Forem: IntSpired®

Satellite Signals Are Easier to Observe Than Many Realise

IntSpired® — Thu, 21 May 2026 17:31:34 +0000

Satellite communications underpin much of the world’s connectivity.

Recent research, including a 2025 academic study, has shown that some GEO satellite links still carry clear-text IP traffic, exposing voice calls, SMS messages and operational data.

These systems support cellular networks, aviation, maritime operations and remote infrastructure across vast regions.

When transmissions are not properly encrypted, sensitive information can become observable to anyone capable of monitoring the RF spectrum.

Satellite Signal Observation

Image 1: SDR monitoring setup used to observe satellite activity in real time.

Image 2: Signal activity captured during a satellite pass, visible in the spectrum waterfall.

Much of this activity sits in a layer many organisations rarely monitor: the RF signals their systems depend on.

As reliance on wireless and satellite-connected systems grows, understanding how signals behave across this space becomes increasingly important for modern security, resilience and intelligence work.

At IntSpired, we analyse signal environments like these to help identify emerging exposure risks before they become operational problems.

Research paper:
https://satcom.sysnet.ucsd.edu/docs/dontlookup_ccs25_fullpaper.pdf

INTSPIRED®
OFFENSIVE BY DESIGN. INTELLIGENT BY NATURE.

IntSpired® | Offensive Cyber & Wireless Security | UK

We test your defences the way adversaries would, under formal authorisation, to uncover what is actually exploitable.

intspired.co.uk

Bluetooth Exposure – Part 3

IntSpired® — Tue, 19 May 2026 05:53:20 +0000

The Silent Signals You Never Realise You’re Broadcasting

Long before digital navigation, reconnaissance teams relied on fieldcraft. Location was confirmed through resection: bearings plotted against known landmarks to determine position with precision.

Today, devices perform those bearings automatically.

Image 1: illustrates the shift from traditional navigation to Wi-Fi probing and finally to BLE mesh networks that quietly map presence and proximity through everyday devices.

Modern phones broadcast continuously. Wi-Fi probes and Bluetooth Low Energy (BLE) signals reveal device presence the moment a device wakes, often long before any connection is made.

BLE takes this further

Major technology ecosystems operate large-scale BLE mesh frameworks embedded into consumer devices. Phones, watches, earbuds, vehicles, trackers, and IoT products emit low-power beacons every few seconds. Nearby devices receive and relay them, extending the mesh.

The result is ambient visibility.

Image 2: shows two BLE detection interfaces side by side. Together, they demonstrate how BLE broadcasts can be observed externally and used to assess presence, proximity, and movement patterns.

No pairing.
No password.
No exploitation.

This is simply how BLE operates.

Over time, broadcast patterns can reveal behavioural rhythm: arrival times, devices that move together, and devices that separate. The exposure is not technical compromise, it is ambient metadata.

The same radio landscape that exposes also protects.

Understanding your own emissions helps identify anomalies, detect unknown trackers, and recognise unusual activity in your environment.

A simple starting point:
• Disable Bluetooth when not required
• Review device privacy settings
• Understand what your devices broadcast by default

In a shared spectrum world, awareness is no longer optional.

If you do not understand your own emissions, someone else eventually will.

@intspired® - Protecting your brand, your business, and your operations.

IntSpired® | Offensive Cyber & Wireless Security | UK

We test your defences the way adversaries would, under formal authorisation, to uncover what is actually exploitable.

intspired.co.uk

Bluetooth Exposure – Part 2

IntSpired® — Thu, 14 May 2026 07:11:07 +0000

Understanding BLE Through Simple Threat Modelling

Most people do not realise how much their devices broadcast. Constantly. Passively. Often in plaintext. BLE may be low power, but from an attacker’s perspective it is highly informative.

Last week we explored why Bluetooth remains an overlooked attack surface. This week we go deeper by applying simple threat modelling to show what an attacker actually sees and where the real exposures sit.

The Everyday BLE Ecosystem

This is the environment most people carry with them every day. A silent network of identifiers, telemetry and behavioural signals leaking into the air around you.

Image 1: BLE Device Ecosystem.

Smartwatch (Peripheral) Continuously advertises identifiers, sensor values, motion events and sync activity. This alone is enough to build behavioural profiles.

Bluetooth Earbuds (Peripheral) Many models broadcast even while inside the charging case. They reveal identifiers, battery levels and reconnection attempts. This exposes presence, movement and proximity.

