
All right, welcome to the last talk of BSides Philly for the year: "Catching the Catchers: Open Source Stingray Detection." So, who am I? My name is Michael Raymond. If you recognize me, you definitely spend too much time on YouTube and you should get some other hobbies. I have appeared in a couple of videos on the SecurityFWD, Hak5, and Null Byte channels, but very rarely. Primarily I work as a security consultant; I consult with a lot of small and medium-sized businesses, helping them understand their security posture, and I've got a little bit of alphabet soup going on there with CISM. But in my free time I'm also a mountaineer and staunch privacy advocate, so today I will be talking to you about some of those privacy concerns. And if you're one of the LinkedIn people, there's my QR code and you can find me on there.

So, let me start off with a question. This guy's following you around every day, all the time, jotting down who you're talking to, how long you're talking to them. Would you feel comfortable? Is that something y'all like?

>> No. No.

>> Okay. Yeah, yeah. I don't know. I don't have anything to hide, but I'd still feel a little weird if this guy was following me around all the time. Well, there's a technology out there which essentially does the exact same thing, but instead of being a big obvious police car following you around, it's an invisible device. What is that device? Well, unfortunately, it goes by a lot of different names. So, just to set the stage and make sure we're all talking about the same thing here: there's the Stingray, which is this device, very old school, targets 2G devices. The more modern umbrella term would be cell-site simulator. You can see a more modern, more sleek one, nicely built into a fancy SUV. You'll also hear the term rogue cell tower. If you've watched Mr. Robot, you might be familiar with the term femtocell; they use that. But essentially all of these names and terms, while there can be some minute distinctions (IMSI catcher, and so on), are all referring to the same type of device, which is a device that emulates a cell tower in order to perform some sort of attack against a cellular device. If you're familiar with a Wi-Fi Pineapple and you want to think of that as a Stingray for the cellular band, that's not too far off the mark. Essentially, they're either performing a man-in-the-middle attack or spoofing a cell site to gather data from your cell phone in some way.
So, cool. Okay. But what are they actually capable of doing? What can these things do? Well, unfortunately, they're shrouded in a lot of mystery, so we're not 100% certain, set in stone. But what is likely, based on the academic research and evidence available to us, is that these cell-site simulators are used for dragnet surveillance. What do I mean by that? If a cell-site simulator is set up in a location, it's collecting on everyone that gets in radio proximity of that device. It may be set up to gather information on me, Michael, but all of you in the room, just because you're in that same area, would have data gathered on you. So obviously some potential privacy concerns there.

Additionally, the most easy, low-hanging-fruit information it can gather is something called an IMSI number. That is a unique identifier for your mobile device; essentially, you can think of it like the license plate number for your mobile device. And of course, since it's operating as a cell tower, to operate as a cell tower you need to know some basic information, like where the traffic needs to get routed to, or at least how long a call is going on, simply timing when a call starts and when a call ends. So on a very basic level, the easiest thing they can do is get an idea of who you're calling and how long you're talking to them for while you're within proximity of one of these cell-site simulators. And of course, on the most basic level, they can track your location, in the same way that if you called 911, they might try to ping back to the cell tower you're connecting from. That gives them a rough location. They can also get much more specific locations based on the GPS coordinates on your phone. So in more modern communication, LTE, 5G, some of those packets will have location-based information. Your phone is always helpful and always trying to do the best thing for you, and sometimes that means giving your location to the cell tower that's nearby.

So what might be possible? These are things that the academic research suggests are doable, but the news, or the research on whether it's actually been deployed in the wild, is a little mixed. One of the easy ones is denial of service. In its infinite wisdom, the LTE protocol has a baked-in packet which basically says, "Hey, there's no service around here for you. There's no need to look for further service." The idea being you went to a foreign country and you're trying to connect to a cell carrier that's not there. Well, it's unencrypted and unauthenticated, so anyone that has the right radio setup can just send that packet to your phone and say, "Hey, we don't have any service for you. There's no need to look for it here." So it's very easy, in theory, to set up a denial-of-service attack like that. I haven't heard any stories of that, but it is possible.

The other primary one that you do hear about more frequently is what's called a 2G downgrade attack. That is when the rogue cell tower or cell-site simulator attempts to tell you to use 2G. There are a couple of different ways they can try to achieve this. They can basically say the 2G service has higher priority, and your phone might believe that, or they can essentially make your phone believe that the only service available in its proximity is 2G. And of course your phone, in its infinite wisdom and helpfulness, wants to give you service, because we wouldn't want you to be disconnected for five seconds, so it'll go, "I guess I'll take that 2G service from you." But unfortunately, that is the worst-case scenario. If a 2G downgrade attack is successful, then you've pretty much got a man-in-the-middle situation going on. There can be encryption on 2G.
But the encryption used 99% of the time is so easily crackable that it's crackable in real time, so there wouldn't even be any delay in doing things like listening to your voice calls or your text messages, assuming you're just using the normal phone-call and text-messaging systems. Also, any data going back and forth that's unencrypted would be interceptable, and you could perform any attack that you would if you had a man-in-the-middle situation. So you could start spoofing websites, redirecting traffic, all those sorts of things. Another interesting, scary scenario there as well is if you think about the prevalence of cellular-based IoT products. Think about smart meters. Everything that's out there that's running on cellular, you could start intercepting that traffic or manipulating it in some way. So any cellular IoT device is potentially vulnerable to some of these cell-site simulator attacks. Again, I haven't heard any stories of it being used in the wild. That's why I kind of label it under "maybe."

The attacks that are unlikely are anything that persistently hacks your phone. So, in theory, NSO Group or someone like them might have a multi-million-dollar zero-day they're sitting on that is able to use purely radio communication, normal LTE or 5G packets, to hack your modem in a way that's persistent. But that I find highly unlikely. So whenever you encounter a cell-site simulator, you're getting surveilled, but only for the time that you're within proximity, and that proximity is usually somewhere around a kilometer or so, similar to a normal cell tower, but generally less range because they're usually smaller, more compact devices, except in the case of the big old SUV. And I know I did not go into a bunch of technical detail about how those attacks work, but if you are interested in, okay, how do I manipulate this management frame to get these effects, go read "Catch the Catchers" or "Gotta Catch 'Em All," and that will give you a lot more technical detail on the exact packets and how they're structured.

But okay, that's enough theory. Let's dive into the real world. Where are these things getting used? Well, one of the first cases is they seem really popular in Southeast Asia and parts of the Middle East, places where 2G is still commonly used. Of course, there are criminal elements there. I don't know why they might want to listen in to phone calls going on around them, but it seems like very interesting data for them. And then there are elements as well of, you may have received text messages that are smishing, like "oh, you haven't paid your toll yet," those sorts of things. Normally that might be a phone farm that they're sending those from, but cell-site simulators could potentially be used in that same way. There was a case in France, I believe Paris, a couple of years ago where a lady was driving around in her car with a cell-site simulator in the back just sending out all these spam text messages. Funnily enough, the authorities thought it was a bomb in her car. No, it's just fancy technology. But it's not restricted to just
criminals. You may start seeing a pattern here. China in particular really loves this technology, and they're kind of in a sweet spot in that a lot of Southeast Asian countries still have at least some substantial 2G service. So that means that it's very, very easy for them to intercept those calls with this technology. Here in the United States, 2G is not used anywhere; there are more protections. So there are a lot of use cases where nation states can spy on people. In fact, my favorite one is recently from the Russia-Ukraine war. A bunch of Russians had this great idea: okay, well, there are all these Patriot missile batteries in Ukraine; it'd be really cool if I could figure out where those are. So what they did is they took some cell-site simulators and set them up around the bases in Germany where those crews were training to operate Patriot missile batteries. Their idea was, "I will then take that IMSI number, that data that I collect on those phones back in Germany, and then I'll go do it in Ukraine. And by doing that, I can track the location of these Patriot missile batteries, call in a strike, do whatever." Fortunately, in this case that plot was thwarted and didn't happen. But this case actually gave us a lot of the information we know now about cell-site simulators and how they're used, because the commercially available information, or the information available to the public on these devices, is incredibly thin.

And of course, that sounded like a "them" problem, but it is a US problem too. We do have cases of cell-site simulators being used in the US. You may have heard of it being used around the DNC. So obviously there's a very good use case, at least from a red team perspective, of establishing patterns of life, right? If you set one of these up in an area, you know who's going to and from a building, at what times; you could also get information about the phone calls, who they're calling and who they're communicating with. So it's really easy to establish patterns of life. And then obviously there are a lot of police use cases. So for instance, you can imagine a SWAT team. If they're serving a search warrant for a high-value individual, you really want to be certain that that individual is in that building before you serve that search warrant or perform a SWAT raid, right? So one of the ways they're able to achieve that is to set up a cell-site simulator outside, ping the cell phone that they know is connected to that individual, and then all of a sudden, "Okay, our target's in this building. Go, go, go." So there is some evidence that ICE is using that in some of their raids as well, if they're able to gather information.

So one of the questions then is, okay, well, where is this used? Is it just used in New York, in big cities, or is it used everywhere? Well, this is the Atlas of Surveillance. It is a project set up by the EFF, and what I have here, all these dots, represent cities in the US that are known to have cell-site simulators, thanks to FOIA requests, Freedom of Information Act requests. Thankfully, when a police agency has to buy one of these, usually there's a request for bids or some kind of documentation out there that can be FOIA'd. This certainly would not be an all-inclusive list, but this gives you an idea of where these devices are used and where they might be. So if you're like me, I imagine half the crowd is like, "I'm kind of sick and tired of technology. I would rather just get away from it all, move out to Alaska, and become a mountain man." Well, good news for you: there's one there in Alaska for you as well. It did get pointed out to me today that there
aren't any in Hawaii that we're aware of. So you could become a tropical person, at least for the time being. And now I know the other half of you are like, "Oh, that sounds like super dangerous, cool technology. How can I get one? Give me one now." In which case you need about $2,000 in software-defined radio; that's kind of a nebulous number. There are a number of different open source projects you could use for that, but the primary one I'm aware of is srsRAN. It's not plug-and-play in the sense that you just install it and then you're off to the races, but if you watch this DEF CON video, "Open-Source Cellular Test Beds," he actually sets it up and goes into a lot more detail about using cell-site simulators, because I know some of y'all will. Now, my lawyer advises me that I should remind y'all that setting up a cell-site simulator would be highly illegal, and the FCC... it will bring all the FCC boys to the yard. So let's maybe not do that, or at least not make me aware of it.

Okay. So we kind of want to know where these are. The Atlas of Surveillance gives us a rough idea, like, these cities, these departments own this technology, but it doesn't give us any information about, okay, it's on this block from noon to twelve every Saturday, right? So there's this problem with secrecy and opacity in the commercially available units. We have a little bit of information here and there from some of those FOIA requests, but generally we don't know who's selling them, how often they're selling them. We don't know all the departments that own these, when they're using them, where they're using them. We don't know if it's only truly high-value SWAT teams that are using this to catch awful people, or if they're setting them up at every protest and just getting everyone that's attending a No Kings protest because they don't agree with the views of the protesters. So there are a lot of problems there.

And then it goes even deeper than that, into some of the manufacturers. So I talked about the Stingray, the original Stingray back in the day, right? L3Harris. They were so secretive about the technology, and working with the Department of Justice, the Department of Justice for many years would drop entire court cases because it would have made them reveal in those court cases that they were using these Stingrays, this technology, to surveil people. And so what they actually started doing is something called parallel construction. They'd use Stingrays or other secretive methods to gather intelligence, figure out who done it, and then they'd use all the other publicly known sources of gathering information to build a legal case that they could argue proves Bob is who done it, without ever having to reveal the use of the Stingray technology. There was a problem with that: loose lips sink ships. Police departments had loose lips, apparently, and L3Harris was like, "We do not like that. We're going to stop selling to y'all." Now, of course, when there's a vacuum, other commercial providers come into that vacuum, and as time evolved, other technologies evolved, LTE, 5G, etc. But the moral of the
story there is that there's no clear-cut way to really detect these things, for the most part, at the beginning. So there have been attempts over time, but they had various barriers to entry. There was a really good app for a while, SnoopSnitch, but it relied on a rooted Android phone. Slight problem there: not everyone uses Android, and not everyone is a fan of rooting their phone; there might be other security implications to rooting your phone. I'm a radio nerd. I'm sure some of y'all are radio nerds. I'm sure that some of y'all have some SDRs, software-defined radios, just floating around. But SDRs are expensive. So there have been some attempts previously to use SDRs to detect these things. That was a prior project by the EFF called Crocodile Hunter. I think there were some protests around some pipelines out west a number of years ago, and that's kind of where that originated: trying to figure out if these cell-site simulators were specifically being used against protests, to track who was attending the protests. And then of course there are other complications too. Specifically, SnoopSnitch and some of the apps historically have only really looked at those 2G downgrade attacks, but there are so many other different attack styles that can fall under that umbrella of cell-site simulators.

And all of this culminates in this situation where the community doesn't really have any insight into what devices are being used, where, how they're being used, or when they're being used. And this results in a situation where we have policymakers, lawmakers, making policies and setting laws without two sides to the story. The only people that would ever talk to them are the police and the manufacturers of this equipment. And of course, they're going to say, "It's great. We should use it all the time," right? But when you don't have any of that transparency, it's hard to do any of the bug bounty, analyzing how these are used and the legal and privacy implications. And then you can't even begin the conversation with those policymakers to say, "Hey, maybe let's hold our horses. We should have some rough bounds about how this technology should be used."

So that's where Rayhunter enters. Rayhunter is a project started by the EFF, following up on Crocodile Hunter. The problem with Crocodile Hunter: too expensive, SDRs, blah blah blah. They wanted something that's easy enough for you to hand to a protester and say, "Green good, red bad," right? And also be affordable. It'd be great if I could hand all 10,000 people at a No Kings protest a device and let them know that they're being tracked by surveillance, but that's maybe not always practical. So what they found is some commercial hotspots, and what they discovered is that the Qualcomm modems in those hotspots had this /dev/diag command. Essentially, it's a development feature intended for your software developer working on your hotspot or cell phone; you need to be able to analyze those packets going back and forth between the cellular device and the tower. And you can take advantage of that to analyze those packets. And if you are able to get your hands on a cell-site simulator... which the EFF, being the awesome people they are, they got their hands on a cell-site simulator, a real one, a commercial one, which also happens to go for like $100,000. So, like, how the hell? Anyway, very impressive. So they were able to get that, and then they were also able to analyze all the literature out there, the academic research, and figure out what are the most likely techniques, what exactly in the network stack are they abusing, which packets are malformed, which packets are, they're leaving off the last half of the handshake, kind of situation. And through that process they were able to develop a number of heuristics, and being a bunch of Rust heads, they developed some
Rust firmware and rooted some of these commercial hotspots. So now you get to a situation where, okay, we've got some of these hotspots. This is the most popular one, the Orbic RC400L. There's also the TP-Link. But you can use these hotspots now, relatively affordable, and you can use them to track the cell-site simulators. And the part I love is it's got a green bar at the top, very easy to understand for a layperson. But they're not useful everywhere, because unfortunately the problem with some of those cheap hotspots is they don't support every frequency band used worldwide. The US bands used for cellular technology are very different from the European ones and the ones in Asia, for example. So the Orbic works well here in North America; the TP-Link works well in Africa and Eurasia. And the PinePhone, right here in the bottom corner, actually does work well everywhere, with just a few minor problems. It's like $300, not too expensive for a phone, but it also is a little weird to use. But if you're going to be traveling worldwide very frequently and you're concerned about cell-site simulators, that is the one you want. Essentially it has all the bands worldwide. The only quirk is that you've essentially hacked the modem in the phone but not the phone itself, so you have to go onto the terminal on your cell phone and remote into the modem on the same device to connect to it, which I find a little strange. But that is what it is for now.

The lovely thing about Rayhunter as well is they made this nice, fancy UI page. So you're getting the basic alert, alerting on those heuristics when it believes there's a cell-site simulator nearby. This is kind of what the web page looks like, and it can give you some warnings like this. And those warnings can take various forms. You can see under the analyzers there are a number of different specific attacks they're looking for. By far the most common one that we'll see in the wild is this one that says, basically, "IMSI requested in a suspicious manner." Unfortunately, that can also be the one that has the most false positives; I'd give it about a coin flip in my experience so far. But essentially what that is saying is that category I said was most likely, right? That is when a cell tower is saying, "Hey, give me your IMSI number, give me your identifier number." And normally the rest of the process would be like, "Oh, okay. Here, I want to connect you to the service," or "I'm going to reject you." But in this case, it's suspicious because it's "Go away. Shoo. We don't want you around here anymore," or basically just doing nothing with that information. There are a number of other attacks, heuristics, you'll see as well, such as this one. This one is the one I was talking about that's very dangerous, the 2G downgrade attack. So these are very suspicious things that you want to look out for and be aware of. That's the lovely thing about Rayhunter: for 20 years now, cell-site simulators have been attacking people indiscriminately who would go near them, and you'd have no way of knowing that it's happening. And now you at least
have a fighting chance of knowing that something's happening. And it's all open source. It's available on GitHub. All of those hotspots I mentioned, you can just go on GitHub and flash the code.

So what are some of the findings so far? Part of the goal of this project was, let's get them all out in the hands of people. Let's get some of these detectors out here and figure out where they're getting detected, where they're not getting detected. And the thing we were sure about going in is, "Oh my god, they're using them at all these protests. No Kings, you're definitely getting your phone scanned." And the biggest finding so far is: no. In fact, they are not used at protests, at least none of the ones that we've had Rayhunters at so far, which when I heard it, I was surprised-Pikachu face. That's not at all what I expected. But our hypothesis is that there are more effective and cheaper alternatives for police to use for the purposes of surveilling protests. For example, there is something called a geofence warrant. That's essentially when you take a warrant to the telco provider, whoever owns the tower, and say, "Hey, we want all the cellular devices that attempted to connect to your network Wednesday from noon to three," whatever time the protest is, "within these geographical coordinates." And the telco provider is like, "Yes, sir. I will give you that information right now." Sometimes they maybe don't even need a warrant. So I suspect that's what's being used instead; that's a lot cheaper than a $100,000 cell-site simulator. But there are also other technologies that are likely being used around protests. Body cameras are being worn; you can run facial recognition software against that. There are also Flock cameras, basically license-plate-reading cameras. Again, similar to the cell-site simulator, if those were set up in a place, you can establish a pattern of life. Who's going to and from? Okay, well, these new people came for the protests. Maybe they're interesting. This guy went to and from the protest five times. That's really suspicious. Let's look into them.

So, some of the actual findings we've done with Rayhunter: we have kind of confirmed, to some degree, what I was talking about with the SWAT teams, basically that when they're used, they tend to be in a specific spot and transitory. So there was a detection in Chicago: a guy was basically just sitting with his Rayhunter at a cafe, it pops up nearby, goes away a couple of hours later, and he goes to and from that cafe all the time with no other detections. So again, a bit of hypothesizing there, but again, I believe that's one of those scenarios of serving a search warrant or some similar activity, providing short-term surveillance and confirmation of who's in a room or who's in a building. I've also personally gotten detections up in New York, somewhere I imagine most of y'all have been through at some point in your lives. Any guesses where a cell-site simulator might be permanently set up in New York?

>> Times Square.

>> Close.

>> Uh, Central Station.

>> Yeah, like, Penn Station is the one I got the detection at. So my hypothesis... it could be a false positive, but if it is true, I think there might be a level of surveillance going on on non-traditional travel methods, right? If you can't travel via airplane for whatever reason, you might be traveling via rail or bus, a bus station. So if you had cell-site simulators at these locations, you'd have a higher chance of picking up on people who maybe have warrants or whatever. So I believe that might be some of the thought process going on there. Again, it could be a false positive detection, but I do get a hit on the Rayhunter at Penn Station every time I go through there. And then also, if any of y'all are feeling like a Mediterranean cruise,
you probably want to reconsider that. So the devs over at the EFF, this is the Turks and Caicos Islands over there. That is by far the worst, weirdest report they got, basically. I showed all the heuristics; all the heuristics flagged. And what's this QR code? That QR code is those pcap files on GitHub. So I know some of y'all nerds want to get some pcap files and just dig through them. So if you're curious about what a cell-site simulator attack looks like, that GitHub page has exactly what the worst-case-scenario attack looks like. I don't know what was going on in some of those islands, but apparently a couple of cell-site simulators were set up. I don't know if they're spying on billionaires or what, but definitely, maybe don't take your phone there.

Okay, so we've got at least a basic understanding of what cell-site simulators are, how they work, and where they might be used. Okay, Rayhunter tells me, "Cool, I'm near a cell-site simulator." What do I do? Well, the first part is thinking about signals intelligence and doing some threat modeling, right? If you're a soccer mom taking her kids to the game, maybe your threat model doesn't need to include cell-site simulators. You might get caught in some dragnet surveillance, but ultimately that's just incidental; no one's really looking for you. If you're a soccer mom taking her kids to the game and you also happen to be selling nuclear secrets to North Korea, then maybe your threat model needs to include cell-site simulators. So on the most basic level, you can always just pretend that it's the '80s, that cell phones don't exist. You just go live your life, probably a happier life, and [laughter] you just don't use a cell phone. That would completely negate all of these attacks, and you would live happily ever after. But that's maybe not realistic for all of us.

So then you can start looking at your apps. I know I might sound like one of those salesmen in the YouTube videos trying to sell you a VPN, but this is actually one of the use cases for a VPN: if you were targeted by that 2G downgrade attack, same as if you're on a sketchy Wi-Fi network, that VPN would help protect you from that, at least the data being detected or decrypted. So it's particularly useful against a 2G downgrade attack. You can also disable 2G. Most modern Android and iOS devices allow you to disable 2G. If you're in the US, basically you're just going to live your life as normal, and that's never going to cause any problems. If you do go overseas, it might cause some troubles, especially when you're in more rural areas; you might not have service. But again, maybe not the end of the world, but definitely consider that. I think both of those things are things you can easily do without impacting your day-to-day life, and at very little cost.

Now, what happens if I do go into an area and I am hit by a cell-site simulator? What can you do at that point? Well, you really can disable your cell; you can put it in airplane mode. I discourage airplane mode just because there is history of airplane mode lying to you. It doesn't
exactly always do what it says on the tin. You think it turns everything off and it's still transmitting or looking for signal. So, if you can disable your cellular, Wi-Fi, Bluetooth, GPS, etc. when you know you're in the proximity of a cell site simulator, that is going to go a long way. That will take them from being able to say "Michael is standing at this end of that room" to "he's within this, you know, mile radius." The other thing you can do is, if you have a Faraday bag (I know everyone carries around a Faraday bag all the time), basically this is a metal device that prevents radio signals
from going out. So, if you're able to shove your phone in a Faraday cage, you're guaranteed that no radio signals are going out and you're protected at that point. Fun fact: that's actually what the police will use against you if you're ever arrested. So if you're ever arrested and they take your device away, they're going to use that same technology, a Faraday bag, to put your phone in a little hidden box somewhere, so that way you can't remotely wipe your phone, you can't do all these things. So you can use their own technology against them sometimes, even if it's as simple as a tinfoil hat. Basically, that's what a Faraday cage is. And then right of boom. So after
the fact, the only thing kind of left at that point is you could swap your SIM card. That would change your IMSI number. But there are other identifiers on your cellular device that they may have gotten already. So that has dubious usefulness, but certainly wouldn't hurt anything. And then, of course, the best one of all: a burner phone. Again, it completely relies on your threat model. If you're a soccer mom, maybe you don't need it. If you're selling nuclear secrets, you definitely need it. But a burner phone would just be a spare Android device. You could easily get one for under $100. If you're going to a bunch of protests, it's probably a wise idea.
But this technology would allow you to completely negate any cell site simulators, because typically they rely on getting some more information from telco providers. So if you're using a prepaid SIM card on a burner phone, there's nothing really to gather there. So a lot of anonymity and flexibility there, but again, only if it fits your threat model.

So what opportunities for growth exist in the Rayhunter project? So, adding GPS: unfortunately, the Orbic doesn't have built-in GPS, and most mobile hotspots don't have built-in GPS. So you can get one of those little red bars and walk around half the day and not realize that you've been through a cell site simulator, try to look back, and
you have no idea where it was. So there are workarounds. You know, you can log your GPS location on your phone and just correlate the time. Maybe not the easiest thing to do. So if y'all do want to contribute to the Rayhunter project, one of the areas that could use some development is an iOS/Android app that's able to take some of those notifications, or link up with the hotspot, give you notifications, log GPS coordinates, that sort of information. There is a new feature where you can get some push notifications, so it's just not reliant on you staring at this little
mobile hotspot all day. That does end up requiring you to have an active SIM card, and it's a little wonky, but not too hard to set up. Some of the other things are continuing the deployment and the war driving, right? This is a relatively new project. It's only been out there about a year at this point. So we've certainly made some developments, you know, realized that they're not being used at protests like we thought they were. But there's still a lot of places to confirm or deny whether they are there, right? Like, a typical example would be around embassies, right? It's expected that many embassies have cell site
simulators nearby so that they can monitor who's going to and from them. But a lot of the places we've tested so far have been, you know, in the US, maybe a handful of places in Europe. But there's a lot of places, so if you're traveling overseas, definitely get a Rayhunter, take it with you, and then report it back to the EFF so we can get a better understanding of where they're being used. And that kind of ties into the next part, which is the EFF is collecting these reports, you know, of where cell site simulators are encountered. But there's no kind of map; or there's the Atlas of Surveillance, but that only gives you a
city-based location. If you're familiar with WiGLE, you know, you can go on WiGLE and say, "Hey, this cell tower is here. This access point's here," down to a street corner. But there's nothing like that for cell site simulators. I would love for something like that to exist, but that hasn't been made yet. So there are some privacy concerns there. The reason the EFF hasn't just jumped on that is that the PCAP files captured by the Rayhunter that get sent in do have some level of personally identifiable information on the device. So there's potential risk there. And you know, the EFF doesn't want to be the people that collect all
that data and then aggregate it and then get hacked, and everyone's PII got leaked because the EFF got hacked, right? Additionally, it's only available on a handful of devices currently. You know, I talked about that /dev/diag command. That command is supported by like 90-plus percent of Qualcomm modems. So if you find a hotspot, or a cell phone for that matter, that runs a Qualcomm modem, in theory it could be rooted and hacked and we could use that command to run Rayhunter on it. Unfortunately, you know, it's a small team. So if you like rooting devices, definitely think about contributing there. And then also, if
you are one of those awesome people that does have access to a cell site simulator, then if you could talk to the EFF so we could actually test against it. You know, we had the one commercial one we were able to test against, but not everyone's available. So getting some more test data there would also be incredibly useful. And so I want to make some acknowledgements to the EFF, the ones who really developed and pushed the open source firmware; the Counter Spy conference, where I learned a lot more information about this (those two talks are really great as well); and then the Open Source Cellular Test Beds talk by
Ronald Broberg I talked about earlier as well. So if you want to get involved, I do have some Rayhunters on me; after the talk you can talk to me. Otherwise you can get some on Amazon or eBay and flash them. But now I want to open the floor a little to any questions, because I know I did a big info dump there.

>> Yeah, two quick ones for you. Would it be possible for them to drive these
>> Absolutely, they are very transitory, because you've got to think this is a $100,000 asset, so for most police departments that's a fairly big investment. So while in use, they're
unlikely to be mobile while in use, but certainly it would be like, I'd go set one up in a certain place for a day, a week, whatever, and then I'd take it to my other area of interest and set it up. You could have it in motion, such as on an airplane. So there have been reports that, you know, you take a little Cessna, fly around a city, you've got much better line of sight at that point. You could collect more information that way. But that would be more on just the IMSI side. You would just be gathering some of that location data. If you wanted to do the 2G downgrade attack, that would maybe be a
little harder from a mobile platform, because also you don't maybe know where the target is for sure. So they could move outside of the radius.
>> One question, but have you tried and still?
>> I have not. In theory, if your phone's off, it's off, but again, it could be airplane mode again.
>> Yeah.
>> You know, that's where my... if you are in a place that you're very concerned about cell site simulators, like if you're in a SCIF, right, don't take a phone in there, or put it in a Faraday bag. But certainly there are emissions from cellular devices when it's in airplane mode and potentially when it's
off. Although you could always... I wish phones came apart like they used to and you could just unplug the power, the battery, but unfortunately those days are gone. Any other questions? Yeah.
>> I just learned about DAS, or distributed antenna systems, that are installed in like warehouses to kind of proxy cell signal. How does one of these behave with those? Does it look like it's being
>> So it wouldn't detect that, because essentially that is just relaying, like that's as if, you know, if you ever played the telephone game, right? It's just like passing the message along. It's not interacting with the message. So what he's describing, you know, is you're in a
warehouse, you're in essentially a big Faraday cage. You need to have an antenna outside. Then you run some coax cable to the inside and you have an antenna on the inside. So that way that signal gets from outside, radiates back inside, and that way you can connect on your phone. That would basically be transparent. As far as I'm aware, unless you were to physically tap into that coax cable, there's no attack there. That's kind of just passing the message along. The cell site simulators, what they're doing is actively manipulating those packets, and that's what we're detecting. Great question. Any other questions? Yeah.
>> You mentioned that one of the things you
could do once you were in range is turn off your signal, and that could reduce [snorts] the location accuracy.
>> So, you know, if you turned your phone off, or at least turned GPS off, then they would just be reliant on "okay, they're in this general area," so they are close enough to have cell signal, right? Because without GPS they wouldn't be able to get your exact corner. Mind you, there are other attacks that could come into play there. You know, triangulation based on cell; there are other ways they could try to get your location. But generally speaking, best bet, you know, turn your phone off. If
you don't have a Rayhunter, if you don't have some method of detecting it, I would just be cautious in certain scenarios. If you're going to a sensitive meeting, you know, if you're going to a protest, I would still just turn my phone off, maybe not take it. But yeah, any other questions?
>> Do we have any kind of idea, like, what the radius of these
>> So it's, okay, the starting-off point would just be the same radius as a normal cell tower, so a mile-ish, maybe a little more, maybe a little less. Certainly it's going to be on the lesser extent of that, because these devices tend to be smaller mobile devices, you
know, you get stuff that's briefcase size to like a small server rack size. So like that SUV that I showed, I would expect that to have a several-block radius within a city. But certainly not, you know, miles. So they are fairly proximal. You're not going to do citywide surveillance unless you do something like fly a Cessna over the city, and then there are other ways to detect that kind of behavior.
>> Yeah. Was there a question in the back?
>> Yeah. Let's say somebody...
>> I don't know about where you would actually buy the materials, but basically you just want, like, Mylar-type, like you could literally just get
like an emergency blanket, like Mylar, aluminized. Maybe not; like, literally the cheapest thing would just be aluminum foil. Like, I don't know how much you all know about this, but shoplifters, what they'll do is they'll just take a bag and they'll line it with aluminum foil, and that's how they'll steal stuff out of shops when they have the scanners at the doors. So certainly a similar thing could work. The Faraday bag, you know, I have is kind of like a Mylar-type-ish material, a metallized fabric. The problem is sometimes those aren't all they're cracked up to be. They're good at weak signals like NFC or key fob
type stuff, but your phone again, in its infinite wisdom, trying to help you all the time, if it can't get a signal, you know what it does? It talks louder, and it talks louder and louder and louder until something can hear it. And so sometimes that can find the weaknesses in a Faraday bag and can break out. So that's why I don't say that it's foolproof. But certainly, if you're going somewhere where your threat model suggests that there might be danger, wrapping it in aluminum foil won't hurt anything. You'll look like a weirdo, but who cares? We're all weirdos for something. Yeah, great question. Any other questions?
Awesome. Yeah. So again, I've got some Rayhunters up here available now if you want one. Otherwise, get one on Amazon. Yeah. Thank you. [applause]
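The GPS workaround the speaker describes for a hotspot without a GPS receiver (log your position on the phone, then match the detector's alert times against that log afterwards), worked through as an added example. This is not Rayhunter's code, and it does not assume Rayhunter's real alert or capture format: it assumes two hypothetical inputs, a CSV GPS track of `timestamp,lat,lon` lines and a list of alert timestamps, both constructed inline below. The point a practitioner wants handled is the failure mode: an alert that falls inside a gap in the track longer than the tolerance gets no location rather than a misleading one.

```python
"""Correlate cell-site-simulator alert times with a phone GPS log.

Added illustration of the "log GPS on the phone, correlate the time"
workaround. Not Rayhunter's own code; the input formats are assumptions:
  - GPS track: CSV lines "ISO8601-UTC,lat,lon" (constructed sample below)
  - alerts:    ISO8601-UTC timestamps (constructed sample below)
"""
from bisect import bisect_left
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample GPS track (not real data): fixes about a minute apart,
# with a deliberate 28-minute gap between 14:02 and 14:30.
SAMPLE_TRACK_CSV = """\
2024-05-04T14:00:00Z,39.9526,-75.1652
2024-05-04T14:01:00Z,39.9530,-75.1660
2024-05-04T14:02:00Z,39.9535,-75.1668
2024-05-04T14:30:00Z,39.9600,-75.1700
2024-05-04T14:31:00Z,39.9605,-75.1710
"""

# Constructed sample alert times (hypothetical; not a real detector's output).
SAMPLE_ALERTS = [
    "2024-05-04T14:01:20Z",  # inside the dense part of the track
    "2024-05-04T14:15:00Z",  # inside the GPS gap: must yield no location
    "2024-05-04T14:30:30Z",  # equidistant between two fixes
]


def parse_ts(s: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' means UTC. Always tz-aware."""
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def parse_track(csv_text: str) -> list:
    """Parse 'timestamp,lat,lon' lines into (datetime, lat, lon), sorted by time."""
    fixes = []
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, lat, lon = line.split(",")
        fixes.append((parse_ts(ts), float(lat), float(lon)))
    fixes.sort(key=lambda f: f[0])
    return fixes


def nearest_fix(fixes: list, when: datetime, max_gap: timedelta) -> Optional[tuple]:
    """Return the fix closest in time to `when`, or None if none lies within max_gap."""
    if not fixes:
        return None
    times = [f[0] for f in fixes]
    i = bisect_left(times, when)
    # Only the neighbours on either side of the insertion point can be closest.
    candidates = [fixes[j] for j in (i - 1, i) if 0 <= j < len(fixes)]
    best = min(candidates, key=lambda f: abs(f[0] - when))
    if abs(best[0] - when) > max_gap:
        return None
    return best


def correlate(csv_text: str, alert_times: list, max_gap_seconds: int = 120) -> list:
    """For each alert return (alert, lat, lon, seconds_from_fix); None fields if no fix."""
    fixes = parse_track(csv_text)
    gap = timedelta(seconds=max_gap_seconds)
    results = []
    for alert in alert_times:
        t = parse_ts(alert)
        fix = nearest_fix(fixes, t, gap)
        if fix is None:
            results.append((alert, None, None, None))
        else:
            results.append((alert, fix[1], fix[2], int(abs((fix[0] - t).total_seconds()))))
    return results


if __name__ == "__main__":
    for alert, lat, lon, delta in correlate(SAMPLE_TRACK_CSV, SAMPLE_ALERTS):
        if lat is None:
            print(f"{alert}: no GPS fix within window, location unknown")
        else:
            print(f"{alert}: about ({lat:.4f}, {lon:.4f}), fix {delta}s from alert")
```

The tolerance window is the design decision: with a walking pace and a fix every minute, two minutes keeps the error to a few hundred metres, which is already finer than the block-scale radius the speaker attributes to these devices; widen it for a sparser track, but never let an alert silently snap to a fix half an hour away.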