Recording PCAPs from Stingrays With a $20 Hotspot

Presented at DEF CON 33 (2025), Aug. 8, 2025, 1:30 p.m. (45 minutes).

What if you could use Wireshark on the connection between your cellphone and the tower it's connected to? In this talk we present Rayhunter, a cell site simulator detector built on top of a cheap cellular hotspot. It works by collecting and analyzing real-time control plane traffic between a cellular modem and the base station it's connected to. We will outline the hardware and the software developed to get low level information from the Qualcomm DIAG protocol, as well as go on a deep dive into the methods we think are used by modern cell-site simulators. We’ll present independently validated results from tests of our device in a simulated attack environment and real world scenarios. Finally, we will discuss how we hope to put this device into the hands of journalists, researchers, and human rights defenders around the world to answer the question: how often are we being spied on by cell site simulators?

References:

- [link](https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks)
- [link](https://github.com/srsLTE/srsLTE)
- [link](https://arxiv.org/pdf/1710.08932.pdf)
- [link](https://www.usenix.org/system/files/conference/woot17/woot17-paper-park.pdf)
- [link](https://seaglass-web.s3.amazonaws.com/SeaGlass___PETS_2017.pdf)
- [link](https://www.sba-research.org/wp-content/uploads/publications/DabrowskiEtAl-IMSI-Catcher-Catcher-ACSAC2014.pdf)

Presenters:

  • Cooper "CyberTiger" Quintin - Senior Staff Technologist at EFF
    Cooper Quintin is a senior public interest technologist with the EFF Threat Lab. He has given talks about security research at prestigious security conferences including Black Hat, DEFCON, Shmoocon, and ReCon about issues ranging from IMSI Catcher detection to Femtech privacy issues to newly discovered APTs. He has two children and is very tired. Cooper has many years of security research experience on tools of surveillance used by government agencies.
  • oopsbagel
    oopsbagel is not a bagel but may be eating one while you read this. oops loves contributing to open source software, running wireshark, reversing, hardware hacking, breaking Kubernetes, and floaking.