Smart Lock (Peripheral) Reveals device type, activity timing, connection attempts and lock state patterns.

Smartphone (Central) Acts as the BLE hub. Constant scanning, pairing, reconnecting and exchanging data through OS services and installed apps.
Cloud Services Telemetry, identifiers and behavioural analytics flow upstream from associated apps. Once correlated, this becomes highly identifiable and highly valuable.

Why this ecosystem creates risk
Attackers do not need pairing. They do not need exploits. They only need to listen.

Image 2: shows the full 2.4 gigahertz environment: channel spikes, BLE bursts and hopping patterns, revealing activity density and where signals originate.

Image 3: illustrates live BLE MAC addresses, advertising data, service identifiers and device presence in real time. This allows attackers to map devices, movement patterns, proximity and relationships.

Image 4: password sent from phone, intercepted via BLE UART, captured by Nordic Sniffer, shown in plaintext in Wireshark.

This is BLE without encryption or authentication. And many consumer IoT devices still work exactly like this.

Plaintext BLE write operations may include: • passwords • PIN codes • actuator commands such as unlock or open • configuration values • sensor and status payloads

If it is unencrypted, anyone in range can intercept it.

Key Takeaway

If a BLE device does not enforce encryption and authenticated pairing, everything it transmits is visible and can be captured by anyone in range.

For red teams this is a powerful source of passive intelligence. For attackers it is trivial interception. For defenders it remains a major blind spot.

Next Week in Part 3

Part 1 explored why Bluetooth remains a high-value vector and how attackers use BLE at the reconnaissance stage.

Part 2 showed what an attacker can actually see, including live identifiers and plaintext BLE traffic.

Part 3 will move into the defensive and counter-surveillance side.

We will look at:

• Quick methods to reduce your BLE attack surface

• Surveillance and counter-surveillance considerations

• What attackers silently collect from BLE Radar-type tools • How to detect or disrupt unwanted BLE tracking

• How attackers use signal strength and directional antennas to track BLE devices in the real world

If you rely on BLE devices every day, Part 3 is the one you’ll want to read.

@intspired® - Protecting your brand, your business, and your operations.

IntSpired® | Offensive Cyber & Wireless Security | UK

We test your defences the way adversaries would, under formal authorisation, to uncover what is actually exploitable.

intspired.co.uk

Bluetooth Exposure – Part 1

IntSpired® — Sun, 10 May 2026 06:43:23 +0000

Real-World Weaknesses | Awareness Series: Part 1 of 3

Over the next few posts, I will explore the real cybersecurity risks behind Bluetooth and why individuals, homeowners and businesses routinely overlook this attack surface.

Bluetooth is often treated as harmless background technology. In reality, it can reveal device presence, proximity, movement patterns and, in some cases, weak implementation choices that increase exposure.

Classic Bluetooth vs BLE

Classic Bluetooth is typically used for audio devices and higher-bandwidth data transfer.

Bluetooth Low Energy, or BLE, is commonly used by beacons, trackers, wearables, IoT devices, smart locks and sensors.

Both operate in the crowded 2.4 GHz ISM band. Both can broadcast information into the surrounding environment. That means both can create exposure, often without the user realising.

Bluetooth Research Tools

Image 1: shows a selection of tools commonly used to explore Bluetooth and BLE weaknesses.

Highlighted is the Ubertooth One, a well-known device within the Bluetooth security research community. However, research and field experience show that it can be unreliable, and it is not usually the first tool I would reach for during practical assessments.

Bluetooth Exposure in the Real World

Image 2: demonstrates how easily freely available mobile apps can reveal Bluetooth devices nearby.

Many of these apps are designed for legitimate diagnostics and device management. However, they also show why individuals and organisations should take Bluetooth exposure seriously.

Even without specialist knowledge, it is possible to identify:

• Nearby devices currently broadcasting
• Devices left in discoverable or pairable modes
• Device names that unintentionally leak information
• Signal strength, or RSSI, which can indicate proximity
• Wearables, trackers, earbuds, speakers, locks and IoT equipment

Some devices may also accept a connection without being bonded or paired, allowing applications to read or write characteristics. This is not advanced exploitation. It is usually a sign of weak device security and poor implementation.

The same visibility that supports diagnostics can also allow environments to be passively mapped. Over time, this can reveal device presence, routines and behavioural patterns.

