Recently I’ve been getting these the past few weeks. I don’t see it every day, just a few days out of the week now. No warning from the Orbic device or Rayhunter dashboard. I travel a lot with the device and haven’t got 1 warning from it before, so I’m skeptical if it’s able to send warnings correctly, but it does produce results of activity in pcap.
@untitaker any insight? 🙏
This is a false positive that happens sometimes with non-activated SIM cards; it’s one I see a lot. Specifically, the reason ‘eps and non eps services not allowed’ is the tower saying ‘I can’t provide you service’. The reason you don’t see a warning for it is because we don’t have a heuristic for an IMSI attach request. We used to, but it generated a ton of false positives since this is unfortunately something that happens semi-regularly. We now look for an identity-request(IMSI) from the tower instead.
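The distinction drawn in the reply above, as an added example that is not part of the thread and is not Rayhunter's own code: a classifier over plain (unprotected) LTE NAS EMM messages that warns only on an identity request for the IMSI and treats the attach reject and the IMSI attach request as informational. The names `Verdict` and `classify` are hypothetical, the byte values follow 3GPP TS 24.301, and the sample messages are constructed.

```rust
// Added illustration, not Rayhunter source. Handles plain (unprotected) NAS only.
#[derive(Debug, PartialEq)]
enum Verdict {
    Warn(&'static str), // heuristic fires
    Info(&'static str), // visible in the capture, no warning raised
    Ignore,
}

// 3GPP TS 24.301 values.
const EMM_PLAIN: u8 = 0x07; // security header type 0 + EMM protocol discriminator
const ATTACH_REQUEST: u8 = 0x41;
const ATTACH_REJECT: u8 = 0x44;
const IDENTITY_REQUEST: u8 = 0x55;
const ID_TYPE_IMSI: u8 = 1;
const CAUSE_EPS_AND_NON_EPS_NOT_ALLOWED: u8 = 8;

fn classify(nas: &[u8]) -> Verdict {
    match nas {
        // Tower -> phone: requested identity type is the low 3 bits of octet 3.
        [EMM_PLAIN, IDENTITY_REQUEST, id, ..] if (*id & 0x07) == ID_TYPE_IMSI => {
            Verdict::Warn("identity request (IMSI)")
        }
        // Tower -> phone: octet 3 is the EMM cause.
        [EMM_PLAIN, ATTACH_REJECT, CAUSE_EPS_AND_NON_EPS_NOT_ALLOWED, ..] => {
            Verdict::Info("attach reject: EPS and non-EPS services not allowed")
        }
        // Phone -> tower: octet 4 is the identity length, octet 5 holds its type.
        [EMM_PLAIN, ATTACH_REQUEST, _, _, first, ..] if (*first & 0x07) == ID_TYPE_IMSI => {
            Verdict::Info("attach request carrying IMSI")
        }
        _ => Verdict::Ignore,
    }
}

fn main() {
    // Constructed sample messages (test PLMN 001/01), not taken from any capture.
    let samples: [&[u8]; 5] = [
        &[0x07, 0x55, 0x01], // identity request, IMSI
        &[0x07, 0x55, 0x02], // identity request, IMEI
        &[0x07, 0x44, 0x08], // attach reject, cause #8
        &[0x07, 0x41, 0x71, 0x08, 0x09, 0x10, 0x10, 0x10, 0x32, 0x54, 0x76, 0x98], // IMSI attach
        &[0x07, 0x41, 0x71, 0x0b, 0xf6, 0x00, 0xf1, 0x10], // GUTI attach (truncated)
    ];
    for s in samples {
        println!("{:02x?} -> {:?}", s, classify(s));
    }
}
```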
Hey Cooper,
I really appreciate your help, and thanks for clearing that up for me.
I’ve been running the Rayhunter Orbic device for almost a year now. I travel across the country frequently, and I carry it with me pretty much religiously. About halfway through the year, after spending several weeks in cities that are considered “hot zones” where IMSI catchers are reportedly used heavily and got no warnings, I started to wonder whether my device was functioning properly.
Because of that, I purchased a second Orbic, installed the latest Rayhunter release, and ran it daily for another six months. During that entire period, I didn’t receive any warnings or alerts.
Recently, I decided to use the analyzer/checker to review the combined logs from both devices. I have hundreds of logs, and the analyzer flagged over 60 entries with warnings, including many suspicious cell IDs.
My question is: do you think the analyzer or checker could be producing false positives, or otherwise misinterpreting the data?
Thanks again for your time and insight. I really appreciate it.
On Wed, Feb 4, 2026 at 3:32 PM Cooper Quintin @.***> wrote:
One quick follow-up I realized I forgot to ask in my last email.
Is it possible that the warnings flagged by the analyzer could be the result of passive IMSI detection rather than active IMSI catcher behavior? I’m trying to understand whether passive collection or monitoring could explain the suspicious cell IDs showing up in the logs.
––––– Forwarded message ——— From: Jimmy @.> Date: Wed, Feb 4, 2026 at 6:47 PM Subject: Re: [EFForg/rayhunter] Attach request without any authentication and IMSI revealed and sent over in plaintext. (Discussion #840) To: EFForg/rayhunter < @.>
When you talk about the analyzer, which analyzer are you talking about? Rayhunter-check? If you are getting warnings from that tool you can send the recordings to our EFF Signal account for analysis. ElectronicFrontierFoundation.90