digital-securitysurveillancecommunity-defensetactics

Stingray Devices: What They Are, How They Work, and What You Can Do

Tactical Snowflakes

Your phone is constantly looking for the strongest cell tower signal it can find. That's how cellular networks work. Your device connects, identifies itself, and starts passing data.

A Stingray exploits that process. It pretends to be a cell tower. Your phone connects to it. And now whoever is operating that device knows exactly where you are, what device you're carrying, and which SIM card is in it.

This is not theoretical. These devices are in active use by law enforcement agencies across the country.

What Is a Stingray?

A Stingray is a cell-site simulator, also called an IMSI catcher. It's a piece of hardware that broadcasts a cellular signal mimicking a legitimate tower. When your phone connects, the device captures two critical identifiers: your IMSI (the unique number tied to your SIM card) and your IMEI (the unique number tied to your physical handset).

With those two numbers, someone can track a specific person across devices. Swap your SIM card, they still have your IMEI. Swap your phone, they still have your IMSI. Use a burner, they can correlate your location pattern to your real identity.

The name "Stingray" comes from a product line made by L3Harris Technologies. It became the generic term the way "Xerox" did for copiers.

How Do They Actually Work?

There are two types: passive and active.

Passive IMSI catchers work like a radio scanner. They pull cellular transmissions out of the air without broadcasting anything themselves. They're nearly impossible to detect because they don't interfere with the radio environment at all.

Active cell-site simulators are what most law enforcement agencies use. These transmit their own signal, and they're more capable. An active Stingray can force your phone to increase its transmission power, turning it into a more precise tracking beacon. It can also downgrade your connection from 4G or 5G down to 2G, which has no encryption. Once you're on 2G, your calls and texts can be intercepted in plain text.

That downgrade attack is a textbook man-in-the-middle technique. Your phone thinks it's talking to a tower. The tower thinks it's talking to your phone. The Stingray sits between them, reading everything.

Who Uses Them and How Much Do They Cost?

The global market for cell-site simulators hit roughly $199 million in 2024. It's projected to approach $485 million by 2033. That's a lot of fake cell towers.

L3Harris makes the most well-known models. The Stingray II and Hailstorm units are typically vehicle-mounted or installed in aircraft. They can capture data from thousands of phones simultaneously. For foot operations, the KingFish and ArrowHead are compact enough to fit in a vest or briefcase.

Federal agencies spent heavily to build this capability. Between 2010 and 2014, the Department of Justice alone spent over $71 million on cell-site simulation technology. The Department of Homeland Security added another $24 million and also helps state and local agencies purchase the equipment through federal grant programs.

That last part matters. This isn't just FBI and DEA. Mid-sized municipal police departments have access to this hardware, funded by federal grants.

What Does the Law Say?

The legal situation is messy.

Historically, law enforcement used pen register orders to deploy Stingrays. Those require a much lower standard than a warrant. You only need to show the information is "relevant" to an investigation, not that you have probable cause.

The 2018 Supreme Court ruling in Carpenter v. United States changed part of that picture. The Court held that people have a reasonable expectation of privacy in their physical movements as captured through cell-site location data. Real-time tracking via Stingrays is arguably more intrusive than the historical records addressed in that case. Simulators can pinpoint location to within several feet, including inside private homes.

In 2015, the DOJ and DHS established policies requiring federal agents to get a warrant before deploying a Stingray. But exceptions exist for "exigent circumstances," and state-level rules vary wildly. California, Illinois, Washington, and Utah require warrants. Many other states have minimal oversight.

There's a secrecy problem too. The FBI requires local police departments that use Stingrays to sign non-disclosure agreements. Those NDAs are so restrictive that prosecutors have dismissed criminal cases rather than reveal the technology's existence to a judge. In one New York case, a federal judge suppressed evidence obtained through a Stingray because the DEA never got a specific warrant. In Florida, a detective admitted to walking around an apartment complex with a handheld unit to identify which door a suspect was behind.

Why Should Communities Like Ours Care?

Stingrays are dragnet tools. They don't just capture data from the target. They capture data from every phone within range. If you happen to be near an operation, your identifiers get swept up too.

Operating a Stingray can also disrupt local cellular networks. By forcing phones to disconnect from legitimate towers, the device can block 911 calls within a 500-meter radius. It also forces phones to transmit at maximum power, draining batteries faster. That means people in the area may lose the ability to call for help.

The deployment pattern is not random. In Baltimore, Stingray use was concentrated in neighborhoods with high minority populations. When these devices are used at protests or political rallies, they create a surveillance record of who attended. That has a chilling effect on First Amendment activity.

LGBTQ+ organizations, civil rights groups, immigrant communities, political minorities. These are the communities that have always been surveilled first. That's not speculation. It's the documented pattern across decades of domestic surveillance programs.

Can You Detect a Stingray?