Despite this, Bluetooth exposure remains widely underestimated. In certain conditions, it can contribute to privacy compromise, tracking, surveillance, or become part of a broader attack chain.

Simple Defensive Step

Before going deeper into the series, one simple defensive step everyone should follow is:

Turn Bluetooth off when you are not using it.

This significantly reduces exposure and prevents your device from broadcasting unnecessarily.

What This Series Will Cover

This series will provide a high-level overview of:

• Why Bluetooth remains a valuable vector for threat actors
• How attackers use BLE during reconnaissance
• What nearby devices can reveal without pairing
• What your phone may broadcast without your knowledge
• Tools defenders should understand
• Quick ways to reduce Bluetooth exposure
• Surveillance and counter-surveillance considerations

Bluetooth may feel harmless, but it is not invisible. Most people have no idea how much they are broadcasting until it is demonstrated to them.

INTSPIRED® | Offensive by Design. Intelligent by Nature.

IntSpired® | Offensive Cyber & Wireless Security | UK

We test your defences the way adversaries would, under formal authorisation, to uncover what is actually exploitable.

intspired.co.uk

When a Radio Signal Stops a Train

IntSpired® — Thu, 07 May 2026 07:41:34 +0000

A Taiwan high-speed rail incident from earlier this week is a sharp reminder that RF security is not a niche issue. It is part of critical infrastructure resilience.

Image 1: Taiwan High Speed Rail — THSR 700T train on the Taipei–Kaohsiung line. Source: Wikimedia Commons

Reports confirm a university student used consumer-grade SDR equipment to intercept, decode and clone TETRA radio parameters, then triggered a General Alarm signal that brought four high-speed trains to an emergency stop for 48 minutes. A 23-year-old student has since been arrested and is currently out on bail.

The technical takeaway is clear. Parameters were cloned. Authentication was bypassed. And the equipment used was bought online.

Image 2: Seized equipment. Source: Taoyuan District Prosecutors Office via CNA/Newtalk, 2026. https://newtalk.tw/news/view/2026-04-30/1032591

What this incident tells us is not just that the system was vulnerable. It tells us that the vulnerability had likely existed for years, undetected and untested. A radio enthusiast with off-the-shelf equipment, no insider access, and no advanced technical background was able to clone operational parameters and trigger the highest-priority alert in a national rail network.

That is not a sophisticated attack. That is a gap that should have been identified in a security assessment long before it was exploited this way.

The questions every critical infrastructure operator should be asking right now are simple. When did you last rotate your radio parameters? Have you ever tested whether your authentication can be bypassed from outside the network? Do you have any detection capability for rogue transmissions? Do you know where a rogue signal is coming from and how fast you can locate it? And if someone triggered a false alarm today, would your response procedures hold up?

If any of those answers are uncertain, that is where to start.

What good RF security looks like in these environments is not complicated in principle, but it is rarely done well in practice. It means treating radio as an attack surface from day one. Regular parameter rotation. Strong authentication on every device. Encryption that is actually tested, not just assumed. Logging and alerting on anomalous transmissions. Direction-finding capability so you can locate a rogue signal when it appears. And response procedures that have actually been exercised, not just written down.

This is not about SDR being dangerous. SDR is a tool. The real issue is whether safety-critical communications have strong authentication, encryption, parameter rotation, logging, detection, direction-finding, and response processes around them.

For rail, ports, airports, utilities, emergency services and other critical environments, RF should be treated as an attack surface, not background noise.

Test it like it matters. Because it does.

Further insights - Taipei Times: https://www.taipeitimes.com/News/taiwan/archives/2026/05/05/2003856781
The Register: https://www.theregister.com/cyber-crime/2026/05/06/taiwan-student-pwns-rail-comms-halts-high-speed-trains/5230489
LinkedIn: https://www.linkedin.com/in/keith-intspired
IntSpired®: https://www.intspired.co.uk

Cover image: Handheld radios seized during the investigation. Source: CTWANT/Weekly King via PChome News. https://news.pchome.com.tw/society/crwant/20260501/index-77760091156668316002.html

Femtocell Security Risks: Why Legacy Devices Are Still a Threat

IntSpired® — Tue, 05 May 2026 07:23:17 +0000

Femtocells are low-power cellular base stations used in homes and small offices to improve indoor mobile coverage. They connect to the operator’s core network over broadband and broadcast a local cellular signal, typically covering 10 to 50 metres.

