
BSidesSF 2026 - Getting PCAPs from Stingrays for $20 with Rayhunter (Cooper Quintin, Will Greenberg)

BSidesSF · 46:26 · 14 views · Published 2026-05
About this talk
Getting PCAPs from Stingrays for $20 with Rayhunter
Cooper Quintin, Will Greenberg

What if you could use Wireshark on the connection between your cellphone and the tower it's connected to? In this talk we present Rayhunter, a cell site simulator detector built on top of a cheap mobile hotspot. We will discuss the technical details, what we have found so far, and our future plans.

https://bsidessf2026.sched.com/event/35b81882254a6a6816a5637189e034c1

Transcript

Hi everybody. Uh, welcome to the second talk in theater 2 today. Hope you all had a good lunch. I'd like to introduce uh, Copper Quinton >> Cooper Cooper Quinton and Will Greenberg. Um, today they're going to be talking about getting pecaps from Stingrays for $20 with Ray Hunter. Uh, quick round of applause for these guys. >> Thank you. Uh, all right. Is this on? Good. Excellent. Adjust this a bit. Thank you. Awesome. Uh, so yeah. Hi everybody. Uh, my name is Cooper Quinton. I am a senior staff technologist at the Electronic Frontier Foundation. If this is your first time hearing of EFF, we're a nonprofit. We've been around for 30 years. Our mission is to defend civil liberties and human

rights in the digital world. Uh, I've been at EFF for 12 years. Inaccurate slide. Um, and in my time at EFF, I have worked on many things such as privacy badger, state sponsored malware campaigns, researching street level surveillance, our threat lab project, um, and also mobile security, which is what we'll be talking about today. >> Hey, uh, I'm Will Greenberg. I'm also a senior staff technologist at the FF. Uh, I primarily work on SERBOT, uh, as well as on the threat lab and SLS teams. um generally reverse engineering projects uh and then also Ray Hunter which is what we're gonna talk about with you today. >> Oh, and yeah, we are the Electronic Frontier Foundation. Uh so today we're

going to talk about stingrays, also known as cells site simulators, MC catchers. Uh these are all this roughly the same thing. Uh the pedantic among you might tell me, "No, those are actually slightly different things." They are, but I don't care. I'm going to use the terms interchangeably. Um, and this is a picture of a stingray. And, uh, what a stingray does, if you're not familiar, is it's a fake cell tower that intercepts the connection between your phone and a real cell tower and tries to get your phone to connect to it instead of the real cell tower. This can be done for the purposes of tracking down a specific person, like in a manhunt or in

a search and rescue type of situation. Um or it can also downgrade your connection uh to do a man-in-the-middle attack to inject uh to inject calls or to listen to your communications. Um mostly what law enforcement uses it for is to do the uh manhunt type of situation. However, and how did EFF get interested in stingrays? So uh obviously there are some civil liberties implications to this technology. I first got interested when uh folks in 2020, was it? No, earlier than that, 2016, uh were out protesting the Dakota Access Pipeline in Mandanda, North Dakota. Uh there was a big pipeline encampment that was out there for several months. Um, and they had started to get worried that

perhaps the North Dakota police or other private uh uh private security entities out there were flying MC catchers over the area. A few people had apps that seem to indicate this. Um, and they sent us some stuff and they were worried. So, we thought we'd go and check it out because if police were using MC catchers to spy on a protest, that would be a major concern and potentially a major violation of our Fourth Amendment rights. So, I flew out there. where I gathered together a few apps that reported to detect MC catchers and some software defined radios and a few other things and flew out there to see what I could figure out on the ground. Uh got all my

equipment together, spent about a week out there and what I figured out was that I had no idea what I was doing. A lot of the apps gave a lot of information. Some of it might have been false positives. It was very unclear what it actually indicated. Um, I had brought a couple of Nokia cell phones that were old brick phones, 2G only, um, that I could record PECAPS from. And, uh, what I got was nothing because there was actually no 2G service out there. The software defined radios I hooked up, I was getting some interesting waterfall diagrams, but I didn't know what to make of those either and drew no conclusions from the whole

process. So, we went back to the drawing board. And at the time, I came up with three goals I wanted to uh, achieve. One was that I wanted to figure out how often cells site simulators were being used specifically to spy on protests but in general as well. Two, I wanted to determine what kind of attacks modern cellite simulators were using because we had a lot of research on older cells site simulators, all of a stingray which is long discontinued but not on newer ones. And three, we wanted to figure out if we could detect modern cells sight simulators reliably. So for the first goal, how often are cells sight simulators being used? This one we can figure out. It's it's there's

