The 404 Media Podcast
Episode Title: How to Detect Phone Spying Tech (with Cooper Quintin)
Date: March 2, 2026
Overview
This episode, hosted by 404 Media, features an in-depth interview with Cooper Quintin, senior public interest technologist at the Electronic Frontier Foundation (EFF). The conversation centers on cell site simulators—often dubbed "IMSI catchers" or "Stingrays"—devices used by law enforcement and malicious actors to track, surveil, and sometimes intercept communications from mobile phones. The episode covers the technical workings of these devices, their evolution, legal/regulatory changes, and the development of "Ray Hunter," a new, user-friendly tool to help activists, journalists, and the public detect these spying technologies. The discussion is highly technical yet accessible, busting myths and providing real-world insight into surveillance threats.
Key Discussion Points & Insights
1. What Are IMSI Catchers/Cell Site Simulators?
- Definition and Functionality
- IMSI catchers, Stingrays, and cell site simulators all refer to essentially the same technology—a fake cell tower used to trick phones into connecting, revealing their unique subscriber identity (IMSI).
- "It's usually a fake cell tower that police are able to use to trick your phone into connecting to it instead of the real cell tower... used to find the identity or IMSI of your phone." (Cooper Quintin, 02:13)
- Once connected, the device can collect identifiers, locate devices precisely, and potentially intercept calls or texts.
- Exploiting the Telecommunication Network’s Design
- Cell phones naturally try to connect to the strongest/nearest tower, making them susceptible.
- "Your phone is... always tracking you, right? Because the phone company has to know what towers you're connected to... [for] routing messages... and there's really no way to get around that." (Cooper Quintin, 03:43)
2. Capabilities and Abuse of Cell Site Simulators
- Beyond Tracking: Surveillance Uses
- Used for precise location (even in buildings), potentially man-in-the-middling calls and SMS, and indiscriminate collection of all device IDs in an area—raising civil liberties concerns.
- "You could use it, for example, to identify who is in a particular location... sit outside of a protest... and gather up all of the identities." (Cooper Quintin, 07:44)
- Not just law enforcement: scammers have also used these to send SMS phishing messages.
- "...drive around and they broadcast... text messages. In the France case, it was from the French Health Ministry... just SMS scams." (Cooper Quintin, 09:54)
- Levels of Sophistication
- Law enforcement models are expensive, feature-rich, and come with tech support. Crude versions can be built cheaply by hobbyists or criminals.
- "You can build an IMSI catcher right now with a $20 software defined radio..." (Cooper Quintin, 10:52)
- "The contracts the police are signing for these are close to a million dollars..." (12:13)
3. The 'Stingray' Brand and the Evolution of the Industry
- Historical Context
- “Stingray” is a brand name from Harris Corporation; it became a generic term, much like "Kleenex."
- "It wasn't the first IMSI catcher, but it was the first one that really got a lot of attention and was widely used by local law enforcement." (13:23)
- Expansion and Secret Use
- Initially, these were used without warrants for various investigative purposes. Secrecy was enforced by vendors, sometimes causing cases to be dropped to keep techniques hidden.
- "Harris would encourage police and DAs to drop cases if it seemed like evidence acquired from an IMSI Catcher was going to come up in court..." (20:37)
- Industry Shifts and New Players
- Harris has moved out of selling to local police, with smaller companies and international firms (like Octastic from Israel) now filling the market, including new 5G-compatible devices.
- "...recent purchases that I've seen for IMSI catchers tend to come more from a company called Jacobs... The other one... is Octastic, an Israeli company..." (21:45)
4. Tech Evolution and Ongoing Vulnerabilities in Cellular Networks
- Cat and Mouse with Cellular Standards
- As networks progress from 2G to 3G/4G/5G, security improves but new exploits are discovered. Older, insecure generations must remain available for legacy support, perpetuating risk.
- "Cellular standards are governed by... 3GPP... it's a standard that's designed by committee... is only barely followed... leaves a lot of room for exploits." (27:20)
- Even 5G, despite improvements, is not immune: “5G Titanic” research showed man-in-the-middle attacks are possible.
- "There was a paper this year called 5G Titanic where a researcher demonstrated the ability to man in the middle conversations in 5G. So I think it's curtains for 5G, man." (30:06)
5. Introducing Ray Hunter: A Tool for Detecting Cell Site Simulators
- Origins and Challenges
- Initial efforts, like “Crocodile Hunter,” required expensive equipment and technical skills, limiting adoption by non-experts.
- "The few journalists who did use this, right, like I needed to be there as backup... we kind of scrapped this idea." (34:47)
- Breakthrough: Low-Cost, Usable Solution
- Leveraging rooted Qualcomm-based mobile hotspots and diagnostics protocols, Ray Hunter provides affordable detection (hardware ~$10–20).
- "Ray Hunter... you go buy an older, last generation mobile hotspot, they're like $20, $10 on eBay... Throw it in your pocket and you go about your day." (36:14)
- How It Works
- An LED signals detection. Packet captures enable researchers everywhere to independently analyze suspicious activity.
- "There's a little green line at the top of the screen. That line turns red if it detects something..." (36:14)
- Looks for patterns like 2G downgrades (almost never legitimate in the US) or suspicious requests for your IMSI.
- "A 2G downgrade is very, very unusual for a normal tower... in the U.S... we've shut down our 2G networks..." (37:33–37:41)
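The two patterns named above, as an added detection sketch that is not Ray Hunter's code and does not use its capture format. The event tuples are a constructed, simplified schema, and treating an IMSI request as suspicious only when the connection is dropped before any authentication is an assumption made for this example.

```python
from dataclasses import dataclass

# Constructed, simplified signalling events (not a real capture and not
# Ray Hunter's format). Fields: seconds, layer, message, detail.
SAMPLE_EVENTS = [
    (0.0, "RRC", "ConnectionSetup", "rat=LTE"),
    (0.1, "NAS", "AttachRequest", "id=GUTI"),
    (0.2, "NAS", "IdentityRequest", "type=IMSI"),
    (0.3, "NAS", "IdentityResponse", "type=IMSI"),
    (0.4, "NAS", "AttachReject", "cause=constructed"),
    (0.5, "RRC", "ConnectionRelease", "redirect=GERAN"),
    (9.0, "RRC", "ConnectionSetup", "rat=LTE"),
    (9.1, "NAS", "AttachRequest", "id=GUTI"),
    (9.2, "NAS", "IdentityRequest", "type=IMSI"),
    (9.3, "NAS", "AuthenticationRequest", ""),
    (9.4, "NAS", "SecurityModeCommand", ""),
    (9.5, "NAS", "AttachAccept", ""),
    (60.0, "RRC", "ConnectionRelease", "redirect=none"),
]

@dataclass
class Finding:
    time: float
    rule: str
    reason: str

def analyze(events):
    """Return findings for the two patterns named in the episode."""
    findings = []
    pending_imsi = None  # time of an IMSI request not yet followed by auth
    for t, layer, msg, detail in events:
        if msg == "ConnectionSetup":
            pending_imsi = None  # new connection, reset per-connection state
        elif msg == "IdentityRequest" and detail == "type=IMSI":
            pending_imsi = t
        elif msg == "AuthenticationRequest":
            pending_imsi = None  # network went on to authenticate: normal attach
        elif msg in ("AttachReject", "ConnectionRelease") and pending_imsi is not None:
            findings.append(Finding(pending_imsi, "imsi-no-auth",
                "IMSI requested, then connection dropped without authentication"))
            pending_imsi = None
        if msg == "ConnectionRelease" and detail == "redirect=GERAN":
            findings.append(Finding(t, "2g-downgrade",
                "LTE release redirects the phone to 2G (GERAN)"))
    return findings
```

On the sample, the first connection raises both rules, while the second one, where the IMSI request is followed by authentication and an accepted attach, raises none.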
6. Evidence on Use of IMSI Catchers at Protests and Activism
- Myths vs. Reality
- Evidence so far does not support fears that Stingrays are regularly used to collect protester IDs in the US.
- "As we've had people carrying these around, what we've found is no evidence to support that IMSI catchers are being used at protests in the U.S..." (39:19)
- The main documented uses tend to be targeted (e.g., serving warrants or precise location in investigations).
- Still, the possibility of future use remains, so monitoring must continue.
7. User Experience and Accessibility
- Installation & Use
- Designed to be as easy to use as possible, similar to running modern privacy-focused tools.
- "I have installed this myself...it was incredibly painless... very easy to use..." (43:24)
- The team is working on making the software installable without having to touch a command line.
- "We're working on a graphical installer right now so people no longer have to open the terminal." (45:11)
8. Limitations & Further Hopes for the Project
- Not an App—And Why
- Due to technical/security tradeoffs, Ray Hunter is not an app; rooting phones decreases security and increases risk from law enforcement forensic tools (e.g., Cellebrite).
- "I don't want to be in the business telling people to root their phone... more people should be concerned about mobile forensic tools like Cellebrite..." (45:11)
- Need for Systemic Change
- Real improvements need to come from device manufacturers (Apple, Google, Qualcomm) and telcos integrating detection natively.
- "Your phone should be the one actually protecting you from an IMSI catcher." (52:26)
- Educating Activists & Public
- Accurate threat modeling is important: cell site simulators are not the most imminent surveillance threat to protesters—tools like license plate readers and facial recognition are more widely deployed.
- "I kind of hope that this is already starting to work... we haven't really found this at protest..." (48:21)
Notable Quotes & Memorable Moments
"A cell site simulator is usually a fake cell tower that police are able to use to trick your phone into connecting to it instead of the real cell tower."
— Cooper Quintin (02:13)
"You can build an IMSI catcher right now with a $20 software defined radio."
— Cooper Quintin (10:52)
"Harris would encourage police and DAs to drop cases if it seemed like evidence acquired from an IMSI catcher was going to come up in court..."
— Cooper Quintin (20:37)
"As we've had people carrying these around, what we've found is no evidence to support that IMSI catchers are being used at protests in the U.S."
— Cooper Quintin (39:19)
"I hope you won’t find anything... but also, I hope you will and I hope you'll send it to me."
— Cooper Quintin (48:21)
"Your phone should be the one actually protecting you from an IMSI catcher."
— Cooper Quintin (52:26)
Timestamps for Important Segments
- [02:13] – What is an IMSI catcher?
- [07:44] – Surveillance risks beyond targeted tracking
- [12:13] – Industry cost and what law enforcement buys
- [13:23] – "Stingray" name and industry history
- [21:45] – New market players: Jacobs, Octastic, 5G
- [27:20] – Cellular standards’ vulnerabilities and cat-and-mouse
- [36:14] – How Ray Hunter works
- [39:19] – Evidence (or lack thereof) for protester surveillance
- [45:11] – Why there's no Ray Hunter app; Cellebrite risk
- [48:21] – Project hopes: reduce fear, inform manufacturers
- [52:26] – Advocacy for industry-wide protections
Summary
This episode delivers a rich, technical, yet accessible look inside the world of cell site simulators—from their history and capabilities to myths, legal shifts, and fresh, open-source resistance tools. Cooper Quintin’s work on Ray Hunter sets out not just to empower the public with actionable detection, but to foster a more realistic understanding of digital surveillance threats. Ultimately, the message is that while IMSI catchers are powerful, their routine use against protesters is not supported by current evidence; meanwhile, collective vigilance and pressure on tech industry giants remain essential.
