Discover how IMSI catchers track your phone, what the risks are, and practical steps to protect your privacy—from cheap dongles to Faraday cages and 5G defenses.
IMSI Catchers: How Everyday Phones Get Tracked and What I Can Do About It
TL;DR
- Phones always send a unique ID (IMSI) that can be sniffed by cheap radio gear.
- Active devices called Stingrays mimic cell towers and force phones to downgrade, exposing all data.
- 5G uses encrypted IDs (SUPI/SUCI), but old 2G/3G traffic is still vulnerable.
- SS7 back-end attacks can hijack 2-factor texts and redirect calls.
- You can block or limit tracking by turning off your phone, using a Faraday cage, or using a service that rotates identifiers.
Published by Brav
Table of Contents
Why this matters
Every time your phone is on, it shares a unique number called the IMSI. This is like a serial number that lets the network know who you are. But that number is visible to anyone who can pick up the radio waves. A cheap $30 dongle can hear it, and law-enforcement devices called Stingrays can make your phone think it’s connecting to a normal tower and then capture all of its data. Governments and bad actors have used this to track protests and hijack two-factor codes. Knowing how it works lets you take simple steps to protect yourself.
Core concepts
| Concept | What it means | How it can be abused |
|---|---|---|
| IMSI | The unique ID tied to your SIM card | Can be captured by any device that listens to cell-tower signals |
| 2G/3G | Older network generations | No encryption; IMSI is sent in clear text |
| 4G LTE | Modern network with stronger encryption | Still vulnerable to forced downgrades |
| 5G | Uses SUPI/SUCI – encrypted IDs per connection | Much harder to read, but old protocols still coexist |
| SS7 | Back-end protocol that routes calls and texts | Can be hijacked to redirect 2-FA SMS |
Passive IMSI Catchers
A passive catcher is a small radio that just listens to the air. It can pick up the IMSI from any phone within range, even if the phone thinks it’s talking to a real tower. The RTL-SDR is a $30 USB dongle that does exactly this. The “Thought Emporium” video shows the process and how you can track a phone’s movements with cheap gear.RTL-SDR — The Thought Emporium Explores IMSI Cell Phone Tracking (2026)
Active IMSI Catchers (Stingrays)
Active catchers mimic a cell tower and force phones to connect to them. Once connected, the device can record calls, texts, GPS data, and even inject malicious code. The USRP B210 can be turned into a Stingray. The CableLabs article explains how the device works and why it’s dangerous.CableLabs — False Base Station or IMSI Catcher: What You Need to Know (2026)
The Cloudwards guide shows how to detect a Stingray and how disabling 2G can stop a downgrade attack.Cloudwards — How to Block Stingray Surveillance (2026)
5G and SS7
5G replaces the IMSI with a Subscription Permanent Identifier (SUPI) that is hidden behind an encrypted Subscription Concealed Identifier (SUCI). That makes it hard for an eavesdropper to see who you are. However, the network still talks to the old SS7 back-end to route SMS. If an attacker gains SS7 access (the price on dark-web forums is $5,000), they can redirect your 2-FA text to a phone they control. The MobileIDWorld article shows how the attack works and the price of the exploit.MobileIDWorld — Critical SS7 Protocol Vulnerability Being Sold for $5,000 (2026)
How to apply it
- Turn your phone off when you’re in a crowd or on a protest. The phone stops broadcasting its IMSI.
- Use a Faraday cage – a metal box that blocks radio waves. The EUREKA article explains how a Faraday cage can stop FM radio, Wi-Fi, and cellular signals. Even a small metal trash can with foil can block 40 kW FM stations.EUREKA — What Is Electromagnetic Shielding? How Faraday Cages Block RF Signals (2026)
- Disable 2G on your phone (go to Settings > Network > Cellular data and toggle off “2G” or “GSM”). Cloudwards shows that disabling 2G stops a Stingray from forcing the downgrade.
- Use a privacy-focused service like Cape that rotates your IMSI every 24 hours and keeps call-detail records for only 60 days. The Cape product-feature article explains how the rotation works and how they limit data retention.Cape — Product Feature: Identifier Rotation (2026)
- Install a detection app such as Ray Hunter, an open-source tool that looks for weird IMSI requests. The EFF article shows how the app flags a potential Stingray.
- Keep your phone’s software up to date – vendors patch vulnerabilities that could be exploited by active catchers.
Pitfalls & edge cases
- Legal grey area – Passive catchers are generally legal, but active Stingrays are illegal in most countries. The US Congress hearing explains the regulatory context.
- 5G “always on” – Even with 5G, your phone will still talk to the old SS7 back-end for SMS, so 2-FA texts are still vulnerable.
- Faraday cage cost – A DIY cage made from an old metal cooler can cost under $50, but high-quality kits are more expensive.
- Device compatibility – Not all phones allow disabling 2G; some may force the connection back to a 2G network.
Quick FAQ
Q1: What is an IMSI catcher?
A1: It’s a device that pretends to be a cell tower and tricks phones into connecting, allowing the device to read data.
Q2: Can I stop a Stingray from tracking me?
A2: Turning your phone off, disabling 2G, or using a Faraday cage can help, but the device can still see your phone if it’s on.
Q3: Is 5G completely safe from IMSI capture?
A3: 5G uses encrypted IDs that are hard to read, but the network still relies on old protocols for SMS, so it’s not bullet-proof.
Q4: How much does a Faraday cage cost?
A4: A DIY cage can be made for under $50; commercial cages range from $200–$1,000.
Q5: Are passive IMSI catchers legal?
A5: Generally yes, but active devices like Stingrays are illegal in many jurisdictions.
Q6: Can my phone’s manufacturer protect me?
A6: Some manufacturers add encryption or randomize identifiers, but most still expose the IMSI on 2G/3G.
Q7: How do I detect a Stingray?
A7: Apps like Ray Hunter scan for anomalous IMSI requests and alert you.
Conclusion
If you’re worried about being tracked, you can take several practical steps: keep your phone off in sensitive places, block the radio with a Faraday cage, disable 2G, use a privacy-focused service that rotates identifiers, and run a detection app. While passive catchers are cheap and legal, the threat from active devices and SS7 attacks shows that staying informed and prepared is the best defense.
References
- Palantír — Palantíri (Tolkien) (2026)
- CableLabs — False Base Station or IMSI Catcher: What You Need to Know (2026)
- Cloudwards — How to Block Stingray Surveillance (2026)
- RTL-SDR — The Thought Emporium Explores IMSI Cell Phone Tracking (2026)
- Blog4Evers — USRP B210 vs Competitors: Pricing, Features, and Value (2026)
- EFF — Ray Hunter: What We Have Found So Far (2026)
- Cape — What Information Is Your Phone Broadcasting (2026)
- Cape — Product Feature: Identifier Rotation (2026)
- Cape — Don’t Trust Us: Defense-in-Depth at Cape (2026)
- Wireless Device Radiation and Health — Wikipedia (2026)
- TechLTEWorld — 5G Identifiers SUPI and SUCI (2026)
- MobileIDWorld — Critical SS7 Protocol Vulnerability Being Sold for $5,000 (2026)
- Kali Linux — Official Website (2026)
- Congress — 115th Congress Hearing on IMSI Catchers (2018)
- EUREKA — What Is Electromagnetic Shielding? How Faraday Cages Block RF Signals (2026)
