Cell Site Simulators at the DNC: Collaborating with EFF to Improve Detection

02.03.25 - 4 min read


In a recent discovery, EFF identified suspicious activity indicative of a cell site simulator (CSS) possibly being deployed at the 2024 Democratic National Convention (DNC). This breakthrough was made possible by advances in CSS detection developed by EFF with support from us at Cape. By reanalyzing wireless signal data collected during the event, EFF's tool detected irregular control-plane data flow—a telltale sign of a CSS.

A Cell Site Simulator (CSS)—also known as a Stingray or IMSI catcher—is a device that mimics a legitimate cell tower. When deployed, it tricks nearby phones into connecting to it, allowing the operator to collect sensitive information like subscriber and device identifiers (IMSI and IMEI) and location data, or even intercept communications. The ability to detect these devices in high-stakes environments like the DNC is significant, as they can be used for undisclosed surveillance by authorities, foreign governments, or others.

The detection at the DNC was the result of years of dedicated work by EFF. Recognizing the shortcomings of existing detection methods, EFF set out to create Rayhunter, a tool that modernizes CSS detection by focusing on 4G IMSI catchers. Previous solutions primarily targeted outdated 2G networks, leaving a significant gap in detecting today’s threats.

EFF’s Heuristics for Detecting CSS

Rayhunter employs several heuristics—or behavioral patterns—to identify fake cell towers. These include:

    • 2G Downgrade Detection: Identifying instances where devices are forced to switch from 4G to 2G, a common tactic for intercepting and injecting data.
    • Null Cipher Use: Detecting when a base station disables encryption, exposing communications to interception.
    • IMSI Attach (IMSI is requested or exposed): Flagging situations where a tower requests IMSI numbers unnecessarily or in suspicious contexts.

The IMSI attach heuristic, in particular, showed great promise but required significant testing and refinement to ensure reliability and minimize false positives.

Refining the Heuristics

We at Cape were fortunate to work with EFF to refine the IMSI attach heuristic. Using our simulated attack environment and data collection under Cape’s operational network, we conducted extensive tests to help validate and improve its accuracy. Our team simulated two types of CSS attacks:

    1. IMSI Attach Triggering: We tested scenarios where a malicious base station convinced a device that it lacked a valid temporary identifier or status, prompting the device to send its permanent IMSI.
    2. Identity Requests: In these simulations, a base station explicitly requested the IMSI via identity requests, a tactic known as the "wallet inspector attack."

These tests provided practical insights. For example, in one simulation, a malicious base station successfully sent an identity request regardless of the phone’s status, followed by a reject message—a pattern consistent with CSS behavior. In addition, we utilized Cape service-enabled Rayhunters to collect real-world signaling data and help reduce false-positive cases. This controlled environment, combined with the real-world data we collected, allowed EFF to refine the heuristic and ensure its reliability in real-world scenarios.

Revisiting the DNC Data: Detecting CSS's IMSI-Catching Activity

Armed with the refined heuristics, EFF revisited the signal data collected during the DNC. While the initial analysis revealed no clear evidence of CSS activity, the new heuristic flagged a troubling sequence:

    • Devices carried by WIRED reporters switched abruptly to a new tower near a hotel housing Democratic delegates.
    • This tower requested IMSI numbers from the devices and immediately disconnected—behavior highly indicative of a CSS.

Although not definitive proof, this pattern is unusual and suggests the presence of a CSS at the DNC, underscoring the importance of these advancements in detection.
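As an added illustration (this is not Rayhunter's code), the following Python sketch applies the three heuristics described above, including the IMSI-request-then-reject sequence flagged in the DNC data, to a constructed control-plane event log; the log format, cell names and the two-second reject window are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample capture, one event per line: "<time> <cell> <message> [key=value ...]".
# cellA behaves legitimately (IMSI asked once, then attach accepted); cellB asks for the
# IMSI and immediately rejects, then redirects to 2G; cellC switches ciphering off.
SAMPLE_LOG = """\
12.0 cellA rrc_connection_setup
12.1 cellA identity_request id_type=IMSI
12.3 cellA attach_accept
40.0 cellB rrc_connection_setup
40.1 cellB identity_request id_type=IMSI
40.2 cellB attach_reject cause=15
41.0 cellB rrc_connection_release redirect=GERAN
41.5 cellC security_mode_command cipher=EEA0
"""

@dataclass
class Event:
    t: float
    cell: str
    msg: str
    attrs: dict

def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        attrs = dict(p.split("=", 1) for p in parts[3:])
        events.append(Event(float(parts[0]), parts[1], parts[2], attrs))
    return events

REJECT_WINDOW_S = 2.0  # assumed: a reject this soon after an IMSI request is suspicious

def analyze(events: list[Event]) -> list[tuple[str, str]]:
    """Return (heuristic, cell) findings in the order they are triggered."""
    findings = []
    pending_imsi = {}  # cell -> time of the last IMSI identity request
    for e in events:
        if e.msg == "identity_request" and e.attrs.get("id_type") == "IMSI":
            pending_imsi[e.cell] = e.t
        elif e.msg == "attach_reject":
            t0 = pending_imsi.pop(e.cell, None)
            if t0 is not None and e.t - t0 <= REJECT_WINDOW_S:
                findings.append(("imsi_request_then_reject", e.cell))
        elif e.msg == "attach_accept":
            pending_imsi.pop(e.cell, None)  # legitimate first attach: not flagged
        elif e.msg == "rrc_connection_release" and e.attrs.get("redirect") == "GERAN":
            findings.append(("2g_downgrade", e.cell))  # forced 4G -> 2G redirect
        elif e.msg == "security_mode_command" and e.attrs.get("cipher") == "EEA0":
            findings.append(("null_cipher", e.cell))  # encryption disabled
    return findings
```

Run `analyze(parse_log(SAMPLE_LOG))` to see cellA pass while cellB and cellC are flagged; real captures would need the window and message names tuned against data like the Cape signaling collection described above.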

At Cape, we’re proud to have supported EFF in this important work. By contributing our expertise and resources, we’ve helped advance the fight against hidden surveillance. These efforts are vital not just for protecting privacy but for ensuring the security of sensitive civic events and activities.

This blog post was authored by Sangwook Bae, Security Researcher at Cape.
