From e7ba02173a2c87a9966cdd5dae95ad316b7ba347 Mon Sep 17 00:00:00 2001 From: Cooper Quintin Date: Wed, 18 Jun 2025 09:37:02 -0700 Subject: [PATCH] update heuristic docs --- doc/heuristics.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/doc/heuristics.md b/doc/heuristics.md index a3a2a9f..661bd40 100644 --- a/doc/heuristics.md +++ b/doc/heuristics.md @@ -4,10 +4,19 @@ Rayhunter includes several analyzers to detect potential IMSI catcher activity. ## Available Analyzers -- **IMSI Requested**: Tests whether the ME sends an IMSI Identity Request NAS message +- **IMSI Requested**: Tests whether the eNodeB sends an IMSI Identity Request NAS message. This + can sometimes happen under normal circumstances when the network doesn't already have a TMSI + (Temporary Mobile Subscriber ID or GUTI in 5G terminology) for your device. This most often + happens when you first turn the device on, especially after it has been off for a long time or + if you are in an area where ther is absolutely no connection to your service provider. This can + also happen if you leave your device on while on an airplane and it suddenly connects to a new + tower after being disconnected for a long time. + However, if you get this warning at a time when you have been steadily connected to towers and the device has been on for a while it can be treated as suspcious. - **Connection Release/Redirected Carrier 2G Downgrade**: Tests if a cell releases our connection and redirects us to a 2G cell. This heuristic only - makes sense in the US, European users may want to disable it. + makes sense in the US or other countries where there are no more operating 2G base stations. + Users in contries where 2G is still in service (such as most of EU) may want to disable it. + See https://en.wikipedia.org/wiki/2G#Past_2G_networks for information about your country. - **LTE SIB6/7 Downgrade**: Tests for LTE cells broadcasting a SIB type 6 and 7 which include 2G/3G frequencies with higher priorities - **Null Cipher**: Tests whether the cell suggests using a null cipher (EEA0).