no direct way to figure out, but we can figure some of it out from public records. We can figure some of it out from other reporting. We know that foreign spies are using cellside simulators and presumably US spies as well, not just foreign ones. Um, but there was a lot of reporting a few years back about MC catchers being found in and around the US capital and in Washington DC. Uh there's also reporting from Amnesty USA about cyber mercenaries using IMC catchers. NSO group who makes the Pegasus malware which is uh you know one of the premier ones uh was found at least in one case to have distributed the Pegasus malware through the use of

an MC catcher downgrading a person's connection so that they could inject a redirect to a plain text HTTP website which would then install the malware. Um, we also know that ICE and DHS use used their MC catchers hundreds of times per year. Uh, from 2012 to 2019, they used their MC catcher almost 5,000 times according to public records which were gotten by the ACLU. And local law enforcement uses theirs as well. from advertising documents from Jacobs, one of the big manufacturers. We found out that the Fontana, California, and this is a suburb of San Bernardino down in down by Los Angeles. They use theirs uh 300 times between 2022 and 2023, and they've purchased three cells sight

simulators. It seems like they loan theirs a out a lot to the surrounding uh you know, neighboring agencies. Um but San Bernardino, their neighbor city, used theirs 231 times in 2017. So this is happening a lot. It does seem like MC catcher use might have changed in 2020. Uh in 2020 there was the Carpenter versus US Supreme Court decision where the Supreme Court decided that historical cell site location information did would require a warrant for law enforcement to get. And it does seem like perhaps some law enforcement agencies decided that now this applied to MC catchers as well and they would need to get a warrant to use an MC catcher. And this has curbed their use

because cops don't like having to get warrants. But uh what's going on in Fontana in that case? Unclear. Do they have a judge who's just happy to rubber stamp any warrant or do they not think that they need a warrant for this still? So lots of law enforcement has CSS uh cells sight simulators. This is a map from our Atlas of Surveillance project of every law enforcement agency in the US that has a cellite simulator. And as you can see, basically every major metropolitan area has at least one, if not more. Cells site simulators are also used to do crime. Uh there was a pretty famous story from uh Paris a couple of years ago where a woman was driving around

with a bunch of equipment in her car and got pulled over. Uh the cops who pulled her over thought it was a bomb. They called out the bomb squad. Bomb squad look took a look at it and they called out the IT squad who figured out that it was a cellside simulator. She was driving around with a Wi-Fi modem, a couple of software defined radios, and a big battery, which is what made them think bomb. Um, and she was using it to do a SMS fishing scam, basically sending out a text, downgrading people's connections to 2G, and then sending out a text message that was from the legitimate number of the help French health ministry. I don't know what

you're scamming in a place with universal healthcare, but hey, I would love to find out by having universal healthcare. So the next goal we had was figuring out how 4G cellite simulators work. Like I said, there was a lot of research already on 2G cellite simulators, the Stingray, and we knew full well what advantages 2G took took it or what two what vulnerabilities in 2G were being taken advantage of, but we really had no idea for 4G. Um because 4G had upped the game and had so in 2G phones would have to authenticate themselves to the tower as a as a real subscribed plan. But the the tower and the network never had to authenticate itself to the phone. So

it's really easy to stand up a fake network and a fake tower and route traffic. With 4G, that was not the case. The network had to authenticate itself mutually with the phone using key material that only the network should have. So we spent uh me and my colleague Yamna spent uh a few months looking at all of the literature on vulnerabilities in 4G and she synthesized it all into this really lovely paper called got to catch them all which explains what we think are the most likely attacks on 4G that MC catchers could use. And to summarize it a little bit, even though the user equipment, the phone authenticates the tower or the network, there are still several messages that

get sent, received, and trusted before authentication ever happens or without requiring any sort of authentication at all. It's not like HTTPS where you authenticate and then you start sending traffic. Some messages are authenticated, some messages are not. Many of the most important setup messages are never authenticated. Um, and this is the weak spot in which the vast majority of 4G attacks happen, including downgrade attacks to insecure protocols like 2G. Um, this is a diagram of of sort of the first three layers of the mobile network stack. Um, you have the physical layer which handles frame synchronization, basically when to connect to the radio. Then you have the RRC radio resource control layer which has system

information blocks, master information block. This handles connection and setup and like neighbor cells and how you should connect to the network. And then there's non-access stratum which is what handles actually it's what handles access which is weird. It's it's what handles attaching to the core network and authentication and all of that stuff. But all of these packets in the RRC and the NAS which are some of the most important protocols in connecting are not authenticated. Basically, you don't start authentication until you get past the attach complete step of this diagram. So, this is where we're looking. But doesn't 5G fix all this? Shouldn't we just stop all this cuz everyone's on 5G? Well, no. 5G doesn't fix it. 5G still