Sort of. There are detection methods, but none are perfect.

Stingray detectors look for specific signal anomalies. The main red flags include a sudden downgrade from 4G/5G to 2G, a tower broadcasting a Cell ID that doesn't match the surrounding network, a tower that doesn't provide a list of neighboring cells (which legitimate towers do for handover purposes), and unusual requests for your IMSI during the initial connection phase.

A few Android apps have tried to tackle this. SnoopSnitch analyzes radio data but requires root access on specific hardware and produces frequent false positives. AIMSICD offers a map-based network overview but struggles against modern simulators. Both require rooting your phone, which most people aren't going to do. And because phone apps can't access the baseband processor where the real protocol manipulation happens, they miss sophisticated devices.

Enterprise systems like ESD Overwatch use dedicated radio sensors independent of any handset and are more reliable. They're also priced for corporate and government clients, not individuals.

What About Rayhunter?

This one is worth its own section.

In March 2025, the Electronic Frontier Foundation released Rayhunter, an open-source tool for detecting cell-site simulators. Unlike the Android apps mentioned above, Rayhunter runs on a dedicated piece of hardware: the Orbic RC400L, a small mobile hotspot you can buy for around $50 to $80 on Amazon or eBay. You can also buy pre-flashed units ready to go for around $100 to $150 from sellers on Tindie.

Rayhunter works by intercepting and analyzing the control traffic between the hotspot and nearby cell towers. It doesn't capture your web traffic or personal data. It watches for the specific protocol-level behaviors that Stingrays use: forced downgrades to 2G, suspicious IMSI requests, rogue tower broadcasts.

A status line on the device stays green when everything looks normal. If something suspicious happens, it turns red. You can connect to the hotspot over Wi-Fi and pull up a web dashboard for more detail. Logs export in PCAP format if you want to dig deeper or hand them to someone who can.

Setup takes about 10 to 20 minutes. You download the release from GitHub, connect the device to a computer, and run an install script. Mac and Linux are supported. If that sounds like too much, the pre-flashed units skip all of that. Insert a SIM card, turn it on, and it's working.

Rayhunter is not perfect. It can't stop an attack, only detect signs of one. It requires a SIM card to function. And like any detection tool, it may not catch every technique a well-funded operator could deploy. But it runs on 4G networks, which is where most current Stingray operations happen. The project is actively maintained on GitHub, and the community has already added support for devices beyond the original Orbic. Unlike rooting your phone to run SnoopSnitch, carrying a separate hotspot doesn't require modifying your primary device.

For around $100 and 20 minutes of setup, there isn't a lower barrier to entry for Stingray detection right now. The EFF is also using data collected by Rayhunter users to map where cell-site simulators are being deployed. So running one doesn't just tell you what's happening around you. It adds to a public record of who is being surveilled and where.

Does 5G Fix This?

Partially.

5G introduced encryption for subscriber identifiers. Your permanent identity is supposed to stay hidden behind encrypted protocols. That's a real improvement over older networks.

But researchers have found pre-authentication vulnerabilities that still allow tracking. A 2025 study identified 53 specific messages across 2G through 5G networks that can force a phone to reveal its identity before a secure connection is established. Downgrade attacks also remain effective. A Stingray can jam 5G frequencies and force your phone to fall back to LTE or 2G, where the old vulnerabilities still apply.

5G makes interception harder. It does not make tracking impossible.

What Can You Actually Do?

Signal and other encrypted messaging apps protect the content of your communications. If a Stingray intercepts your connection, it can't read Signal messages. But Signal does not hide your location or the fact that your phone is present. Your IMSI and IMEI are exposed before any app-layer encryption matters.

If you are attending an event where surveillance is a concern, a Faraday bag is the only reliable hardware countermeasure. It blocks all radio signals to and from your device. Your phone can't connect to anything, real or fake. The tradeoff is obvious: while it's in the bag, your phone is a brick.

Airplane mode is not equivalent. Some devices continue to communicate at the baseband level even with airplane mode enabled.

Awareness matters more than any single tool. Your phone broadcasts identifying information constantly. Being near a Stingray operation means your data gets collected whether you're the target or not. And metadata, where you were, when, which device you carried, tells a story even when content stays encrypted.

The same communities that benefit from knowing how to protect themselves physically benefit from understanding how they can be located, identified, and tracked before anything physical happens. That's what this is about.

Related Reading

The Pentagon Wants AI with No Limits. Your Community Should Care.
The DoD is pressuring Anthropic to drop its ban on mass surveillance. The communities most likely targeted first are the ones who need self-defense most.
Faraday bags: what they are, how they work, and when you need one
Your phone broadcasts your location even when it's off. Faraday bags are the fix. Here's what they do, why software isn't enough, and how to pick one.

Get More Like This

Weekly guides, gear reviews, and community updates. No spam.

Subscribe