[HN Gopher] Rayhunter - Rust tool to detect cell site simulators...
       ___________________________________________________________________
        
       Rayhunter - Rust tool to detect cell site simulators on an Orbic
       mobile hotspot
        
       Author : stefankuehnel
       Score  : 77 points
       Date   : 2025-03-06 19:04 UTC (3 hours ago)
        
 (HTM) web link (github.com)
 (TXT) w3m dump (github.com)
        
       | ChrisArchitect wrote:
       | Blog post: https://news.ycombinator.com/item?id=43258620
        
       | derac wrote:
       | I can see why they'd write it for a specific cheap device. Is
       | this stuff possible with a typical phone modem, though; or does
       | it rely on some special features? Forgive my ignorance. :)
        
         | bri3d wrote:
         | Possible, yes, it's just looking at various 3GPP network
         | messages and parsing out a few common anomalies. Accessible,
         | not all the time.
         | 
         | This project uses QMDL (Qualcomm debug logging) on a device
         | with an accessible modem debug port and debug logging enabled.
         | Most older Qualcomm devices have this form of debug logging
         | available by default, but on newer devices, the debug interface
         | is usually more locked down, requiring some degree of
         | shenanigans to access.
         | 
         | Take a look at SnoopSnitch (similar project for Qualcomm
         | Android phones), QCSuper and MobileInsight (tools capable of
         | capturing signaling data from QC and Mediatek phones), and SCAT
         | (capable of capturing signaling data from some Samsung
         | basebands).
         | 
         | Other vendors usually have similar debug modes for their
         | modems, but they often aren't reverse engineered or as easy to
         | access as the Qualcomm ones.
        
         | windhaven wrote:
         | In the blog post[0], they mention it being possible with rooted
         | Androids - so likely possible, just requires more access to
         | what the modem's doing than the OS normally provides.
         | 
         | [0]: https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-ope...
        
       | edm0nd wrote:
       | You can buy these off eBay for pretty cheap.
       | 
       | Unlocked RC400Ls are going for ~$19.99
       | 
       | Gunna look into getting one and making one of these to play with.
        
       | aerostable_slug wrote:
       | How would one test this device to know that it works? It would
       | seem actual cell site simulators would be rare in the wild for
       | many HN readers.
        
         | edm0nd wrote:
         | You could bring it to a large festival or even a protest. Law
         | enforcement deploys them all the time. I found one using
         | SnoopSnitch on an Android phone while at a large festival here
         | in Louisiana.
        
       | transpute wrote:
       | iPhone Field Test Mode can be informative,
       | https://www.xda-developers.com/how-access-field-test-mode-io...
       | when combined with open data on cell tower identity,
       | https://opencellid.org
       | Dial *3001#12345#*
       | 
       | It can sometimes be informative to turn off Data Roaming in
       | cellular settings.
       | 
       | (e)SIM password can provide an additional layer of control over
       | when the phone contacts a cellular tower.
        
       ___________________________________________________________________
       (page generated 2025-03-06 23:00 UTC)