has problems. First of all, not everybody's on 5G. Most of the world is not. Uh, and a lot of the US is not on 5G, but there are already companies selling ways for law enforcement to get around 5G. This company, Group 2000, sells an app called the Lima 5G Cellpro, which with a piece of equipment in a uh Telos's uh building. Um, they you they can allow cops with a click of a button to turn off 5G for a whole area, downgrading everybody's connection to 4G, 3G, or 2G. Um, so no 5G doesn't fix the problem and there are other holes people are finding every day and there are a lot of native 5GMC catchers being sold now and that's

a that's a potential direction of future research for us. So the next thing we wanted to figure out is can we detect native 4G cellite simulators? So there were a lot of detection methods for the Stingray and other 2G cellite simulators, but the Stingray is long out of date. This is a product from the 90s and early 2000s. Harris stopped selling it and it upgraded to 4G native. Key uh had taken over L3 Harris's market when they stopped selling to local police and their device is 4G native. So, can we figure out how to detect 4G cellite simulators? Our first at this attempt at this was a project called Crocodile Hunter. Um and and if if you've used

Crocodile Hunter, I'm sorry. Crocodile Hunter uh ran on Linux and this was the hardware stack for it. You required a Edetis B200 software defined radio which runs for about $1,000. Um, and you needed a Linux laptop. You needed to be able to com compile a C program. Um, and you needed a bunch of antennas which you put on top of your car which totally didn't make you look suspicious when you were driving around Black Lives Matter protest in 2020. Um, this is a uh this is the user interface for it. Now, as you can see, what we were doing with Crocodoner was trying to map out the location of every cell tower and using fox hunting, looking for anything

suspicious, and then trying to track down the tower. It was one of those ideas that is really cool in theory, but only works for me. And when I tried to give it to anybody else, it turns out journalists don't want to compile C. They sure as hell don't want to buy a thousand software to find radio. Um, and they don't really want to install Linux for that matter. So, there were some problems with it. It was also really difficult to set up and it was hard to interpret the results. There were a bunch of little black skulls on that last slide and every one of those is just something that we thought was maybe a suspicious

tower. Now, there weren't 50 suspicious towers during Dreamforce. There weren't 50 MC catchers running around downtown San Francisco. So, this was really hard to figure out for people who were journalists, for lay people who didn't want to go, you know, kind of vibes-based, not vibe coding, but vibes interpret the results of this and figure out which ones were worth looking at. Um, so we went back to the drawing board and thought, can we do better? Will, can we do better? >> Yes. Uh, yeah. So, Ray Hunter, uh, in some ways, uh, can be thought of as Crocodile Hunter 2.0. Um, and the project got started when a friend of the EFF, Matthew Garrett, tipped us off to a

pretty cheap mobile hotspot called the Orbit. Um, which, uh, runs Android, uh, runs a Qualcomm bassband, which will be important in a second. Um, and was very easy to route. Uh, and so we figured that this might be a great device for an upgraded version of Crocodile Hunter. Um, so Ray Hunter is easy to install, at least relatively relative to Crocodile Hunter. Um, you basically have to just go to our GitHub page, download our like release zip and run a script, then you have croc or uh then you have ray hunter installed. Um, it also exposes a pretty simple UI to the user so that even if you don't know much about telekcom or 4G, you can know if something suspicious

was going on. Um, we also wrote it in Rust because we're in a very memory constrained uh environment on this device. Uh, so it's it's also just more ergonomic than writing in C. Um, and Ray Hunter the name, we like the name. It's it was like number five on our list. The first four were trademarked. So our lawy lawyer said that we could not use them. Um so here's the web UI. This is basically what uh since it's a mobile hotspot, it has a Wi-Fi network and you can just attach to it um and go to the gateway address col880 and then we expose this UI to you. Um so at the top left of the screen here, you can see uh

Ray Hunter is currently recording uh 4G traffic. It has detected zero warnings. Um and you can download uh the um packet trace basically in two different formats which we'll talk about in a bit. And then it also shows uh historically all the other recordings uh stored on the device. Um so you can see this top one in the history section has two warnings associated with it. And if you clicked on that little arrow, it would explain kind of what we think was suspicious about it. Um and importantly you can download any of these samples and then send them to us basically or another telecom expert that you trust uh so that we can analyze them see what's going on

and maybe even improve our heristics. So, our goals for this project, um, similar to Crocodile Hunter, we were trying to we this project started in late 2023, early 2024, uh, when there was a spate of, uh, protests going on in the United States for some reason. Um, and we wanted to get a sense of whether or not law enforcement was using cellsite simulators to sort of do draget surveillance on these protests. Um, so the goal was to get this in the hands of a lot of people, as many as possible, get a lot of data about uh sort of possible CSS use AC across the country. Um, and also get a clearer picture of how cells site simulators are being used

outside of the US. Um, because you know, other law enforcement agencies around the world may have looser restrictions about using them or as we've explored, they're also used uh for various uh crime related purposes. Um, this because Ray Hunter lets you download actual 4G packet traces, we can also learn more about the actual exploits that these uh cells site simulators use uh to attack uh user equipment or phones. And ultimately, our goal is to uh clear up like fear, uncertainty, and doubt about how often these things are being used. Um, and that would allow activists, journalists, everyday people to develop more accurate threat models for going out and, uh, doing what they want to do.