They operate within standard mobile infrastructure, using licensed spectrum such as:
• 3G UMTS bands (Band 1 2100 MHz in the UK)
• Some later units support LTE bands depending on deployment
Unlike signal boosters, femtocells do not amplify an existing signal. They create a new one, and devices will automatically connect if it presents the strongest signal.

Image 1: Legacy femtocell device originally deployed by mobile networks, now circulating in secondary markets despite being phased out.

The issue
Femtocells extend the cellular network directly into private environments.
• Traffic is routed through broadband
• Devices connect based on signal strength, not trust
• The cellular layer becomes localised and harder to monitor
This creates a gap between:
• What is visible on the IP network
• What is happening over the air interface
This is where visibility breaks.

Image 2: Femtocell architecture highlighting the visibility gap between IP network monitoring and the air interface.

How to identify them
Femtocells are not visible through traditional network scanning.
They are identified through signal behaviour.

Using mobile apps such as Network Cell Info Lite or NetMonster, look for:
• Very strong signal indoors
• Rapid signal drop when leaving the building
• Unusual or isolated Cell ID
• Cell location appearing extremely close or inaccurate
If the cell is not mapped, it may indicate a small cell or femtocell.

Image 3: Analysing cellular signals using Network Cell Info Lite (left) and CellMapper (right) to identify signal strength, band, and local cell infrastructure.
These are not just indicators. They reflect how femtocells operate at the network edge.

Security implications
While modern units are more secure, historically femtocells have presented:
• Firmware attack surface
• Potential interception if compromised
• Reliance on broadband
• Single operator dependency
They are trusted by design but deployed in uncontrolled environments.

Still in circulation
Consumer femtocells have been phased out in the UK following 3G shutdowns.
However:
• Legacy devices remain active
• Units are still being sold on secondary markets
• Small cell technology continues in enterprise environments

How to reduce risk
• Use Wi-Fi Calling instead of legacy femtocell hardware
• Avoid unsupported or second hand telecom devices
• Monitor RF environments in sensitive locations
• Validate unexpected strong indoor cellular signals
• Treat local cellular infrastructure as part of the attack surface

Takeaway
Femtocells highlight a fundamental issue.
Security monitoring focuses on networks and endpoints.
Cellular operates in RF. If you are not looking at the spectrum, you are not seeing the full environment.

For more insight on wireless weaknesses, visit intspired.co.uk/blog

INTSPIRED®
OFFENSIVE BY DESIGN. INTELLIGENT BY NATURE.

Accessible, Documented, and Off Most Security Radars

IntSpired® — Sun, 03 May 2026 10:26:47 +0000

Back in January, I wrote about how tools can be modified beyond their intended use. Not always with bad intent, but not always with good either. https://intspired.co.uk/blog/f/beyond-the-surface

Since then, a few things caught my attention. Unrelated on the surface, but all wireless, all open, and all sitting just outside where most security teams are looking.

A general-purpose device transmitting amateur radio

Image 1: Amateur Radio Meets General-Purpose Hardware (Flipper Zero APRS setup).

As a ham radio user, I came across a GitHub project by Richard YO3GND demonstrating a Flipper Zero transmitting APRS, a protocol typically associated with dedicated amateur radio equipment.

It's experimental. Imperfect. Not something you'd stake your comms on.

But that's not the point. The point is that a low cost, general-purpose device is now capable of emulating a specialised radio function simply by implementing the protocol in software. The hardware didn't change. The capability did.

Computer vision that sets up in minutes

Image 2: Real-Time Face Detection Using OpenCV — Accessible Computer Vision in Practice.

Computer vision tools and the development solutions that support them aren't new. What's changed is the accessibility. Detection capability is no longer the barrier. Frameworks have been simplified to the point where a working setup can be running in minutes, on commodity hardware.

The specialisation required has dropped dramatically. The output hasn't.

Passive detection at scale

Image 3: From Detection Hardware to Crowdsourced Surveillance — Seeed Studio XIAO ESP32S3 and DeFlock Maps.

Tools like OUI-SPY, built on hardware such as the Seeed Studio XIAO ESP32S3, can passively detect nearby Bluetooth and BLE broadcasts, flag recognised identifiers, and alert on known signal patterns without active probing. These tools aren't single-purpose, and the same understanding that enables detection can be used to avoid it.

What happens when that detection is contributed at scale is a different question entirely. Platforms like DeFlock Maps illustrate it clearly. A crowdsourced ALPR surveillance map, DeFlock currently shows over 75,000 cameras in view across the US alone. Individual observations, aggregated, become infrastructure-level intelligence.

