An IMSI catcher is a surveillance device that mimics a cell tower to trick nearby phones into connecting to it, allowing the operator to track locations, collect phone identifiers, and in some cases intercept calls and text messages. Law enforcement agencies are the primary users, though the technology is also available to intelligence services and, increasingly, to criminals. The devices go by several names: cell-site simulators, StingRays (after the most well-known brand), or simply “fake base stations.”
How IMSI Catchers Work
Your phone is constantly searching for the strongest cell tower signal. An IMSI catcher exploits this by broadcasting a signal that appears stronger or more attractive than the real towers nearby. When your phone connects, the device captures your IMSI (International Mobile Subscriber Identity), a unique number tied to your SIM card that can be used to identify you. It can also collect your phone’s serial number and pinpoint your location to within six feet.
The devices come in two broad categories. Active IMSI catchers transmit their own signal and force phones to connect. Passive ones don’t transmit anything. Instead, they silently pluck cellular signals out of the air and decode them, similar to how an FM radio picks up broadcasts. Active catchers are more powerful but also more detectable.
One of the more invasive capabilities involves forcing your phone to downgrade from a modern 4G or 5G connection to the older 2G/GSM standard, which has far weaker encryption. Once on 2G, the device can potentially intercept the content of phone calls and text messages, log call metadata (who you called, who called you, and how long each call lasted), and monitor some types of data usage, including websites visited. Marketing materials from manufacturers even describe configurations that can divert calls and texts, edit messages, or spoof a caller’s identity.
What Data They Collect
At a minimum, an IMSI catcher collects the IMSI number and location of every phone that connects to it. This is important to understand: these devices are not surgical. They sweep up data from all phones in the area, not just the target’s. If police are looking for one suspect, every bystander’s phone in range also gets logged.
Beyond identification and location, the data collection can escalate depending on the device’s capabilities and configuration:
- Location tracking: Precise real-time positioning, accurate enough to pinpoint a specific room in a building.
- Call and text metadata: Numbers dialed, numbers received, timestamps, and call duration.
- Content interception: On downgraded 2G connections, the actual content of calls, texts, and some internet traffic.
- Device fingerprinting: Hardware serial numbers and SIM identifiers that can be cross-referenced with carrier records to reveal your identity.
Common Hardware Models
The Harris Corporation, a Florida-based defense contractor, developed the most widely used line of cell-site simulators. The original StingRay is a box-shaped portable device that can be set up anywhere, including inside a moving vehicle. Software upgrades expanded its capabilities: one called FishHawk enables eavesdropping on live conversations, while another called Porpoise adds the ability to surveil both location and text messages simultaneously.
The KingFish is a smaller, vehicle-mountable version designed for mobile tracking operations. One police department paid roughly $200,600 for the hardware, software, and training. The Hailstorm is the next-generation upgrade, and switching from a KingFish to a Hailstorm cost one department $388,000. Annual maintenance fees with Harris add thousands more. These price tags help explain why the technology was once limited to federal agencies but has gradually spread to city and state police departments across the country.
Legal Rules Around Their Use
In the United States, the legal framework has tightened over time but remains inconsistent. The NYPD’s published policy, one of the more transparent examples, requires investigators to obtain a search warrant before deploying a cell-site simulator. A judge must find probable cause that a crime has been committed, is being committed, or is about to be committed, and that the simulator will be relevant to the investigation.
There are exceptions. In emergencies, officers can activate the device first and obtain a warrant within 48 hours. No warrant is required when searching for a missing or suicidal person. These carve-outs are fairly standard across departments that have formal policies.
The problem is that many agencies historically avoided the warrant process entirely. Police have obtained lesser court orders, like pen register orders, without explaining that the surveillance involved a cell-site simulator rather than a simple phone number log. Some agencies signed nondisclosure agreements with Harris Corporation, and prosecutors have dropped cases rather than reveal the technology was used. The legal landscape is evolving, but enforcement of warrant requirements varies widely by jurisdiction.
Does 5G Protect You?
5G networks were specifically designed to address the IMSI-catching problem. The 5G authentication protocol uses asymmetric encryption to protect your IMSI, meaning your subscriber identity is encrypted before it leaves your phone. This blocks the classic IMSI-catching technique where a fake tower simply asks your phone to broadcast its identity in plain text.
However, the protection is narrower than it sounds. Research from IEEE found that while 5G successfully prevents the basic IMSI-catcher attack, all other known privacy attacks against the authentication protocol still work. Location tracking, connection manipulation, and other surveillance techniques remain viable even on 5G. And as long as your phone can fall back to older network standards (which nearly all phones can), an attacker can still force a downgrade to 2G and bypass 5G protections entirely.
How to Detect an IMSI Catcher
Detecting these devices is difficult by design, but not impossible. Researchers at the University of Washington built a system called SeaGlass that uses dedicated sensor phones mounted in rideshare vehicles to scan for anomalies across an entire city. Their work identified several telltale signatures that fake base stations tend to exhibit.
A cell-site simulator often looks like a tower that changes location over time, or one that appears briefly and then vanishes. It may broadcast on frequencies that don’t match what’s expected in that area, or advertise a location area identity that belongs to a different region. On a technical level, the fake tower might force your phone to transmit more frequently than normal, use weak encryption, push a 2G connection when your phone supports 4G, or request your full IMSI when a temporary identifier would normally be used.
For individual users, the options are limited. An Android app called SnoopSnitch, developed by Security Research Labs, can flag suspicious base station behavior by analyzing network packets and comparing them against known patterns. It requires a rooted Android phone with a compatible chipset, which puts it out of reach for most people. There is no equivalent tool for iPhones, since iOS does not give apps access to the low-level cellular data needed for detection. A separate system called FBS-Radar, integrated into the Baidu Phone Guard app, works with mobile carriers to flag unauthorized base stations sending spam or fraudulent messages, though its focus is narrower.
For most people, the practical reality is that you won’t know if an IMSI catcher is nearby. The most effective countermeasure is using end-to-end encrypted communication apps for sensitive conversations, since even an intercepted data stream is unreadable without the encryption keys.