So, how does this thing actually work? Um, this is the Orbit on the screen. Um, like I said, it runs a Qualcomm bassband chip. Um, and this is important because Qualcomm uh, uh, cell phones um, expose this very handy diagnostic protocol that they call diag creatively. Um, and if you know how to use it, you can basically get raw radio data frames uh from the chip. So, Ray Hunter enables that parses these into the RC and NAS messages um which uh we then uh parse into Rust data structures that our uh various huristics can analyze and look for anomalies in. And then it reports uh the results to the user either through the web UI that I showed you earlier or

this is the screen that's on the device. There's a little green line at the top of the screen. Uh that's just we're bashing out green pixels to the frame buffer. That basically indicates that we haven't seen anything weird yet in this recording. It turns red if it has. So if you're just like walking around, you can take it out of your pocket and be like, "Oh, hey, something weird's going on." Um so this is kind of a overflow, an overview of the data flow um through Ray Hunter. So on the left hand side, uh, dev diag is a file that Qualcomm exposes to the Linux kernel, um, and lets you basically interact with the Diag protocol with. Um, so we'll go into

how we enable DIAG logging in a bit, but um, we're basically reading this on a loop to get the the raw radio data frames. Um, we then immediately spit those out into a QMDL file. QMDL is an extension that, um, Qualcomm uses for their actual packet traces. And uh it we'll we'll talk a bit about why that's important in a second. But having this raw data file is very important for ray hunter's operation. Um then we take the unpared frames as just binary uh buffers that uh we haven't parsed yet and we dump them also into a pcap file because the fine folks at the open-source mobile consortium I forget osmoomcom uh the they're a fantastic community of people

who do reverse engineering for telecom devices. Um they put together a like wire sharkark dissector for 4G and 3G I think also 5G. Um, and in order to uh put these put this data into a pcap file, you just have to attach a like fake GSM tap header. And you can think of this as like in the same way that like UDP data is prefixed by a UDP header. Um, telecom data is prefixed by a GSM tap header. Um, and then we also uh parse all that data, put it into rust data structures that our uh analyzers can actually uh check. So uh enabling the dev diag file for logging. This is something that also

osmicom has our back with. Uh they've basically reverse engineered how this works. Um we are also building on a lot of prior art from applications like snoopn snitch. Um and really all we're doing is throwing a couple octals to the dev diag file. This tells uh the bassband we would like to enable diagnostic logging. Um, and then we also write a uh encoded request saying here are the types of things that we would like to have logged. So for example, we're interested in RC and NAS messages. Um, and then basically we just read this file on loop. Uh, and then that's how we get the data frames. One second, please.

Um, and because we're like reading and writing a lot of binary buffers, we also use this like fantastic library called DEU. It's a declarative Rust library that lets you say like, "Hey, I've got this like Rustruct and I would like to uh serialize or deserialize this to binary." Um, I use it all the time. I love to shout it out. Um so yeah, we're interested in these RC messages and NAS messages. RC is a spec that's defined in something called ASN1, which is the uh abstract syntax syntax notation. Uh it's the same syntax uh that excuse me um that like X509 and like certificates are specified in. Um NAS messages are in a much less friendly

format called CSN, concrete syntax notation. Um, basically the long and short of it is, uh, ASN1 is much more widely used and we were able to find a Rust parser generator for it. Um, so what we do is we basically run, uh, this parser generator on the exact spec that comes from 3GPP, which is the consortium that like standardizes all Telecom um, uh, protocols, and it spits out like 50,000 lines of Rust code that we have to compile every time we compile Ray Hunter. um NAS messages are we can't do that with that. Um so instead we wrote this thing called Pyrate RS which um utilizes an existing Python library. Um sorry I'm forgetting to breathe. Uh so

it uses this uh existing pi uh Python library called Pyrate. Um it's basically the standard for open source telecom parsing. Um, and what Pyra RS does is it loads that Python like parsing class, traverses the the class metadata and outputs a ton of Rust code that we can then parse uh NAS messages with. Um, so this is uh the trait that sort of defines how we do our uh heristics. Um, so if you're writing a heristic for like determining whether or not a message is suspicious, you would just like implement this in Rust. Um, so you expose a couple like basic bits of metadata like the name and description of what your warning is uh detecting.

