Hi guys,
First of all, thanks for this great project. Much appreciated!
I’ve been walking around a European capital with my rayhunter on a TP-Link M7350 running v0.9.0 for a few weeks. Today I got my first critical alert when out to lunch, but I believe it is most likely a false positive.
The alert (8 of them in a row) was triggered by the LTE SIB 6/7 Downgrade v1 heuristic, and it specifically mentions “LTE cell advertised a 3G cell for priority 0 reselection”. The reasons I suspect this is a false positive:

- The cell network in that specific area has always been pretty bad, so perhaps it would make sense for the network to try to push my device from 4G to 3G since LTE/4G is very weak there?
- AFAIK 3G supports mutual auth, so it is not vulnerable to stingrays. If it were truly an attack, wouldn’t they jam/downgrade my phone to 2G?
Anyway, I thought that sharing real world testing info could be helpful to the project. Happy to provide the pcap files to the team if they think it would be useful.
Cheers, Peter
I believe this is the same discussion as https://github.com/EFForg/rayhunter/issues/784 – I have this heuristic disabled via config for this reason. IIRC parts of the heuristic assume you are in a country without 2G, i.e. the US.
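To make the false-positive mechanism concrete, here is an added example (illustrative code, not rayhunter's own heuristic, whose internals are not shown in this thread) modelling a SIB6/SIB7 downgrade check in the shape described above. SIB6 carries the UTRA (3G) neighbour carriers and SIB7 the GERAN (2G) carriers that an LTE cell offers for reselection, each with a `cellReselectionPriority` from 0 (lowest) to 7. The `check_v1` function flags any legacy carrier advertised at priority 0 regardless of where the monitor is, which reproduces the alert text Peter saw on an ordinary European cell; `check_region_aware` shows one way such a check can take the operator landscape into account. The region profiles, the region-aware variant and the sample SIB content are assumptions constructed for this example, not the project's actual fix or real captured data.

```rust
// Added example: a simplified model of an "LTE SIB6/7 downgrade" heuristic.
// This is illustrative code, not rayhunter's implementation; the real
// heuristic's internals are not shown on the page.

/// Legacy radio access technologies an LTE cell can offer for reselection.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum LegacyRat {
    /// UTRA (3G), advertised in SIB6
    Utra,
    /// GERAN (2G), advertised in SIB7
    Geran,
}

/// One inter-RAT neighbour carrier as an LTE cell advertises it for reselection.
#[derive(Debug, Clone, Copy)]
pub struct NeighborCarrier {
    pub rat: LegacyRat,
    /// Absolute radio-frequency channel number (constructed values below).
    pub arfcn: u32,
    /// cellReselectionPriority: 0 is the lowest priority, 7 the highest.
    pub reselection_priority: u8,
}

/// Which legacy networks operators in the monitor's region still run. The v1
/// check below silently assumes "none", which is the US-like situation.
#[derive(Debug, Clone, Copy)]
pub struct RegionProfile {
    pub has_3g: bool,
    pub has_2g: bool,
}

pub const REGION_NO_LEGACY: RegionProfile = RegionProfile { has_3g: false, has_2g: false };
pub const REGION_WITH_LEGACY: RegionProfile = RegionProfile { has_3g: true, has_2g: true };

fn describe(rat: LegacyRat) -> &'static str {
    match rat {
        LegacyRat::Utra => "3G",
        LegacyRat::Geran => "2G",
    }
}

/// v1-style check: flag any legacy carrier advertised at priority 0, with no
/// regard to where the monitor is running. In a region that still operates
/// 3G/2G this fires on ordinary operator configuration (a false positive).
pub fn check_v1(carriers: &[NeighborCarrier]) -> Option<String> {
    carriers
        .iter()
        .find(|c| c.reselection_priority == 0)
        .map(|c| format!("LTE cell advertised a {} cell for priority 0 reselection", describe(c.rat)))
}

/// Region-aware variant (an assumption of this example, not the project's actual
/// fix): a priority-0 legacy carrier is only reported when no operator in the
/// region runs that RAT at all, so there is no legitimate reason to advertise it.
pub fn check_region_aware(carriers: &[NeighborCarrier], region: RegionProfile) -> Option<String> {
    carriers
        .iter()
        .filter(|c| c.reselection_priority == 0)
        .find(|c| match c.rat {
            LegacyRat::Utra => !region.has_3g,
            LegacyRat::Geran => !region.has_2g,
        })
        .map(|c| {
            let rat = describe(c.rat);
            format!("LTE cell advertised a {rat} cell for priority 0 reselection in a region with no {rat} network")
        })
}

/// Constructed SIB6/SIB7 content resembling what a weak-LTE European cell might
/// broadcast: one 3G carrier and one 2G carrier offered at the lowest priority.
pub fn sample_eu_cell() -> Vec<NeighborCarrier> {
    vec![
        NeighborCarrier { rat: LegacyRat::Utra, arfcn: 10713, reselection_priority: 0 },
        NeighborCarrier { rat: LegacyRat::Geran, arfcn: 62, reselection_priority: 0 },
    ]
}

fn main() {
    let cell = sample_eu_cell();
    println!("v1: {:?}", check_v1(&cell));
    println!("region-aware, legacy networks present: {:?}", check_region_aware(&cell, REGION_WITH_LEGACY));
    println!("region-aware, no legacy networks: {:?}", check_region_aware(&cell, REGION_NO_LEGACY));
}
```

Run as-is, the v1 check produces the alert string from Peter's report for the constructed European cell, while the region-aware variant stays quiet for a region that still has 3G/2G and only reports when the profile says no such network exists. Disabling the heuristic via config, as mentioned above, and making it region-aware are two ways of expressing the same missing piece of context.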
Good question, tbh I don’t know either. @cooperq ?
Peter, can you send me this pcap file to my work Signal: @cooperq.01
Sorry, just saw your reply now. Let me see if I can still find the pcap and I will send it to you.
Thanks
We have fixed the false positive that @untitaker mentions above. This heuristic can be safely enabled in EU again.