Transmit. See. Detect. Three capabilities, three communities, all moving in the same direction: accessible, affordable, and functional enough to matter. Not theory. Right now.

Why security teams should care
Most of these developments aren't appearing in threat intelligence feeds. They're appearing in radio groups, maker communities, and computer vision forums. The people building them aren't adversaries. They're curious, technically capable, and sharing their work openly.

That openness is exactly what makes it relevant. Capability that's documented, reproducible, and discussable in public is already in play. The gap between innovation and risk is narrower than most organisations assume.

Awareness won't close that gap. But without it, you won't even know it exists.

If it's there, it's observable.

INTSPIRED®
Offensive by design. Intelligent by nature

IMSI Catchers Don’t Break Encryption — They Exploit the Network

IntSpired® — Fri, 01 May 2026 16:25:51 +0000

Most mobile devices will connect to any base station that appears legitimate.

That behaviour is what makes IMSI catchers possible.

Mobile devices use International Mobile Subscriber Identifiers (IMSI) to authenticate and communicate across cellular networks. IMSI catchers exploit this by impersonating legitimate base stations, causing nearby phones to connect to them instead of the real network.

In doing so, they collect SIM and device identifiers (such as IMSI or IMEI), along with signalling metadata that can be used to estimate presence and rough location. This does not require breaking applications or accessing encrypted content. It relies entirely on standard network behaviour.

These techniques exploit trust within the network itself, sometimes forcing devices onto older or less secure protocols. Although heavily regulated and detectable, their effectiveness highlights how much signalling information mobile networks already expose by design.

What to keep in mind when interpreting this data

Mobile network data reflects connectivity, not people. It describes devices and sessions, not identity or human behaviour.
Convenience signals are often over-trusted. Networks prioritise availability and usability, not verification or assurance.
Risk increases in sensitive contexts. Meetings, travel, and safety-critical situations raise the cost of misinterpretation.
Continuous connectivity is not always necessary. Many activities do not require phones to remain connected at all times.
Decisions are more reliable when they do not depend entirely on phone location or connectivity data.

Illustrative examples of GSM signalling exposure

Image 1: GSM Downlink Signal Activity.
Live cellular spectrum showing active network presence within range.

Image 2: GSM Signalling Metadata.
Decoded broadcast data showing network identifiers and signalling information transmitted continuously by the network.

Image 3: Associated GSM Data Exposure.
Structured dataset linking identifiers (IMSI/TMSI) with network parameters and timestamps, enabling pattern and presence analysis over time.

Final point

This isn’t about breaking encryption or accessing content. It’s about what is already exposed through normal network operation.

Understanding the signal is one thing. Interpreting the risk is another.

If it’s there, it’s observable.

INTSPIRED®
OFFENSIVE BY DESIGN. INTELLIGENT BY NATURE.

Stay informed.

RF Intelligence: The Attack Surface Your SIEM Can't See

IntSpired® — Thu, 30 Apr 2026 08:14:31 +0000

RF signals don’t appear in logs.

They pass through walls, bypass controls, and leave no trace.

This article shows how RF activity can be detected and analysed outside of traditional security controls using a GNU Radio setup with a HackRF One.

Most organisations monitor their networks extensively. Firewalls, SIEM platforms, EDR tools and intrusion detection systems continuously observe the digital perimeter. However, one attack surface is rarely monitored: the radio frequency spectrum inside the physical environment.

A compromised device transmitting over RF, a covert hardware implant beaconing on a schedule, or a receiver positioned just outside a facility will not appear in traditional monitoring systems.

If RF is not being monitored, there is a blind spot.

What This Setup Provides

• Wideband RF monitoring across the local environment
• Identification of signal frequencies and behaviour
• Power measurement for consistent analysis
• Detection and investigation of unusual transmissions

RF Anomaly Detection Interface

The setup uses a dual-panel interface for monitoring and inspection.

The left panel provides wideband visibility across the monitored spectrum, allowing all active signals to be seen at a glance.

The right panel provides focused inspection. Any signal identified in the wideband view can be selected and analysed in more detail, including centre frequency, bandwidth, signal structure and power relative to the noise floor.

This creates a simple workflow: detect across the spectrum, then isolate and investigate.

Real Signal Detection

Image 1: Wideband spectrum (left) and selected signal (right). A narrowband signal at 440 MHz is highlighted for closer inspection.