Um, you also like specify a version so that we can see if uh like a log from this heristic is out of date. Um, and then you write this analyze information element function which here's an example. This is like pretty much the shortest one I could find. Um, this is looking at an information element which is kind of the telecom term of art for a packet. And what this is doing is looking for um it's sorry if you don't speak Russ but like this is dstructuring the information element to see if it's a 4G packet which is the LTE um if it's a broadcast synchronization uh downlink packet which is BCC HDL um and then checking to see if it's a SB

one block which is kind of metadata that cell towers just blast out to all cell all uh user uh equipment around them And if that SIB block um basically doesn't specify like how to read subsequent SIB blocks, we would consider this kind of weird. So we in this case just emit like anformational log message. So this is just saying like hey the SI message was like kind of weird. Um if this was more of a smoking gun heristic, which Cooper is going to talk about in a second, um then it would emit like a warning and this would actually get shown to the user. Uh so I'm going to pass back to Cooper to talk about the other

heristics. >> Yeah. So we have four sorry we have four main categories of huristics so far. Um and one of our design goals for this one of our design goals for this has been to produce as many sorry as few false positives as possible. We really don't want to alert people unless we're fairly sure that something weird is going on. So the first heristic we have is 2G downgrade. downgrading you to a um to a to an insecure protocol. This is the attack that MC catchers could again use if they wanted to inject content like inject fake SMS messages or intercept your content, intercept your phone calls or something like that. Um for this we monitor some

of the RC packets for either a redirect to 2G or a tower that's advertising 2G towers at a higher priority than a 4G tower. This should pretty much never happen. Um, and we we had done this one wrong at first. We got the priorities mixed up. But now this works everywhere. Even in countries where 2G still exists. Even in country, even in those countries, your 4G tower should not be advertising 2G at a higher priority. Um, and especially in countries like the US where 2G towers have all been decommissioned. Um, this should raise some significant alarms if you see it because nobody is operating a legitimate 2G tower here. Uh we also look for null

cipher use. So typically the like I said many of the packets between your uh phone and the tower you're connected to are encrypted again between the phone and the tower. This is not end to end encryption. Um but one of the ciphers that the tower can suggest the network can suggest using is a null cipher. Basically exor your thing with all zeros. The output the ciphered output of hello would be hello right. Um, and this is useful for if you're making a 911 call, right? And you don't have a SIM card or your SIM card doesn't have key material. It's outdated. The network doesn't have a key for you. You still need to be able to connect to the

network and make a 911 call under any circumstances. And that's what null ciphers are used for. They're also used for content interception or content injection because if you're encrypting with nothing, anything can uh suggest that. So, if you're not making a 911 call and this pops up, we think it's pretty suspicious. The other one we look for, and this one's not as good, is missing neighbor cells. Um, but we put this one in here because, uh, it's something we saw in the real world. Basically, that MC catcher developers are lazy. They don't end up sending the packets that would specify neighbor cells that pretty that most legit cells do. This one's not very good on its own. Sometimes you find a

lonely cell that just literally doesn't have any neighbor cells. But in conjunction, especially with the next one, um it's a good indicator that something suspicious is going on. The identity request for MZ or IMEI. MZ, by the way, if I didn't define that, is the uh unique ID that's associated with your SIM card. Basically, it's how the phone network knows who to bill to. Um and the IMEI is the unique identifier for your equipment, international mobile equipment ID. Um and what we do is we look for when the network requests your MSY or IMEI uh in a message that happens and does not have any authentication followup. Usually the network will say, "Hey, give me your identity. Give me

your MY or IMEI." And then kick you off without authentication. Unfortunately, this happens a lot of times for legitimate reasons. Uh it happens often when roaming and this is by far our biggest source of false positives. If you're roaming on networks which you do not belong to, um they will sometimes ask for your ISY because they're trying to figure out if they really should give you service or not and then kick you off without any uh you know unceremoniously kick you off the network. But we have this one because MC catchers what they do is they catches and we know that it's used by commercials catchers. Um but we're we're we are still trying Oh, I messed up my

own talk. Oh well. Anyway, we're still trying to to figure out better ways to look for this. Um, and at first we had some pretty uh naive ways of just alerting every time the MZY got sent out. This is all also if you have a Pixel 10 that'll alert you uh when your MC is sent out, this is what they're doing. They're just looking for anytime the MC is sent out. And that's not really useful because again, this happens a lot for legitimate reasons. Um, but when there's no authentication and then a detach and it's on your home network, that's what we find especially suspicious. Um, and it's it's hard to find MC catchers. This has been a hard problem.

