TLDR: Detecting Stingrays is pretty trivial; they are active in a lot of places.
I use a software defined radio, mostly to have a cool map using ADS-B… but it also can receive in the GHz frequency bands and capture the unencrypted header information for cellular data.
That information is largely useless because modern cellular communications don’t expose anything private. However, most cellphones will automatically attempt to use a downgraded connection (5G -> 4G) if they lose connection with the tower.
Stingrays/IMSI catchers/Cell Site Simulators take advantage of this by forcing phones in an area to downgrade their connections to older and less secure frequencies and then exploiting that downgrade to get information about the phones in the area.
You can detect these downgrade attacks by listening to the traffic and analyzing the packet captures.
I noticed that my cellphone was losing connection to the tower and I was trying to see if maybe the tower was rebooting or something odd.
I tuned into the frequency bands and saw that it was still transmitting a strong signal while my phone showed no connection. If I restarted the connection it would connect to the tower, but if not it would lose the connection for 15-20 mins. It always happened towards midnight but, oddly, not always at the same time.
That made me curious so I found the software to packet capture the cellular data and detect downgrade attacks. Sure enough, I’d get a downgrade attack detection and my phone would drop connection.
After a bit more research I discovered that the connection dropping was a feature, not a bug. GrapheneOS can prevent your cellular modem from downgrading in order to mitigate these kinds of attacks.
And, also, that you don’t have to buy expensive software defined radios and do all of the annoying packet capture and analysis to detect these things. You can do it with cheap ($20) hardware and free software from the EFF: https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-open-source-tool-eff-detect-cellular-spying
I turn off legacy connections. Worst case, I get DoS’d.