Just wanted to advertise that the EFF recently released an open source tool for detecting cell-site simulators. The hardware is like $20 and it's pretty easy to setup yourself. Worth having around to stay aware of what's out there, especially if you live in one of the places recently targeted by the administration.
>At 8:58 a.m., just before the protest began, SAN began monitoring eight LTE bands present in the area and found no anomalous behavior. At 9:06 a.m., however, a burst of 57 IMSI-exposing commands was detected.
>Other bursts, present on four of the LTE frequency bands, appeared roughly every 10 minutes over the next hour, causing Marlin to issue numerous real-time alerts. A post-scan analysis confirmed the detection of 574 IMSI-exposing messages.
>It also flagged two “attach reject” messages, a type of cellular rejection sent when a cell phone tries to connect to a network. Attach rejects can occur for valid reasons, such as when a phone with an expired SIM card tries to connect to a network but such messages are rare on properly configured networks. IMSI catchers may use attach reject messages to block or downgrade connections and obtain an IMSI before it is encrypted. SAN observed the two suspicious messages at 9:55 a.m. and 10:04 a.m. at the height of the protest but did not encounter others before or after the demonstration ended.
>SAN conducted a follow-up scan during the same time period, the following day, when no protesters were present. Unlike the day prior, Marlin did not issue real-time alerts.
It would be amazing if an authoritarian government like that in Venezuela could just "facilitate" (such a funny word these days) getting a single convicted murderer into the US and then turn the US into the same kind of authoritarian government.
Whoops, I hope no other country in conflict with the US gets this idea, that pool has expanded significantly lately!
I recall reading about the people who slammed planes into the World Trade Center towers. They were not hell bent on destroying buildings, they were hell bent on destroying society of the US, destroying buildings was just a stepping stone. And, sure seems like they succeeded.
Am I wrong for suspecting that the policy that colors the current Administration’s tyranny has its roots in those prior (Bush II, Obama)? Were we not warned of the possible consequences when less sensational or consenting news broke back then?
> ICE used such a cell-site simulator in an attempt to track down an individual in Orem, Utah. The suspect had been ordered to leave the U.S. in 2023, but is believed to still be in the country. Investigators learned last month that before going to Utah, he’d escaped prison in Venezuela where he was serving a sentence for murder, according to the warrant. He’s also suspected of being linked to gang activity in the country, investigators said.
Sounds like a real cool guy.
Wiretaps have always been a tool in law enforcement's hands, and if it's subject to a warrant, which the article goes on to say it was, I am completely fine with this. If the ability to tap phone conversations 75 years ago didn't cause us to descend into fascism, I don't automatically think this is scary.
Really wish Apple would allow us to lock our phones to 5g standalone so we can choose to make fake cell towers a thing of the past.
Update: I quickly searched this to see if it was available on the latest version of iOS and you can mostly use it on T-mobile USA with ios 17+. As they have enable support for 5g SA nationwide. if your SIM card has enabled 5G SA provisioning and if you set the iPhone to 5G On, it will not fall back in any area that has good T-mobile reception meaning they would have to turn off T-mobiles towers or you to be in a deadspot for the IMSI catcher to work. If you enter field test mode you can confirm that you are provisioned for NR SA in area that T-mobile has it’s own good towers with good reception. If it shows up you are provisioned. If not you can call t-mobile and ask that they provision it but many newer sims are provisioned with 5g SA by default and you can use 5G On setting instead of auto to only be vulnerable to downgrade attacks in weak signal areas and deadzones. I’m not an expert on this so if I’m wrong please comment.
How would one go about detecting the IMSI commands? Would an advanced radio receiver be able to see these? I know pretty much nothing about SIGINT but been contemplating spending some time learning about it.
The article describes a search conducted with a warrant. Given the brazen criminality ICE agents are acting with, I’d like to see evidence of malpractice before risking diluting the message.
Every bus stop and billboard with a CBS logo on it is doing the same thing and has been for a long time. They map your movements by presenting as a cell tower and record the IMEIs of passers by. Forbes won't write a story about that though.