Like I said, we're we are trying to make the smallest number of false positives as we can. But what we're doing at the end of the day is threat hunting. And if any of you are threat hunters, uh, you might know it's it's a little bit vibes-based, right? It's an art and a science, right? Uh things happen in the network sometimes that are just weird. The cell phone network is a standard defined by 300 companies and 100 governments who all hate each other. Um and every company implements it slightly different. The standards are vague in many places. Um and this ends up creating a false a lot of false positives. But we do feel good about our

heristics. um because we have actually tested them against commercial MC catchers in a lab. So our friends at the uh mobile phone company Cape um came to us and said, "Hey, uh we have we have access to a commercial catcher that law enforcement uses uh through some friends of ours at a university which shall not be named. Uh would you like us to test Ray Hunter out?" Well, hell yeah, we would. Uh that sounds amazing. Yes, please do. So they brought Ray Hunter around and tested it out and this is what we got. Uh it did detect it. It did in fact work. Um so we have this pcap of um of the commercial MC catcher working.

And uh I won't bore you with the details, but basically it pretends to be from another area which gives it a new uh location area code which makes the phone think that it's in a new area. uh it's then uh sends a tracking area update request to which a valid response is to send an identity request. So the tower sends an identity request asking for the phone's IMSY. The phone sends back its MC. Oh, here you go. You you need this. This all seems to be in order. And then the tower unceremonously kicks it off from the network, says update area illegal illegal user equipment. Um and sends it back to the old tower. So this is how a commercial

IC catcher used by law enforcement works. And did Ray Hunter detect it? Yes, of course it did. So this is the logs from our from our command line tool, Ray Hunter check, which just implements Ray Hunter's uh heristics for the command line and can scan a pcap. Um, and as you can see, we have four alerts for this. uh three of which are the tower not having any neighbor cells and then disconnected after an identity request without any follow-up au authentication. So we know Ray Hunter works in a lab setting, but we also have results from the field. So far we've received about 160 reports from people all over the US and in several other

countries. 23 of those reports were ones that we considered highly suspicious. we cannot disprove them as being an MC catcher. Every report I get, I try to do vaguely good science and disprove my hypothesis. I start out with the theory this is not an MC catcher, right? And then I try to and I try to disprove it. So 23 we think are highly suspicious. I can't prove that they are not MC catchers. 30 uh what I call need further analysis. Basically um these are ones that I'm on the fence about. they might be false positives, they might not. Um, we have 40 which I think are which I'm much more sure are false positives. Uh, we have 31

which we received which were definitely false positives, which we have since fixed, and we have about 30, uh, non-alerting recordings, negative results that people have sent us, uh, for our own, uh, you know, continued knowledge and edification. It's good to have alerts that don't trigger, because the really cool thing about Rayhunter is that it's creating all of these pcaps, which we can then, once we have these records, if we find out that one of our tests was incorrect, which we have, or if we find out, you know, if we write a better test, we can rescan a negative pcap and maybe we find something new. Or if we have something suspicious and we figured out that we wrote the wrong

signature, we can rescan it and maybe it turns out that it wasn't ever suspicious in the first place. So, uh, let's go over a couple of the most suspicious things that we found out in the field. So, this is from a run in downtown Chicago in, uh, May of last year. Uh, and this was apropos of nothing. Uh, this guy was running around downtown running some errands, uh, ended up in a cafe, and suddenly over the course of about an hour he got dozens of warnings of a tower requesting his identity and then disconnecting, over and over and over again. And this is exactly the same behavior as we saw from the commercial IMSI catcher in our lab. So we feel pretty

good about this one. Chicago PD does own an IMSI catcher, and it is suspected that they are a bit, uh, let's say liberal with their use of it, um, and their ideas about whether or not they need warrants. So having looked at this pcap, we feel pretty good about that one. An even more fun one, and sorry I have different formats for each of these, is, uh, from Toronto, Canada. So in this case, what we saw was an IMSI catcher or what? Well, we saw a tower, um, that does a tracking area update, gets the device to connect to it, asks for its IMSI, then

suggests using a null cipher, uh, to have a plain text conversation, and then finally suggests downgrading to 2G. This triggers almost every heuristic we have. Um, and it's pretty awesome. We also know that the Mounties have catchers that they again are pretty liberal with using. Uh, and so we feel pretty good about this one being a real IMSI catcher. Again, this was downtown during the day. Um, you know, apropos of nothing in particular going on that was noteworthy. Uh, at least from a civil liberties perspective. We don't know why they would have been using it. We have another super fun one that I got recently from Los Angeles. Um, and this was around the time of the, uh, of

