Cell-site simulators force phones onto fake cellular towers and harvest call metadata, SMS, and location. They are used legally by U.S. federal and state law enforcement, and illegally by foreign intelligence near hotels, embassies, and conferences. Software detection is unreliable. Faraday isolation is the only physical defense that defeats every variant: modern, legacy, and 5G-capable.
An IMSI catcher (often called a Stingray after the Harris Corporation product line) is a portable cell-site simulator that mimics a legitimate cellular tower. Phones in range are tricked into connecting to it instead of a real tower. Once connected, the operator harvests the phone's IMSI, call metadata, SMS content, and approximate location. Faraday isolation defeats this attack class entirely — inside a quality Faraday bag, the phone has no cellular signal at all, so the simulator has nothing to attach to. The attack cannot complete because the phone is not on any cellular network.
Software detection (apps like SnoopSnitch, AIMSICD) is unreliable against modern equipment. Airplane Mode works at the OS level but depends on the phone's implementation being trustworthy — for high-stakes threat models, that assumption is shaky. Faraday isolation is mathematically guaranteed regardless of OS state, firmware version, or simulator generation.
Cellular protocols (2G, 3G, LTE, 5G) all begin with a tower-authentication exchange. The phone tells nearby towers its IMSI; the tower with the strongest signal wins; the phone connects to that tower. The protocol does not require the phone to verify the tower is genuine — only the tower verifies the phone. This asymmetric trust model dates from the 1980s when the threat of fake towers was theoretical and protocol designers prioritized simplicity.
The simulator broadcasts a stronger signal than nearby legitimate towers in a target area (a hotel lobby, a financial-conference venue, a courthouse, a foreign embassy area). Phones in range automatically connect to the simulator instead of legitimate towers. The simulator captures every IMSI as the phones attempt to register. For a passive operator, this alone identifies who is in the area and at what time.
Once connected, the simulator can force the phone to downgrade from LTE or 5G to 2G — which has weaker authentication and was deprecated in most U.S. networks but remains supported on phones for legacy compatibility. On 2G, the operator can intercept SMS in plaintext, capture call metadata, and in some configurations relay the phone to a legitimate network while sitting in the middle (man-in-the-middle).
Multiple simulators in coordinated deployment can triangulate a target's location to within meters. Some operations use mobile simulators (vehicle-mounted) to track a phone's movement through a city. Others use fixed deployments at chokepoints (airport terminals, courthouse approaches) to identify who passes through.
5G includes encrypted IMSI exchange that defeats simple legacy simulators. But NR-mode Stingrays (5G-capable) have been available since 2022 and bypass the new protections. Additionally, the simulator can force a 5G phone to downgrade to LTE or 3G, which still leak. The protocol weakness is structural; protocol upgrades raise the bar but do not close the attack class.

| Data Type | Captured? | Effort Required |
|---|---|---|
| IMSI (subscriber identity) | Captured | Trivial · passive collection |
| IMEI (device identity) | Captured | Trivial · passive collection |
| Approximate location | Captured | Trivial · passive collection |
| Call metadata (who/when/duration) | Captured | Active · downgrade or MITM mode |
| SMS content (plaintext on 2G) | Captured | Active · downgrade attack to 2G |
| Voice calls (plaintext on 2G) | Captured | Active · downgrade + relay |
| iMessage / Signal / WhatsApp content | Not captured | Encrypted at app layer · simulator only sees metadata |
| Web traffic content | Not captured | HTTPS encrypted · simulator only sees metadata |
| Email content | Not captured | TLS encrypted · simulator only sees metadata |
| Bank app activity | Not captured | Cert-pinned TLS · simulator only sees connection metadata |

The takeaway: for modern encrypted apps, an IMSI catcher is a metadata harvester, not a content harvester. The metadata still has serious operational value (who you talk to, when, where, for how long) even when the content of the conversation remains encrypted. For pattern-of-life surveillance, financial-investigation correlation, or M&A-leak detection, the metadata is often sufficient.
National-security, financial-investigation, organized-crime beats. Source protection is the entire job. IMSI metadata reveals which sources you contact and when — even if the content stays encrypted.
Material non-public information in transit between client offices. A pre-announcement leak destroys deal value before signing. State-actor and counterparty surveillance documented in multiple deal investigations.
Foreign intelligence operates IMSI catchers near U.S. embassies abroad and near foreign embassies in U.S. cities. Documented State Department guidance for outbound diplomatic travel includes IMSI countermeasures.
Diaspora populations from countries with active intelligence operations against their members in the U.S. Several documented cases involve IMSI catchers operated near community centers and political events.
M&A targets, companies with material non-public information, defense contractors, biotech IP holders. Corporate-espionage operators have access to commercial IMSI equipment from the gray-market resale chain.
The phone has no cellular signal inside the bag. The simulator has nothing to capture. Mathematically guaranteed regardless of OS state, firmware version, or simulator generation. Operationally trivial — drop the phone in the bag, take it out when you need it. The REVIS-1 Privacy Pillar covers this and the broader privacy threat surface in detail.
Airplane Mode disables cellular at the OS level. Powered-off goes further. Both depend on the phone's implementation being trustworthy. For ordinary consumer threat models this is sufficient. For high-stakes scenarios (state-actor, post-compromise device), the assumption that the phone is not lying about its state is shaky. Faraday is the trustworthy answer.
SnoopSnitch (Android) and AIMSICD attempt to detect cellular anomalies that suggest IMSI activity. Modern simulators have countermeasures. Detection is at best probabilistic — useful for situational awareness, not a defense. The operational answer is mitigation by Faraday + Airplane Mode, with detection apps as a complementary signal.
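The kind of anomaly scoring such detection apps attempt, as an added example (not code from SnoopSnitch, AIMSICD, or this page): it flags a serving-cell change that combines the signs described above, namely an unfamiliar cell, a drop onto 2G, and a sudden jump in signal strength. The record fields, cell labels, 20 dB threshold, and sample observations are assumptions constructed for illustration.

```python
from dataclasses import dataclass

RAT_RANK = {"2G": 2, "3G": 3, "LTE": 4, "5G": 5}  # lower rank = older generation

@dataclass
class CellObs:
    t: int         # seconds since the log started
    rat: str       # radio generation of the serving cell
    cell_id: str   # serving-cell identifier (hypothetical labels)
    rssi_dbm: int  # serving-cell signal strength

def score_observations(obs, known_cells, jump_db=20, min_signals=2):
    """Return [(time, [signals])] for observations with several simulator-like signs."""
    alerts, prev = [], None
    for o in obs:
        signals = []
        if o.cell_id not in known_cells:
            signals.append("unknown-cell")
        if prev is not None:
            # Drop from a newer generation straight onto 2G.
            if o.rat == "2G" and RAT_RANK[prev.rat] > RAT_RANK["2G"]:
                signals.append("downgrade-to-2G")
            # New serving cell that is far louder than the previous one.
            if o.cell_id != prev.cell_id and o.rssi_dbm - prev.rssi_dbm >= jump_db:
                signals.append("strong-new-cell")
        # One signal alone is common in normal operation, so require several.
        if len(signals) >= min_signals:
            alerts.append((o.t, signals))
        prev = o
    return alerts

# Constructed sample data, not a real capture.
KNOWN_CELLS = {"cell-A", "cell-B", "cell-C"}
SUSPICIOUS = [
    CellObs(0, "LTE", "cell-A", -95),
    CellObs(30, "LTE", "cell-B", -92),   # ordinary handover between known cells
    CellObs(60, "2G", "cell-X", -55),    # unknown, 2G, 37 dB louder
    CellObs(90, "2G", "cell-X", -54),
    CellObs(120, "LTE", "cell-A", -94),
]
BENIGN = [
    CellObs(0, "LTE", "cell-A", -112),
    CellObs(30, "2G", "cell-C", -101),   # weak-coverage fallback to a known 2G cell
]

if __name__ == "__main__":
    print(score_observations(SUSPICIOUS, KNOWN_CELLS))
    print(score_observations(BENIGN, KNOWN_CELLS))
```

A simulator that shows none of these signs passes unflagged, and lowering `min_signals` to 1 flags the benign fallback as well, which is why such a score is a situational-awareness signal and not a defense.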
Three independently shielded chambers — laptop, tablet+phone, wallet+keys. 76–85 dB attenuation across 30 MHz – 10 GHz, covering 2G, 3G, LTE, 5G sub-6, 5G mmWave, plus WiFi, Bluetooth, GPS, NFC, RFID, and key-fob LF. Made in the United States. Used by journalists, attorneys, diplomats, and corporate-security teams as one layer in a defense-in-depth posture.