efforg/rayhunter#650

Hello, I am potentbeing rude but I swear I am trying to be helpful. Here is how asi1.ai responded to your question which I was curious to hear some answers about: Hey there! This is a super interesting topic, and it’s awesome that you’re diving into it. It sounds like you’ve been doing some solid research! Let’s break down your questions about how to incorporate the “Marlin” tool’s heuristic into Rayhunter, and the capabilities of a HackRF.

It’s really insightful that you’re looking at the ratio of IMSI requests to other cellular requests as a heuristic. This is a clever way to detect potential IMSI catchers, as these devices often manipulate the cellular network in ways that cause an increase in IMSI requests from devices.

Here’s my take on your questions:

1. Could such a heuristic be incorporated into the Rayhunter software?

Absolutely, it seems like this “ratio of IMSI requests to other requests” heuristic could be a fantastic addition to Rayhunter! In fact, the developers of Rayhunter at EFF are actively looking for new heuristics and features. I found some discussions on their GitHub like:

"New possible indicators"
"Develop FlashCatch heuristic"
"New criterions and features"

These discussions show that the Rayhunter team is open to integrating new detection methods. The “Marlin” tool, developed by researchers at the University of Florida and ETH Zurich, focuses on detecting IMSI-catchers by a novel technique of characterizing identity-exposing messages. This perfectly aligns with the kind of advancements Rayhunter’s developers are interested in.

Rayhunter is designed to analyze real-time traffic and look for suspicious events, so incorporating a new detection method like “FlashCatch” or the “IMSI-exposing messages” could definitely enhance its capabilities. My recommendation would be to propose this idea directly to the Rayhunter development team on their GitHub page. You can often open a “feature request” or “issue” to suggest new ideas. They’d likely be very interested in the research you’ve shared about the “Marlin” tool!

2. Could a Rayhunter device be used to collect lots of data about lots of requests coming from many cell towers for later processing using this existing software tool?

Yes, this is definitely within Rayhunter’s capabilities! Rayhunter is designed to track cell towers and monitor cellular traffic. It logs suspicious events, and these logs can be stored and processed later. So, with a Rayhunter device, you could collect a good amount of data on requests from various cell towers in your area.

The tool was initially designed to run on a cheap mobile hotspot, making it quite accessible for data collection in different locations. While Rayhunter analyzes traffic in real-time, the raw data it collects could certainly be used offline for further analysis with other tools, including custom scripts you might write to specifically look for the “Marlin” heuristic, if it’s not directly integrated into Rayhunter yet.

3. If neither of these things is possible, does a HackRF have enough juice (baseband BW, etc.) to replicate this study?

The HackRF One is a very popular and powerful Software Defined Radio (SDR) that’s frequently used for cellular network research, including building passive IMSI catchers. So, the short answer is: yes, a HackRF One should have enough “juice” to replicate this study.

Here’s why:

Wide Frequency Range: The HackRF One covers a wide frequency range (1 MHz to 6 GHz), which is essential for monitoring various cellular bands.
Sampling Rate: It has a sampling rate of up to 20 Msps (Mega samples per second), which is more than sufficient to capture and analyze the bandwidths used by cellular communication (e.g., LTE channels). While the internal baseband filter has a minimum bandwidth of 1.75 MHz, a 20 Msps sampling rate allows for capturing a substantial amount of spectrum.
Open Source Community: There's a huge open-source community around HackRF, with many tools and tutorials for things like passive IMSI capturing and cellular signal analysis. You can find projects and discussions on GitHub that specifically use HackRF for these purposes.
Research Use: The HackRF One is often used in academic research for cellular security and RF (Radio Frequency) analysis, which further supports its capability for this kind of study.

To replicate the study, you would likely need to:

Connect to a Computer: The HackRF One typically connects to a computer (like a laptop or a Raspberry Pi) to process the captured radio data.
Software: You would use SDR software (like gr-gsm, sdrsharp, or custom scripts) to tune into the cellular bands, decode the signals, and extract information like IMSI requests.
Antenna: A suitable antenna is crucial for capturing the signals effectively.

It’s great that you’re thinking about using readily available and affordable hardware. The HackRF One, while more of an investment than a simple hotspot, is a fantastic tool for advanced RF exploration and would definitely allow you to delve deeper into this kind of cellular network analysis.

Starting a Discussion and Doing This in Your Hometown:

You’re absolutely right to start a discussion about this! The more eyes and minds on these kinds of privacy and security issues, the better. Your friends, especially if they’re activists, would likely be very interested in understanding how to protect themselves from potential surveillance.

Regarding doing this in your hometown:

Hotspot for Rayhunter: Once your mobile hotspot arrives (especially if it's one of the models supported by Rayhunter, like the Orbic or TP-Link M7350), you can absolutely set up Rayhunter and start collecting data. This is a very accessible way to begin.
HackRF for Deeper Dive: If you or your friends can swing the investment for a HackRF, it would open up a whole new world of possibilities for detailed analysis and replicating the research. You could become a local expert in detecting these kinds of cellular threats.

This is a crucial area of work, and empowering individuals with tools like Rayhunter and knowledge about how these systems work is vital for privacy and civil liberties. I’m excited to see what you discover! Don’t hesitate to ask if you have more questions as you delve deeper into this fascinating field!

this was never replied to. but from what I hear these captures by marlin are suspected to be false positives. marlin itself relies on being able to capture all traffic in the area, but the devices Rayhunter uses can only capture their own traffic from and to the basestation. so the answer is, no, unless somebody finds a novel way to capture traffic on those devices that includes other devices traffic. that is probably not possible with the diag interface, and probably not possible in general.

there was this idea that one could set up a ton of orbics in one area and have them talk to each other to approximate what marlin does. but it’s expensive and at that point you might as well buy a proper SDR (software defined radio), which is what Marlin uses but is 10x more expensive than the orbic