the ICE invasion of Los Angeles. It was maybe a little before or a little after. It wasn't during the height of the protesting and of the law enforcement rioting, but it was close to it. But in this case, uh, this guy is home at night and, um, all of a sudden, Rayhunter lights up with a null cipher request, apropos of nothing, in the middle of the night. Now, like I said, null ciphers should never happen unless you're calling 911, and it will only happen for your equipment. So, this one I find very sus. Oh, sorry, and it's a null cipher request. And it also then asks for his IMEI, which is his

equipment ID, which is sort of the gold standard we're hearing. Um, because you can change your SIM easier than you can change your phone. Um, so this one is super interesting to me. It's the first time I've seen a null cipher used in the US, and this is not one that we've seen, like, false positives of either. So really curious what's going on there. Also again, Los Angeles jurisdiction we know has several IMSI catchers floating around, and of course ICE, uh, we know has IMSI catchers as well. But what about protests? So we had a lot of people bring these out to the No Kings protests, uh, over the course of the last summer, and what we found was nothing. Many

people sent us their recordings from the No Kings protests, and there was not a single recording that triggered any heuristics, which we found really interesting. So, it seems like maybe, you know, it's again, the data is limited, but so far we haven't found any data that shows that law enforcement are currently using these to spy on protests, which is great. That's what we want. If law enforcement is only using these to, you know, do manhunts or make sure that they have the right house before they do a SWAT raid. I mean, I don't want to live in a world with SWAT raids anyway, but if there are going to be SWAT raids, it'd be

good if they had the right house, right? I could raise issues with this, but I have bigger fish to fry if that's all they're using it for. Uh, we also had a lot of people using these in Minneapolis. Hundreds of these got distributed in Minneapolis, uh, this winter when ICE was invading that city. Um, and again, we found nothing. Uh, we got several recordings, several, uh, negative controls from Minneapolis, but nothing that was positive, uh, for, um, detection. So, great, right? Like maybe ICE is being a little more sparing with these, but I don't trust them. I don't trust ICE, and I want us to keep bringing these around so that we

can know if law enforcement does start using these again. We have a lot more results. Uh, like I said, there are some that are more ambiguous, and analysis is hard. Um, but we're going through all of them, and we're trying to figure out how we can publish some of what we found in a more accessible way. But again, we don't want to, you know, violate the privacy of anybody who sent us these. Um, when was I handing it off to you again? Now? No, not now. Later. All right. Uh, we still have a lot more to do on the project. Um, oh yeah, I think you take it. >> Yeah. So, plenty of stuff to do still.

Um, we would love to have a more user friendly GUI installer. Um, so that no one ever has to open a terminal to use Rayhunter. Um, that would be a huge boon for us. Uh, there's tons of UI improvements. Um, the web UI I showed you, uh, that's already a huge improvement, uh, from where we started, which was very programmer art and just a white background with black text on it. Um, but we could still, uh, have a lot more, uh, improvements of that, and also, uh, device specific, uh, screen UI would be extremely useful so that you can check Rayhunter results on the go. Um, yeah, getting better, uh, signatures on, like, known

attacks, that would be very great, having, uh, known attacks that we could run our bevy of analyzers against. Super useful. Um, international support. Uh, the Orbic does not work everywhere in the world. Um, and generally speaking, we kind of need to do bespoke exploits on these devices as we support more and more of them. So, uh, if there's a known device that's easily exploitable, uh, elsewhere in the world, let us know about it. We would love to hear that. Also, 5G support. Uh, we have not even begun analyzing 5G CSS attacks. So, um, if there is a good candidate for a cheap 5G device with ideally a screen and maybe even a speaker, uh, that would be

awesome. Um, and as for how people can get involved, um >> yeah, specifically if you're not programmers, um, an obvious answer for if you're programmers, check out our GitHub. We got plenty of issues that could use addressing. Um, so device porting, like I said, we often need to do bespoke, uh, attacks on new devices to port Rayhunter to them. >> Sorry for >> yeah, uh, we are limited in the sense that we do rely on the Qualcomm DIAG protocol. So it needs to be a Qualcomm device. Um, GUI installer support, again, fantastic if no one ever has to look at a terminal, um, and the other things I've already mentioned. Yeah, having an app

would be a huge, uh, usability improvement, because connecting to this device and then going to, like, you know, 192.168.1.1 on your browser. It's terrible. Um, it's really bad UX. So, having an app, uh, would both be a UX improvement and also allow us to associate GPS coordinates with, uh, the recording, which would greatly assist in figuring out, like, the sort of forensics of what happened in this trace, and also allow us to do, for example, fox hunting. We could figure out where the fake cell tower may have been. Um, and yeah, uh, more data, more better. Uh, keyboard war driving. Um, one thing I forgot to mention because I got too nervous was,

