Mobile Surveillance

IMSI Catchers and Stingray Surveillance: What Your Phone Leaks to Fake Cell Towers

May 11, 2026 · 9 min read · Haven Team

Your phone constantly searches for the strongest nearby cell tower, and it connects automatically — no authentication required from the tower. Cell site simulators exploit this design to silently impersonate towers, harvesting device identifiers and, in some configurations, intercepting calls and messages. This is not a theoretical attack.


The Harris Corporation's StingRay II became the product that gave a class of surveillance hardware its street name. Originally military technology, cell site simulators entered law enforcement use in the United States in the early 2000s and have since proliferated to hundreds of agencies, municipal police departments included. The EFF and ACLU have documented deployments in at least 75 agencies across 27 states, and that's based on public records requests and leaks alone — the actual number is higher.

How these devices work, and what they can and cannot actually capture given modern cellular protocols, is worth knowing precisely rather than in broad strokes.

How Cell Site Simulators Work

Every mobile phone carries a pair of identifiers: the IMSI (International Mobile Subscriber Identity) stored on your SIM card, and the IMEI (International Mobile Equipment Identity) tied to the hardware. When your phone searches for service, it broadcasts the IMSI to identify itself to towers.

A cell site simulator presents itself as a legitimate tower, broadcasting a stronger signal than the real infrastructure in the area. Phones in range follow standard cellular protocol and attempt to register with it — sending their IMSI in the process. The device then either relays the connection to a real tower (passive collection) or drops the connection entirely.

What an IMSI catcher collects

In passive mode: device identifiers (IMSI, IMEI), presence confirmation, approximate location by signal strength. In active mode on older protocols: unencrypted voice calls and SMS content. On LTE/5G: identifiers only — content interception requires protocol downgrade attacks.

The critical distinction is protocol generation. 2G (GSM) has no tower authentication — phones connect to any tower claiming to be valid, and GSM voice/SMS can be decrypted with known-plaintext attacks. 3G and 4G LTE introduced mutual authentication and stronger encryption. A stingray targeting an LTE phone today can harvest identifiers and location data but cannot trivially decrypt traffic. Some advanced deployments use protocol downgrade attacks — forcing a phone to fall back to 2G to capture content — but modern phones with LTE-only mode or 5G SA enabled resist this.

What "Location" Actually Means Here

IMSI catchers don't produce GPS coordinates — they confirm presence in an area. If a device registers with a mobile stingray, investigators can place it at a specific location at a specific time. In a crowd scenario — a protest, a courthouse, a mosque — every phone in range is logged. The EFF has documented cases where blanket collection at public gatherings was used to identify who attended, not to target individuals already suspected of anything.

This is the dragnet problem. The technology is indiscriminate by design. Targeted interception and mass presence logging use identical hardware.

"The government's use of stingrays is deeply troubling. The devices can sweep up information on huge numbers of innocent people who happen to be in the vicinity of a target." — ACLU, Stingray Tracking Devices: Who's Got Them?

Legal Landscape: Warrants, Exceptions, and Secrecy

In the United States, federal guidance requires agencies to obtain a warrant before using stingrays in most circumstances, following a 2015 Department of Justice policy revision. In practice, compliance is inconsistent. Agencies have historically obtained pen register orders — a much lower legal bar — rather than Fourth Amendment warrants, and have signed nondisclosure agreements with Harris Corporation that prevented them from disclosing the technology even to judges handling related cases.

Several convictions have been challenged or overturned when stingray use was disclosed mid-trial. In 2016, a Baltimore detective admitted under oath that officers had been trained to omit stingray use from reports and to recreate the investigative chain using parallel construction — obtaining the same evidence again through methods that could survive disclosure.

Outside the US, legal frameworks vary widely. In the UK, stingray-equivalent IMSI catchers fall under the Investigatory Powers Act. In Germany, their use requires judicial authorization. Across much of the developing world, regulations are absent entirely, and the technology is sold openly to governments without human rights review.

Protocol-Level Protections in LTE and 5G

Fourth-generation LTE addressed the glaring 2G authentication gap. LTE uses the Evolved Packet System Authentication and Key Agreement (EPS-AKA) protocol, which provides mutual authentication — the phone verifies the tower's credentials, not just the reverse. This closes the basic "connect to anything that calls itself a tower" vulnerability.
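To make the difference between the 2G gap described earlier and EPS-AKA concrete, here is a toy model of both exchanges. It is an added illustration, not code from the article and not the 3GPP Milenage algorithm: HMAC-SHA256 with labels stands in for the f1..f5 functions, the sequence-number logic is reduced to a single counter, and all keys are constructed at random. A tower that does not hold the subscriber key K can still get a 2G phone to answer its challenge, but cannot produce an AUTN that an LTE/5G USIM will accept.

```python
import hashlib
import hmac
import secrets


def prf(key, label, *parts):
    """Keyed PRF standing in for the Milenage f1..f5 functions (assumption)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Usim:
    """The SIM side: holds the long-term key K shared only with the home network."""

    def __init__(self, k):
        self.k = k
        self.last_sqn = 0  # highest sequence number accepted so far

    def gsm_respond(self, rand):
        # 2G: answer whatever challenge arrives; nothing identifies the challenger
        return prf(self.k, b"sres", rand)[:4]

    def aka_respond(self, rand, autn):
        # 4G/5G: verify AUTN before revealing anything
        sqn_xor_ak, mac = autn[:6], autn[6:]
        ak = prf(self.k, b"f5", rand)[:6]          # anonymity key hides SQN on the air
        sqn = xor(sqn_xor_ak, ak)
        expected_mac = prf(self.k, b"f1", rand, sqn)[:8]
        if not hmac.compare_digest(mac, expected_mac):
            return None                            # challenger does not know K
        if int.from_bytes(sqn, "big") <= self.last_sqn:
            return None                            # stale or replayed challenge
        self.last_sqn = int.from_bytes(sqn, "big")
        return prf(self.k, b"f2", rand)[:8]        # RES, sent back to the network


class Network:
    """A tower plus core. A rogue one has no K and can only guess."""

    def __init__(self, k=None):
        self.k = k if k is not None else secrets.token_bytes(16)
        self.sqn = 0

    def aka_challenge(self):
        rand = secrets.token_bytes(16)
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        ak = prf(self.k, b"f5", rand)[:6]
        mac = prf(self.k, b"f1", rand, sqn)[:8]
        autn = xor(sqn, ak) + mac
        xres = prf(self.k, b"f2", rand)[:8]        # what the network expects back
        return rand, autn, xres


def run_scenarios():
    k = secrets.token_bytes(16)                    # constructed subscriber key
    usim = Usim(k)
    home, rogue = Network(k), Network()

    # 2G: the rogue tower's challenge is answered; the phone cannot tell it apart
    gsm_rogue = usim.gsm_respond(secrets.token_bytes(16)) is not None

    # EPS-AKA: genuine challenge verifies, and RES matches the network's XRES
    rand, autn, xres = home.aka_challenge()
    aka_home = usim.aka_respond(rand, autn) == xres

    # EPS-AKA: rogue challenge fails the MAC check before any response is sent
    rand, autn, _ = rogue.aka_challenge()
    aka_rogue = usim.aka_respond(rand, autn) is not None

    # EPS-AKA: a captured genuine challenge cannot be replayed later
    rand, autn, _ = home.aka_challenge()
    usim.aka_respond(rand, autn)
    aka_replay = usim.aka_respond(rand, autn) is not None

    return {"gsm_rogue_accepted": gsm_rogue, "aka_home_accepted": aka_home,
            "aka_rogue_accepted": aka_rogue, "aka_replay_accepted": aka_replay}


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {accepted}")
```

The check that matters is the order of operations in `aka_respond`: the USIM validates the MAC and the sequence number first and only then computes RES, so a fake tower learns nothing keyed under K. Note that this protects the authentication step only; as the article says, identity requests before authentication completes are a separate matter, which is what SUCI addresses in 5G SA.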

5G SA (Standalone Architecture) goes further. It introduces SUPI (Subscription Permanent Identifier) concealment — the permanent identifier is encrypted using the network's public key before transmission, replaced on the air interface with a temporary SUCI (Subscription Concealed Identifier). A passive stingray operating against a 5G SA device cannot harvest a persistent identifier without also possessing the network operator's private key.
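The following toy model shows what SUPI concealment buys against a passive listener. It is an added example, not the article's code and not a 3GPP implementation: the real Profiles A and B use X25519 or P-256 ECIES with AES-CTR and HMAC, while here a small finite-field Diffie-Hellman group (deliberately insecure parameters), a SHA-256 key split and HMAC-in-counter-mode stand in for those pieces. As in the real scheme, only the MSIN part of the identifier is encrypted; the MCC/MNC stay in the clear so the serving network can route the request to the right home network.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group standing in for X25519 / P-256 (NOT secure; illustration only)
P = 2**127 - 1
G = 3


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys(shared, eph_pub):
    """KDF stand-in (assumption): split a SHA-256 of the DH output into enc and mac keys."""
    material = hashlib.sha256(shared.to_bytes(16, "big") + eph_pub.to_bytes(16, "big")).digest()
    return material[:16], material[16:]


def keystream(key, n):
    """HMAC in counter mode as the symmetric cipher stand-in for AES-CTR (assumption)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


class HomeNetwork:
    """Holds the private key; the matching public key is provisioned on USIMs."""

    def __init__(self, mcc, mnc):
        self.mcc, self.mnc = mcc, mnc
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def deconceal(self, suci):
        shared = pow(suci["eph_pub"], self.priv, P)
        enc_key, mac_key = derive_keys(shared, suci["eph_pub"])
        tag = hmac.new(mac_key, suci["ct"], hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, suci["tag"]):
            return None                                   # wrong private key or tampered SUCI
        msin = xor(suci["ct"], keystream(enc_key, len(suci["ct"]))).decode()
        return suci["mcc"] + suci["mnc"] + msin


def conceal(supi, mcc, mnc, home_pub):
    """USIM side: encrypt only the MSIN; MCC/MNC stay in the clear for routing."""
    msin = supi[len(mcc) + len(mnc):].encode()
    r = secrets.randbelow(P - 2) + 1                      # fresh ephemeral key every time
    eph_pub = pow(G, r, P)
    enc_key, mac_key = derive_keys(pow(home_pub, r, P), eph_pub)
    ct = xor(msin, keystream(enc_key, len(msin)))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()[:8]
    return {"mcc": mcc, "mnc": mnc, "scheme": "toy-dh", "eph_pub": eph_pub, "ct": ct, "tag": tag}


def on_air_view(suci):
    """What a passive listener sees: the home network identity and opaque bytes, no MSIN."""
    return (suci["mcc"], suci["mnc"], suci["ct"].hex())


if __name__ == "__main__":
    home = HomeNetwork("001", "01")            # constructed test PLMN
    supi = "001010123456789"                   # constructed test IMSI-format SUPI
    s1, s2 = conceal(supi, "001", "01", home.pub), conceal(supi, "001", "01", home.pub)
    print("on air:", on_air_view(s1), on_air_view(s2))   # differs each registration
    print("home network recovers:", home.deconceal(s1))
    print("another key holder recovers:", HomeNetwork("001", "01").deconceal(s1))
```

Two properties are worth noticing when running it: every registration produces a different SUCI for the same subscriber, because a fresh ephemeral key is drawn each time, so a listener cannot even link two sightings of one phone; and a party holding a different private key gets a MAC failure rather than garbage, so the home network is the only place the SUPI reappears.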

Protocol     Tower auth           IMSI exposed?        Content interception
-----------  -------------------  -------------------  --------------------
2G / GSM     None                 Yes (plaintext)      Feasible
3G / UMTS    Mutual (weak)        Sometimes            Harder
4G / LTE     Mutual (EPS-AKA)     Via downgrade        Requires downgrade
5G NSA       Mutual               Partial (no SUCI)    Requires downgrade
5G SA        Mutual               Concealed (SUCI)     Not feasible

The problem: most carriers have not completed 5G SA rollout. Non-Standalone 5G (NSA) uses a 4G LTE core with 5G radio — it does not implement SUCI. Many phones in areas without SA coverage fall back to LTE. The 2G fallback risk persists as long as legacy networks operate.

Practical Mitigations

You cannot fully opt out of cellular infrastructure while maintaining connectivity. But the mitigations that actually work are worth knowing:

What doesn't help

VPNs do not prevent IMSI collection — the identifier is broadcast before your VPN tunnel is established. Signal does not prevent a stingray from knowing your phone was present at a location. Nothing prevents presence logging except not having a powered-on phone in the area.

Detection: Is It Possible?

Several Android apps have attempted to detect stingray activity by monitoring anomalous cellular behavior: unexpected 2G downgrade, base station parameter changes, unusually strong signals in areas with weak real infrastructure. The EFF's SnoopSnitch (requires root) and AIMSICD were notable early efforts.

The honest assessment is that reliable detection is not currently practical for end users. Modern stingrays are designed to minimize the behavioral artifacts that earlier detection approaches looked for. Commercial vendors like Pwnie Express and ESD America sold professional-grade equipment for counter-surveillance, but these require expertise and hardware most individuals don't have. The cellular protocol improvements in 5G SA remain the most structurally sound defense, and their value depends entirely on network rollout timelines outside individual control.
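To show what the detection apps mentioned above actually evaluate, and why their verdicts are shaky, here is the three heuristics named in the article (unexpected 2G downgrade, a base station the device has never seen, a signal far stronger than the local baseline) run over a constructed observation log. This is an added example, not code from SnoopSnitch, AIMSICD or any other project; the log format, the known-cell list and the thresholds are assumptions.

```python
from statistics import median

# Constructed observation log: (seconds, radio tech, LAC/TAC, cell id, RSSI dBm).
# Real apps read these from the telephony API; the format here is an assumption.
LOG = [
    (0,   "LTE", 4101, 120001, -92),
    (30,  "LTE", 4101, 120001, -90),
    (60,  "LTE", 4101, 120002, -95),
    (90,  "LTE", 4101, 120001, -91),
    (120, "GSM", 4101, 120001, -48),   # sudden 2G fallback, far stronger than before
    (150, "GSM", 9999,    777, -45),   # LAC and cell never seen in this area
    (180, "LTE", 4101, 120001, -93),
]

# Cells this device has previously camped on here (assumption: learned over time)
KNOWN_CELLS = {(4101, 120001), (4101, 120002)}

RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4, "NR": 5}
STRENGTH_MARGIN_DB = 25   # flag readings this far above the running median (assumed threshold)
MIN_HISTORY = 3           # need a few samples before judging signal strength


def analyze(log, known_cells, margin_db=STRENGTH_MARGIN_DB):
    """Return (time, kind, detail) alerts for the three heuristics the article names."""
    alerts = []
    prev_rat = None
    history = []
    for t, rat, lac, cid, rssi in log:
        # 1. the radio technology dropped a generation (e.g. LTE -> GSM)
        if prev_rat is not None and RAT_RANK[rat] < RAT_RANK[prev_rat]:
            alerts.append((t, "downgrade", f"{prev_rat} -> {rat}"))
        # 2. base station parameters do not match anything previously observed here
        if (lac, cid) not in known_cells:
            alerts.append((t, "unknown_cell", f"LAC {lac} cell {cid}"))
        # 3. signal far above the running baseline for this location
        if len(history) >= MIN_HISTORY and rssi > median(history) + margin_db:
            alerts.append((t, "strong_signal", f"{rssi} dBm vs median {median(history):.1f}"))
        history.append(rssi)
        prev_rat = rat
    return alerts


def alert_kinds(log=LOG, known_cells=KNOWN_CELLS):
    """Compact view of analyze(): just (time, kind) pairs."""
    return [(t, kind) for t, kind, _ in analyze(log, known_cells)]


if __name__ == "__main__":
    for t, kind, detail in analyze(LOG, KNOWN_CELLS):
        print(f"t={t:>4}s  {kind:<14} {detail}")
```

Every one of these signals has a benign explanation: carriers add and renumber cells, a rural area may genuinely be 2G-only, and walking past a small cell produces a very strong reading. The heuristics therefore yield suspicion, not proof, which is the gap the article describes between these apps and reliable detection.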

What's within your control is the content layer. A stingray that successfully logs your presence in an area and captures your IMSI learns that you were somewhere. If your communications travel over end-to-end encrypted channels — regardless of cellular generation — the content of those communications remains protected. That's not a small thing.

The metadata problem — who talked to whom, from where, at what time — is legitimately harder. Metadata surveillance is its own threat model, and the tools for addressing it operate at a different layer than encrypted messaging alone.

Your messages shouldn't depend on the network being honest

Haven encrypts at the application layer — independent of what cellular infrastructure does underneath.

Try Haven Free →