"In a recently-unsealed search warrant reviewed by Forbes, ICE used such a cell-site simulator in an attempt to track down an individual in Orem, Utah. The suspect had been ordered to leave the U.S. in 2023, but is believed to still be in the country. Investigators learned last month that before going to Utah, he’d escaped prison in Venezuela where he was serving a sentence for murder, according to the warrant. He’s also suspected of being linked to gang activity in the country, investigators said."
Could folks share more accessible methods for developing counter-Stingray type activities described in this paper, or rather, which ones they themselves have used with varying degrees of success?
The Forbes article says ICE acquired mobile cellular surveillance equipment and services under the Biden administration, and there have been IMSI catchers detected at demonstrations for a long time, for example at the Dakota Access Pipeline demonstrations in November, 2016[1]. It's not a new thing.
What is the baseline spying by ALL agencies? For non experts this would be useful to know. Just heard something suggesting most comms are fully infiltrated anyway for certain foreign actors but have no idea how to validate those claims myself.
ICE is using fake cell towers to spy on people's phones
(forbes.com)665 points by coloneltcb 9 September 2025 | 255 comments
Comments
https://github.com/EFForg/rayhunter/
>At 8:58 a.m., just before the protest began, SAN began monitoring eight LTE bands present in the area and found no anomalous behavior. At 9:06 a.m., however, a burst of 57 IMSI-exposing commands was detected.
>Other bursts, present on four of the LTE frequency bands, appeared roughly every 10 minutes over the next hour, causing Marlin to issue numerous real-time alerts. A post-scan analysis confirmed the detection of 574 IMSI-exposing messages.
>It also flagged two “attach reject” messages, a type of cellular rejection sent when a cell phone tries to connect to a network. Attach rejects can occur for valid reasons, such as when a phone with an expired SIM card tries to connect to a network but such messages are rare on properly configured networks. IMSI catchers may use attach reject messages to block or downgrade connections and obtain an IMSI before it is encrypted. SAN observed the two suspicious messages at 9:55 a.m. and 10:04 a.m. at the height of the protest but did not encounter others before or after the demonstration ended.
>SAN conducted a follow-up scan during the same time period, the following day, when no protesters were present. Unlike the day prior, Marlin did not issue real-time alerts.
Whoops, I hope no other country in conflict with the US gets this idea, that pool has expanded significantly lately!
I recall reading about the people who slammed planes into the World Trade Center towers. They were not hell bent on destroying buildings, they were hell bent on destroying society of the US, destroying buildings was just a stepping stone. And, sure seems like they succeeded.
Sounds like a real cool guy.
Wiretaps have always been a tool in law enforcement's hands, and if it's subject to a warrant, which the article goes on to say it was, I am completely fine with this. If the ability to tap phone conversations 75 years ago didn't cause us to descend into fascism, I don't automatically think this is scary.
Update: I quickly searched this to see if it was available on the latest version of iOS and you can mostly use it on T-mobile USA with ios 17+. As they have enable support for 5g SA nationwide. if your SIM card has enabled 5G SA provisioning and if you set the iPhone to 5G On, it will not fall back in any area that has good T-mobile reception meaning they would have to turn off T-mobiles towers or you to be in a deadspot for the IMSI catcher to work. If you enter field test mode you can confirm that you are provisioned for NR SA in area that T-mobile has it’s own good towers with good reception. If it shows up you are provisioned. If not you can call t-mobile and ask that they provision it but many newer sims are provisioned with 5g SA by default and you can use 5G On setting instead of auto to only be vulnerable to downgrade attacks in weak signal areas and deadzones. I’m not an expert on this so if I’m wrong please comment.
slippery slope, I know...
https://www.cise.ufl.edu/~butler/pubs/ndss25-tucker-marlin.p...
Ideally, this is something I could hack together in the next few days since ICE is prepping to invade my city.
[1] https://www.justsecurity.org/34449/investigating-surveillanc...
Only option is stay in airplane mode and use wifi.
If I am understanding correctly, I would need a mobile device?
Would this work using the phone as a hotspot? If so, then I guess my previous comment is moot.