uh, QMDL files are kind of upstream of any Rayhunter analysis. They're, like, verbatim what the Qualcomm chip is reporting to Rayhunter. So if you provide that, even if our, you know, uh, heuristics are buggy at the time of recording, we can rerun the QMDL through future versions of Rayhunter as if the recording was happening now. So having that data alone, even if you're using an old version of Rayhunter, super useful for us. Um, so yeah, uh, we would love for, uh, more volunteers to help the project out, either by getting a device and sending us recordings or, um >> okay, uh, helping us with, uh, the software side of things. Also, if you know any,

like, telephony experts, we are not that. So, uh, we would love to talk to people who know more about and 5G, um, to help us sort of test our assumptions, um, and look at our heuristics. Um, and if you want to, if you feel willing to get a bunch of these devices and flash them all to distribute to your networks, that would also be great, especially if you joined our Mattermost and let us know about it. Um, hit us up on Signal. Um, and with that, I'll leave you with the most important message from Cooper. >> Um, actually, before I go into this message, um, I'll just say that if you are interested in getting one of

these devices while you're here, uh, some don't go to the EFF booth. We don't have them. Uh, somebody up on the third floor, and I've forgotten the name of the table now. Uh, if you're in here, shout it out. >> Script Kitty. >> Script Kitty. Yeah, the Script Kitty table. Um, they have some devices for sale. You can go check one out there. Um, that's all them. We're not involved in any way, but I'm glad they're doing it. Um, so yeah, in conclusion, um, I want to give you some advice from my kid. This is River. He's six years old. He's too cool. Um, so I was telling him about this talk, um, and

you know, explaining. He was like, "What is your talk about?" And I was like, "Well, I'm, uh, giving a talk basically about this, uh, technology that law enforcement uses to spy on people's cell phones, and I'm worried that they, you know, might be doing that at protests and stuff." And he goes, "Oh." And he thinks about it for a minute. He goes, "Dad, why don't you just tell those hackers to turn off their phones?" So, great advice, kid. Honestly, that's So, yeah, turn your phones off. It's, uh, you'll live better. Thank you all for coming out. Uh, we stand on the shoulders of giants here. Matthew Garrett for, uh, originally

showing us the route of Sanguk Bay, and Rudy Wang and Cape for helping us with testing. Um, a lot of other folks, uh, helped us out. Matthew Garrett has a talk tonight at 3:50 in one of the theaters. So go check that out if you want. And we're giving two more EFF talks. One, uh, Ask the EFF tonight, if you want to ask us other questions, or, uh, tomorrow at 1:00 or something. Um, I'm giving a talk about how hackers can fight back against ICE. So, come check that out as well. And thank you all so much for being here. >> So, guys, we do have, uh, two, three minutes left, and we have two questions.

>> Awesome. >> So, we may have time for one. >> Okay. >> The first question is, is there a way to enable bot mode for these devices to automatically report, so you could just throw one in your bag and forget it? >> Oh, yeah. So, um, that is a great question. We do have, uh, these devices can talk to ntfy.sh, which is an open-source mobile notification thing, but only if they have a data plan in the SIM card inserted. Um, so if you have that, you can have it send push notifications to your phone. I don't know what bot mode means exactly, but that is something we have. Uh,

we're working on, like, Wi-Fi client mode, so that if you don't have a data plan you could connect it to your phone, like, tether it to your phone and get notifications that way. Um, we're also, you know, working on, like, a way to be able to automatically upload the data to a server, if that's something you're concerned about. But yeah, these are all, get on the GitHub and help us out, man. We need plenty of help. So that's my answer. Be the change you wish to see. >> Amazing. Thank you. And the second, final question, we still have 2 minutes, is

what kind of usage does a warrant entitle law enforcement to? Does it have to be targeted slash constrained to a specific geoloc? >> I'm not a lawyer. Um, so that one is hard for me to answer. Generally though, we believe that warrants should be very tightly constrained, um, to a specific person and to a specific area to be searched. Like, that is the standard that I think that pretty much all civil libertarians want to see. We don't want to see, and you know, specifically we would be concerned about very broad warrants, right, that say, we want to, even if they were getting a warrant to spy on a protest, that would require a warrant that says we want to

spy on everybody who goes into the broad area of this protest, which I think would be a very bad warrant, and I would be very disappointed with any judge who signed off on that. So yeah, that's what we want to see, but we don't know what the warrants for IMSI catchers look like, because they keep those very secret. Um, so it's hard to say. >> Amazing. Well, let's give these guys another round of applause. >> If you want to ask us any other questions, we'll be out at the EFF booth up on the mezzanine, or, uh, you can come across us in the hallway here until we become a fire hazard, and then we'll have

to move along. But thank you all so much for