoteric piece of knowledge. Well, they're able to take that and reference it to other databases. Um, so if you're law enforcement, for example, you can take that MC number, go to the telco provider and request all the information they have on that device. And since that's a unique identifier, you know, they can trace it back to any information you gave your telephone company when you signed up. So, your name, uh, your phone number, of course, uh, your address, um, and then all of the archival data that that telco provider has on you. So, to me, that's very scary. Um, and then, of course, because you're physically

attached to this rogue cell tower, any transmitted data going through it is going to get logged. Um, and some of that is less encrypted because of just the nature of cell towers and how they work. Right? If I'm putting out a call, I need to be communicating where that call needs to be routed to, right? That can't be fully encrypted. Um, so some of that information about who you're calling out to and then um simply by tracking over time how long that call was, you can ascertain certain information of who you're calling, how long you were talking to them for. You know, uh, you'll frequently see this come up in court cases. You know, it can

be very enlightening to say, "Oh, why did you call this person for exactly 12 seconds at midnight, um, but right before this bad thing happened, uh, versus why did you have this two-hour conversation with this other person?" Um, and additionally, because of that nature of the fact that uh to be affected by the device, you have to be within physical proximity of it. uh gives us your location uh in a rough uh degree. So for example uh the range on rogue cell towers cells site simulators can be from hundreds of meters to a kilometer or two depending on the strength of the cell site. Um but so even just then I have your rough location to um you know let's call it a

kilometer but we can get even more accurate than that. Um because again taking advantage of certain packets and protocol um techniques we can request your geol location from your phone. not always going to work, but some attack that's fairly likely. And your phone likes to give its location to the cell tower, you know, for various reasons um to help coordinate which cell tower it needs to connect to when moving between cell towers for those sorts of things. So, the things that might be possible, the they're technically possible, um but far less likely to be encountered are um denial of service. So, for example, everyone knows that a traditional jamming attack. You shout louder than everyone else in the room, so no one

else can hear each other. Doing the same thing on radio frequency. Just putting out a bunch of loud white noise would obviously work. But what I'm talking about here with denial service is something more sophisticated than just that. It is targeted denial of service. So, I can say, "Okay, Bob, I don't like Bob's phone. I don't want Bob to be able to connect out." And uh essentially by crafting a certain packet that goes to Bob's phone and says, "Hey, I'm sorry. We don't have any service anywhere around here for you anymore." Bob's phone's like, "Oh, geez shucks. I guess I just don't have service anymore." And it will not provide service until it's rebooted again. And that's just baked

into um the protocol and how phones work. Um I believe that's present all the way up to LT and maybe even 5G. Now of course there are multiple generations of uh phone protocols, right? You started with 2G back in the day uh and then 3G, LT, 4G, uh 5G would be what we're on now. But because 2G is still old or so old, it's far less secure. Um I I got um to told off for saying that it was unencrypted the other day. It's not completely accurate to say it's unencrypted. Um but with 2G, the cell tower um has some say in what encryption is used. So it's again one of those situations where the cell tower or in

this case the broke cell tower can just say to the phone, hey, you know, I really want to give you service, but I'm sorry, the only thing I have is unencrypted 2G service. and your phone being the helpful little device it wants to be. It's just trying to give you phone connection, right? It doesn't care what it looks like. So, it says, "Okay, well, I guess I'll just take that unencrypted 2G service that you have for me." So, again, you know, you can there are various attacks um that that they could leverage to get that 2G downgrade, you know, including having the cell site physically closer to you, so it's cell signal is stronger. um and similar

things. Um but ultimately what they're trying to do is convince your phone that that 2G service is the best service that it's going to get. And the reason they want to do that is because it's either completely unencrypted or it's using encryption that is so old that it's um breakable in real time. So that's what would give them ability to listen into phone calls. Not just log your phone call and listen and break it later, but listen to your phone call in real time. um see text messages, uh any websites you're visiting, u unencrypted data, and potentially leverage attacks against that too. Again, you know, they're in the middle of that process at that point. So, um any attacks you could

imagine against a Wi-Fi network would be maybe similarly effective in that situation. So, you could imagine redirecting people to websites that uh they didn't intend to go to, fishing websites etc. Now the un theoretically possible but highly unlikely attacks that these cellers could use um are attacks that would persist over time. So what do I mean by that? I mean zero days targeting specific hardware. Um so you can imagine NSO group or one of these types of organizations coming up with zero day attacks that target the physical modem in your phone. Now, um, if you're selling nuclear secrets, yeah, okay, okay, maybe that you might be a target of that and that that might happen. Um,

but ultimately at the end of the day, it's extremely unlikely that any at any given point in time, zero day would be developed specifically for you and your phone um, and leveraged in such a way that it's going to leave your phone hacked once you leave the physical proximity of that rogue cell tower. So, all of this really only takes place when you're in that physical proximity, you know, a kilometer or so, uh, of that rogue cell tower. And I know I didn't go into much technical detail there. And some of you are really wanting the technical details. You're thirsty for it. So, this is the article you want to read. It's got all of the technical terms that will

just get jumbled up into alphabet soup in my brain. Um, really great white paper by the EFF. Got to catch them all. um goes into much more detail on how each attack works. So let's get out of the palace of the mind, right? Like okay, that's cool to talk about this in theory, but where is it happening in real life? Um so you know here I got a couple examples and you you notice a common thread here um in Southeast Asia over in Turkey there are places you know with technology it takes time to get rolled out everywhere and these are places where you know despite the fact that in the US we don't use 2G anymore and it's long gone um

these places still have 2G that's still being used and as I mentioned 2G is incredibly vulnerable. Um, I think in Thailand, uh, specifically, it's 20% of the network is still on 2G. So, there are criminals there that will actively leverage these attacks. Um, some of y'all might have received some of those spam text messages that come through saying, "Oh, hey, you forgot to pay your toll on the road." Those sorts of things, right? So what criminals can do in these places, especially when it's just 2G, is they can go around with these cheap broke cell towers that they can make and send out those spoofed SMS text messages, you know, doing uh smishing essentially. Um there's also a

great u opportunity for gangs in those cases to take advantage of listening into the phone calls of their rival gangs etc. But the more classic example that you'll see kind of come up here is, oh wow, I see a Chinese are really wanting to spy on us, you know. So I they can leverage the fact that they have this massive manufacturing capability and massive technology capabilities um and the fact that they really want to control the South China Sea uh to really spy on everyone uh in their vicinity. Uh so they are really big purveyor of it and you know you can easily imagine how these types of information and this data could be valuable to a spy right like

listening in to the conversation that you're um spying on um you know tracking their location. And in fact, we have a really good classic example. I know it's kind of buried in the text here, but essentially what happened just a couple of years ago may remember a certain country over in Eastern Europe getting invaded by another Eastern European country. Oh yeah, Russia was invading uh Ukraine and still is. Um so we had some Ukrainian soldiers in Germany training at a US air base on Patriot missile systems and these Russian spies had this great idea. Hey, you know what? What we can do is we can set up this rogue cell tower near their training base. We'll

get these MC numbers. We'll get this information on these cell phones for these uh Ukrainian soldiers and then we'll go take it back to Ukraine, set these cell towers up and track them in Ukraine, effectively giving us the exact location of these Patriot missile batteries. Uh thankfully for the Ukrainians, um you know, the these Russian spies were caught. But that really kind of brings it um to the real world for me, right? Is like um effectively these spies were trying to target billion dollar anti-aircraft missile systems with what effectively amounts to a couple thousand dollars worth of hardware if you hodgepodge it yourself. Now that sounded like an aim problem like over there a lot of but uh it is an

US problem too. Everyone's favorite police agency, ICE, uh does love to use the uh rogue cell towers, cellite simulators at protests. You know, that would be the classic example of where a rogue cell tower might be used is at a protest because if you think about it, it just makes sense, right? Oh, I can just put this device up and I can track everyone that comes in to this protest. You know, I can track who's going to and from the protest. So maybe if it's multiple days, it's stretching into a riot. Uh you know, I can track and see, oh well, maybe these people are leadership because they're here all the time. Um and then of course the other

example, scary ads it may be, is spying on the Democratic National Convention. So you can imagine in a political situation where it may be advantageous to know uh where delegates are, what they're talking about. Um, you know, you could potentially swing an election or interfere an election that way. Um, so there's a lot of different use cases for these. Um, and you know, I want to present to you again where these are, at least that we know of. So this is the atlas of surveillance. It's a wonderful tool if you all haven't heard of it. And you can filter down to um cell site simulators. There are 84 on this map in just the US.

These are all dots for police agencies which are known to have cells site simulators. This is not a comprehensive list. I would expect that there are many more than just this. But from publicly available uh information, court filings, etc. These are the ones we know have them. And at this point, if you're anything like me, you're like, "Oh my god, you know, can I just like move to the wilderness and forget about all of this?" Um, in fact, no, you cannot move. Uh, Alaska has one down there, too. Um, so, okay, I know there's a certain segment of y'all that are very interested in this, and I I just want to make one of these. I don't care about

the detection part. I just want to make one. Well, if you got about $2,000 in uh softwaredefined radio, you can go and use SRS RAM and you can make your own rogue cell tower. That's not what the talk is about today, but I figured uh someone would be very upset at me if I didn't mention that. Um, and there's actually a pretty good talk on that from Defcon recently. Um, if you just search on YouTube, uh, Ray Hunter Defcon, one of the first talks that'll come up is from the RF village, uh, where they did a 30 minute talk on setting up your own cell simulator as a means of testing the device I'm about to talk about.

So, okay, clearly these are bad things. We want to know where they are and how they work. Well, there's a problem uh and that is multifaceted. Uh first part is kind of the security through obscurity. So y'all may have heard that saying and you may be familiar with the idea that security through obscurity is no security at all. Unfortunately, that's not completely true in this case. They have successfully obscured things to such a degree that we don't have complete knowledge. And what I mean by that is the manufacturers of these devices have held these as highly closely guarded secrets um to the degree which the justice department has historically dropped cases because they would have had to reveal information

about how rogue cell towers or cells site simulators work. Um in fact um again another saying loose lip sync ships. Well, it turns out the cops had loose lips and it got so bad to a point that um L3 Harris, the main manufacturer of the Singray uh and some of these cells site simulators just stopped selling to local law enforcement because uh they were revealing too much of the super secret spy technology, you know. Um so the there's been a lot, you know, even with law enforcement, uh they would do something called parallel construction. So, you know, they they knew that they couldn't tell people about this and how it worked. So, what they would do is they would use a

self-sight simulator to gather the initial information. Uh, so they would know, okay, someone done Naughty's thing. Um, and then they would build a whole court case without that information. they they would use that to inform um their decisions, inform the research and build that other court case, that parallel construction, and then they would present that other court case without any of the cells site simulator um being included. So that allowed them to circumvent any disclosure rules in court. So they wouldn't have to talk about these things. So there have also been some technical barriers. So historically, you know, uh there have been many attempts to detect these uh rogue cell towers, cells sight simulators. Um kind of first started off

with some rooted Android apps. Uh Snoop Snitch you may have heard of. Um there's just some problems with these. Um they didn't always work super well. They certainly weren't reliable. If you took three uh cells sight simulator app detectors and ran them all in the same area, you get three different results kind of thing. Um, so not exactly useful or reliable, uh, but they were open source, uh, so they get something for that. Fact that they run on, you know, rooted uh phones uh automatically precludes them from everyone wanting to do that. Not everyone wants to. Then comes Crocodile Hunter. Um, so software defined radio. Really cool way to work with radio. Gives you a lot of

flexibility. problem with SDRs is unless you're just getting like an a little cheap RTL SDR, these things can get bit get a bit bit expensive. So, you're easily talking, you know, a th00and $2,000 uh to run crocodile hunter to detect these rogue cell towers. And again, iffy iffy reliability and as I talked about with cellsite simulators, it is a big umbrella term, right? In the same way you might say Wi-Fi hacks, right? it it it's somewhat informative, but it's not truly in uh informative. And so there are all of these very specific attacks that happen all the way back from legacy 2G attacks all the way up to modern uh you know 5G and LTE attacks. Um so a lot of those

old apps uh and to a lesser degree, you know, some of the STR uh setups were designed to alert on 2G attacks, 2G downgrade attacks. Um, but as I discussed earlier, those are sometimes likely but not the most likely attacks you would run into. And so this results in this scenario where as a research community, we don't have any research. We have very minimal research. There are some papers here and there from the academic side talking about theoretically how these attacks work and we might be able to detect them. Uh but ultimately what this results in is a situation where uh lawmakers, policy makers are only hearing one side of the story. They have L3 Harris whispering sweet nothings in

their ear about how great and awesome this technology is and how it's going to stop all crime and no one's ever going to be able to do anything bad ever again. Um but we don't have any information. We don't know who's using them, where they're being used. We have some rough ideas. Um, but we don't know if it's just the New York City police departments of the world that can afford this technology or if it's little Bridgeport, Connecticut has, you know, these cells site simulators on every street corner, right? >> Um, so this leaves us in this awkward situation where we have no evidence. We don't even know what's really going on. So that's where uh Ray Hunter comes in

and the EFF, the Electronic Frontier uh foundation. I think I got that one right. Um, yeah. And so they wanted to answer those exact questions. Um they had previously worked on Crocodile Hunter. Um but they wanted to make something more massacceptable. Um so something like a cheap mobile hotspot like this one that some of y'all may have seen outside earlier. Um and they wanted to answer those questions of who, what, when, where, how are these devices being used so we can be more informed. you know, at at the end of the day, we may not be able to impact policy. Um, but you can't have an informed policy decision if half of the information is

missing. And so, uh, they were able to develop this open-source firmware, uh, using Rust because it's trendy and cool and memory safe. Um, and it goes on these commercially available hotspots, you know, relatively affordable hardware. Um and in fact it can be ported to a lot of different uh mobile hotspots as long as they support this uh dev diag command which is a development feature built into many Qualcomm modems. Um then they can access using that um diag protocol the management frames going back and forth between these physical modems and the cell tower they're attached to which gives you the great capability to start building some of these detailed horistics um in a way where you're not doing it on a thousand

SDR. So um and then also part of the goal too is u making it simple and easy to use right um maybe you maybe I uh we can run terminal we can use an SDR we can you know do all this fancy Linux stuff that if our grandma saw it she'd think we were super cool hacks or um but what about journalists what about privacy advocates like what about uh your friend who's going to a no kings day protest and just wants to stay safe right do you expect them to be able to do that? No, not necessarily. Um, so part of the goal of the project too was to make something that's very easy to understand. So like

when I hold this up and I say, "If it's green, you're safe. If it's red, turn your phone off." It's very easy for anyone to understand, right? I can hand it out at a protest or um if you know we're going somewhere that we need to be more secure, it's very easy to understand. Um, and what I thought was really badass and cool, uh, because the EFF has a lot of interesting friends, they were actually able to get a hold of a commercial cell site simulator, the same thing that the police might buy. Uh, so they were able to test against that commercial cell site simulator and build those horistics and detect those attacks. Um, is it foolproof? Is it

going to detect every attack? Probably not. They only had the sample size of one, which as you can imagine is not a great sample size. Uh, but that's a hell of a lot better than a lot of the other commercially or the open source projects done before. And one of the things I'm always a big advocate of as well is the fact that, you know, the EFF um has backing and has funding to research this. They have tons of lawyers. They have awesome technologists. So, um, it's gives me a lot more faith that it's going to be maintained over time and still be around and useful a year, 3 years from now in a way that some of

these, uh, you know, Android apps and other methods you might use historically could kind of just peter out because the dev just wasn't interested in things anymore. And additionally, I know there's a bunch of us that are big nerdy boys or girls. Um, so the does log pcap files um to the mobile hotspot. So, you know, I was talking about those communication protocol going back and forth between the device and the tower. So, it's logging all of that on the uh mobile hotspot which is running Linux thanks to the Qualcomm modem and then serving that up via a Wi-Fi web page. So, I think we'll take a look at that in a moment. Um, but there are a couple of hotspot

options uh that this runs on. Uh the first one is the Orbit RC 400L. That's what it was originally developed for. Uh there is one caveat with that though. It really only works in the Americas. And the reason for that is the way the RF spectrum is cut up amongst different countries and different continents. It's not all the same. There is some overlap, but there are different frequency bands that are used in different parts of the world. And so there are some major regions here. And so unfortunately the oric was specifically developed for the America region and doesn't really support um other places. So if as you can imagine you're a journalist and you're going to the Middle East and

you're concerned that maybe one of these Middle Eastern countries might be snooping on you while you're there, uh the Orbit is not going to be that helpful for you. That's where the TPLink comes in. Um so that's a similar device that they were able to route uh which works in other parts of the world, Africa and Europe mainly. Um unfortunately problem is orbit really cheap. Uh this one far less cheap. I hear if you're in Europe maybe you can find it on the equivalent of eBay a little cheaper. Um but it's almost an order of magnitude more expensive. Fortunately there is a device that actually looks like a phone is a phone and works in the entire world. Uh that

is the Pine phone if you all have never heard of that. Um it is a really cool device. It costs like $300. Um but it supports global um LTE 5G bands. So in theory that would work all over the world. Um the only problem with that currently is the way it's set up. Um you kind of have to access it in a hacky way uh through terminal. It's not just like a cool little app that you have on your phone like you would imagine. But, you know, this is a relatively new project. It's less than a year old. Um, so there's already a diverse number of methods. And these aren't the only hotspots available that the software can

run on. Um, there are a number of other hotspots available. And hopefully some of y'all find folks that maybe like Rust programming or rooting uh devices uh will help us expand that list of hotspots that are usable. So, all right. Okay, enough talking. What What the heck have we found? Give me the meat and potatoes here. So, surprise Pikachu. Um, that no protests have had cellside simulators to the best of our knowledge that have been fed to the EFF. And this just came out hot off the presses like two weeks ago. Um, EFF made a post on some of this uh information that they've been aggregating. Um, so you know, I was convinced before that every protest

would have a cell site simulator. You're instantly detected every time you go. And that simply does not seem to be the case. It seems um, you know, there's some reading the tea leaves here that other surveillance technologies available to police are more effective or more affordable to use for protests. What other technologies might I be referring to? Well, simple things like facial recognition, um, license plate readers. you know, you can put a camera up and just see what cars are going into and out of the area. But unfortunately, the most common one would be a geop. That's simply where they go to, you know, the Googles of the world and say, "Give me every Android device that was

in within these coordinates at this time." And assuming they have a warrant, um, and Google's feeling nice, which they often are, they'll just give them that list of, okay, well, there's all those devices. Um, so unfortunately uh Ray Hunter cannot detect that uh yet. Um, but so you know surprise Pikachu sad no no protest but it is a it is positive. You know this is what we're looking for right to better understand where they're used. Now I got a couple other lists here. Uh Chicago. So they're one of the more confident detections that the EFF has was just at a random cafe in Chicago. um don't know why it was there um but it was likely due to

police operations and when um some of the an anecdotal evidence I've heard around this that you know um I wouldn't be surprised if this were the case is police when serving search warrants for example they want may want to verify that the person they're interested in is in that building that they're about to serve a no knock warrant or something like that so they could potentially set up a cell sight simulator nearby I confirm ah yes that you know um Bill the drug dealer's phone is in this building. So I'm going to go in there and I'm going to rest. Now the next one is in New York. I actually passed through this one on my

way up here for this conference. Uh many of y'all living in this area. I'm almost certain that y'all passed through this one. Anyone want to take a wild guess? No cheating for anyone I talked to earlier. Tunnel. >> What tunnel? close. You're on the right track. Any other guesses? >> Um, it is in New York City. Um, in Manhattan. >> Yeah. At Penn Station. Um, so a big transit hub. Essentially, um, the detection again was in Penn Station. Um, and as you can see at the bottom Frankfurt airport is another detection I had recently when I was going over to Saki in Sweden. And I just personal hypothesis here is that some of these major transit hubs, especially ones that

have trains or other modes of transit where you wouldn't normally need to ID yourself in any way, you wouldn't need to go through a TSA or anything like that. uh I suspect they might be leveraging this technology to keep an eye out for human trafficking, drug trafficking, these sorts of activities. You know, you can imagine if you have these devices set there over a period of time, you can monitor um habits and wonder why. Oh, why does a certain device come through here every Tuesday at 2 am, right? Um and pick up on that sort of thing. And uh quite possibly the weirdest detection that the EFF got reported to uh was in some Turkish

islands. It apparently set off literally all of the heuristics possible, to the point where the EFF thought that this was rigged, that this was, you know, not true. But fortunately, because no one believed him at first, I guess, he put all of his logs up on GitHub. So if you are interested in looking at some of the pcap files and you don't want to run around and find your own rogue cell tower, there are some GitHub documents with those pcap files. Again, if you go to that recent post by the EFF, it's linked in that document. So some pcap files for you to dig through if you got

nothing to do tonight. So I talked about the interface being pretty. I think this is a pretty interface. This is the interface that you get when you go to the website hosted on the device. You can see here's your pcap files, QMDL files, and you can have some zips. You got your time and you got your analysis. So what does a warning look like? It looks a little something like this. This is kind of the thing I got hit on when I was going through Penn Station: IMEI number requested in a suspicious manner. Basically, you can imagine this as something like wallet inspector, right? Come up to a person, ask them for

their wallet. Wallet inspector, give me your wallet, run away. That idea. Basically, it's just a cell tower asking for this identifying number for my device and then doing nothing with it. It's just taking off and leaving. So this unfortunately is the problem child of all the detections available. As you can imagine, if you're going through a tunnel, if you're going through somewhere where you're rapidly changing cell towers, there is a distinct possibility that you get a false positive, where you're just jumping from cell tower to cell tower too quickly. So it's a little ambiguous there. But here at the bottom you can see many of the other heuristics that have been developed

looking at those various attacks. And, you know, I talked about Frankfurt airport, and this is the one I got hit on at Frankfurt airport, and essentially what this is talking about is that 2G downgrade attack that I was referring to earlier. Basically the cell tower there is telling my phone, hey, you know, this 2G service is the best we got for you, please take it. So I found that, you know, again very suspicious but ultimately not damning. There is always the chance of false positives here. So, you know, what would be the most damning evidence? If you're getting multiple hits on multiple different heuristics simultaneously, that would be a very, very strong indicator

that what you're seeing is truly a cell-site simulator and not just some weird cell tower configured in an odd manner or, you know, some other related false positive. So what can you do if it's red? Well, thankfully, by being here in this talk and learning information, you're already ahead of 99% of people. You can do a little learning on signals intelligence, how radio protocols work. And that's where I was talking about some of that distance. Obvious choice would just be pretend that it's the 80s and just go around with no phone. I would love to do that, but that would be impossible. It would trigger all my 80. So, you can do a couple

things on your phone. You can consider using a VPN. I'm not the guy always trying to sell a VPN. I think this is one of the use cases that actually makes sense. It would protect you from a 2G downgrade attack, at least on the data layer. I would solidly consider using Signal. That would encrypt your text messages end to end. If you don't use Signal and you don't know about it, what are you even here for? Like, don't use Signal. Most modern phones support disabling 2G service. If you have a Pixel or an iPhone, you should be able to just go in your settings and disable 2G service. So definitely, definitely recommend

doing that. No reason you should ever connect to 2G in the US. Okay. Let's say you have a Rayhunter and you do get hit. Is it too late? No, not necessarily, right? You know, normally if you didn't know about it, you would continue your day and potentially be in the vicinity of a rogue cell tower for quite a period of time. So, if you do get a detection and you see it early, you can disable your cell phone service, Wi-Fi, Bluetooth, GPS. Usually, that would be airplane mode. Airplane mode can't always be trusted. Sometimes you put your phone in airplane mode and it's still shouting out for cell service occasionally. So, that's where

something like a Faraday bag would come in. We can actually steal the police's own technology. Fun fact, if you ever get arrested or they ever take your phone away from you, what are they going to do with your phone? They're going to throw it in a Faraday cage or Faraday box. This is just a metal enclosure or something like this, you know, just metalized fabric. And the reason they do this is to prevent signals from going in and out so that you couldn't remotely wipe your phone. Similarly, we can put our phones in a Faraday bag so that their rogue cell tower can't see our device. And then of course, if it's really late after the fact and you

know you're far after, maybe you could swap SIMs. That might be helpful. That would effectively change your IMSI number, because you would be using a different device. It would not change your IMEI. But it could be helpful. The most helpful thing you could do, if you really are concerned, is have a burner phone, you know, a cheap $50 to $100 Android device that you use once or twice or on the rare occasion that you need it. Definitely not required. There's some opportunities to get involved. Sorry, I'm going to speed up here. My time's running out. But you can add GPS. The things that

Rayhunter could use, and this is an opportunity for y'all to get involved, is adding GPS. Those files currently don't log GPS. They just log the pcaps. Taking these things and going war driving overseas. You know, take a backpacking trip through Europe and take a Rayhunter with you, please, and send all the data back to the EFF. You know, there's more false positives in other parts of the world because Rayhunter was developed for America and some of the detections just are not up to snuff there yet. And then also, if you like rooting devices, we need more mobile hotspots rooted. Make them cheaper, get other ones that use different bands,

etc. And for the love of God, if you have access to a cell-site simulator, please discreetly message the EFF and get them access to it so we can detect it. And it's not security through obscurity anymore because we have facts, hard evidence that we can legitimately detect that cell-site simulator. So, I want to make some acknowledgements to the EFF and all the hard work they've done. They've really put a lot of development into this, as well as the Counter Spy conference that happened for the first time this year. They had some really amazing talks on understanding IMSI catchers, and setting up Rayhunter really helped me getting started. And then the talk I

mentioned earlier, open source cellular test beds, from Ronald at the RF Village at DEF CON this year, really fantastic on setting up a cell-site simulator to test Rayhunter. So yeah, that's about all I had. You know, I really want y'all to get involved. I have some Orbics pre-flashed. If you want them, just come talk to me after, and I can get you one. But yeah, get them, take them out in the wild, contribute some of those logs when you find them, and support the ongoing mission of detecting surveillance.
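The two detection patterns the talk walks through (an identity request followed by the tower dropping the connection, and a release that pushes the phone down to 2G) and the speaker's point that one heuristic alone is ambiguous while several firing on the same cell is a strong indicator can be shown as a small scoring pass over parsed tower events. This is an added illustration written for this page, not Rayhunter's or the EFF's code; the event record layout, the field names, the five-second window and the sample events below are all constructed for the example.

```python
"""Toy heuristic scorer over parsed cell-tower events, in the spirit of the
Rayhunter heuristics described in the talk. Added example: the event format,
window and thresholds are invented here, not taken from Rayhunter."""
from dataclasses import dataclass


@dataclass
class Event:
    t: float          # seconds since capture start (constructed field)
    cell_id: str      # identity of the serving cell (constructed field)
    kind: str         # "attach", "identity_request", "release" or "redirect"
    detail: str = ""  # identity type requested, or redirect target technology


@dataclass
class Finding:
    heuristic: str
    cell_id: str
    t: float
    note: str


def identity_then_release(events, window=5.0):
    """The 'wallet inspector' pattern: a cell asks for the IMSI or IMEI and then
    releases the connection within `window` seconds without doing anything else
    with it. Fast handovers (tunnels) also produce this, so on its own it is
    only ambiguous."""
    findings = []
    for i, e in enumerate(events):
        if e.kind != "identity_request" or e.detail.lower() not in ("imsi", "imei"):
            continue
        for f in events[i + 1:]:
            if f.cell_id != e.cell_id or f.t - e.t > window:
                break  # different cell, or too long after the request: not this pattern
            if f.kind == "release":
                findings.append(Finding(
                    "identity_then_release", e.cell_id, e.t,
                    f"{e.detail.upper()} requested, released after {f.t - e.t:.1f}s"))
                break
    return findings


def downgrade_to_2g(events):
    """A release that redirects the phone to GSM/GERAN (2G), where the weaker
    ciphers live; the downgrade pattern the speaker saw at Frankfurt airport."""
    return [Finding("2g_downgrade", e.cell_id, e.t, f"redirect to {e.detail}")
            for e in events
            if e.kind == "redirect" and e.detail.lower() in ("gsm", "geran", "2g")]


def score(events, window=5.0):
    """Group findings per cell. One distinct heuristic is reported as
    'ambiguous'; two or more distinct heuristics on the same cell are reported
    as 'strong', matching the talk's 'multiple hits simultaneously' rule."""
    per_cell = {}
    for f in identity_then_release(events, window) + downgrade_to_2g(events):
        per_cell.setdefault(f.cell_id, []).append(f)
    verdicts = {}
    for cell, fs in per_cell.items():
        distinct = sorted({f.heuristic for f in fs})
        verdicts[cell] = ("strong" if len(distinct) >= 2 else "ambiguous", distinct)
    return verdicts


# Constructed sample capture: three cells with three different behaviours.
SAMPLE = [
    Event(0.0, "cell-A", "attach"),
    Event(1.2, "cell-A", "identity_request", "imei"),
    Event(2.0, "cell-A", "release"),             # could just be a tunnel handover
    Event(10.0, "cell-B", "attach"),
    Event(10.5, "cell-B", "identity_request", "imsi"),
    Event(11.0, "cell-B", "release"),
    Event(11.0, "cell-B", "redirect", "GSM"),    # IMSI grab plus a 2G push
    Event(20.0, "cell-C", "attach"),
    Event(21.0, "cell-C", "identity_request", "imsi"),
    Event(40.0, "cell-C", "release"),            # long session first: normal tower
]

if __name__ == "__main__":
    for cell, (verdict, heuristics) in score(SAMPLE).items():
        print(f"{cell}: {verdict} ({', '.join(heuristics)})")
```

Run as-is it reports cell-A as ambiguous (one heuristic, the kind of hit the speaker got at Penn Station), cell-B as strong (identity grab and 2G redirect together), and nothing for cell-C, whose release comes well outside the window. Real Rayhunter output comes from the QMDL and pcap files shown in the device's web interface; this example only models the decision logic, not the parsing.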