Signal 1 — 440.000 MHz

This frequency sits outside the 433 MHz ISM allocation and within the 70 centimetre amateur radio band, subject to verification of local licensed activity.

This is where RF monitoring moves into analysis.

Key questions include whether the transmission is expected in the environment, whether there is a known licensed source, whether the signal aligns with known device behaviour, and whether it could represent unauthorised or anomalous activity.

Initial capture indicated a strong local transmission. After gain adjustment, the signal resolved at approximately -72 dBFS, with a noise floor around -88 dBFS.

No immediate indication of malicious behaviour was observed during initial analysis. However, the same process would apply when assessing unauthorised or covert transmissions.

Image 2: Narrowband RF signal at 433 MHz observed during monitoring.

Signal 2 — 433.000 MHz

A second signal was observed, consistent with strong local transmission relative to the observed noise floor.

This aligns with expected ISM band activity such as sensors, weather stations and consumer wireless devices, and was treated as part of the baseline RF environment.

Engineering the Setup

Image 3: GNU Radio flowgraph developed for RF signal processing.

The underlying processing is implemented in GNU Radio Companion on DragonOS, using a HackRF One with a Diamond SRH789 antenna.

Raw IQ data is captured from the HackRF and processed through an FFT-based processing chain.

A 4096-point FFT converts the signal into the frequency domain, with Blackman-Harris windowing used to improve visibility of weaker signals near stronger ones.

Signal power is calculated using magnitude squared conversion and normalised into dBFS, allowing measurements to be compared consistently.

The system runs at a 20 Msps sample rate, covering roughly 20 MHz of bandwidth from 423 MHz to 443 MHz.

This allows signals to be detected and analysed clearly rather than just observed.

RF Detection Compared to Traditional Sweepers

Traditional RF sweepers indicate the presence of a signal but provide limited detail.

This setup allows signals to be identified by frequency, measured, visualised across the spectrum and analysed in context.

Rather than simply detecting activity, it makes it possible to assess whether a signal is expected or unusual.

This distinction is what separates intelligence from detection.

Why RF Monitoring Matters

Most security programmes focus on networks, applications and endpoints.

RF is rarely included, which creates an opportunity for activity that does not generate logs or alerts.

Data can be transmitted out of a secure environment without touching the network. Devices can operate silently over RF for long periods.

Signals can exist outside commonly monitored bands such as WiFi and Bluetooth.

The RF environment inside a facility is an attack surface that traditional monitoring does not cover.

Field Collection Capability

For on-site work away from the DragonOS setup, a PortaPack HM4 with an integrated HackRF One can be used for standalone field capture.

This allows RF data to be collected without a laptop and stored for later analysis.

Captured data can then be replayed through the same processing setup, keeping analysis consistent between live monitoring and post-capture review.

Future Development

The current setup provides monitoring, detection and basic analysis.

Future work will focus on building a baseline of expected RF activity and identifying deviations over time.

This would allow more structured detection of unusual or unexpected signals.

If RF is not part of your security approach, it is worth considering.

For organisations looking to better understand RF exposure and wireless risk, assessment beyond traditional controls may be required.

Contact:
info@intspired.co.uk
https://intspired.co.uk

IntSpired®
Offensive by Design. Intelligent by Nature.

RF Exposure via Digital Speech Decoders

IntSpired® — Mon, 27 Apr 2026 06:41:45 +0000

This post is intended to raise awareness of RF exposure and visibility, not to promote or enable misuse.

Software-defined radio is a genuine intelligence capability when used correctly.

With tools like DSDPlus and low-cost SDR hardware, monitoring and interpreting unencrypted digital radio systems is now widely accessible across the UK and internationally.

What was once specialist capability is now accessible with minimal experience.

Image 1: UHF Spectrum Survey — Automated Scanning Across Active Frequencies.

In practice, exposure goes beyond audio. It reveals talkgroup activity, device presence, and communication patterns over time.

Image 2: Real-Time Group Call Decoded — Radio ID Automatically Identified by DSDPlus.

The UK RF Reality

In the UK, the most relevant and observable systems include:

• DMR (Digital Mobile Radio) — widely used across security, logistics, construction, events, and commercial operations

• NXDN and digital PMR networks — used across rail, industrial environments, and private deployments

• Amateur digital voice systems — active, open, and often overlooked

Public safety communications operate on Airwave (TETRA). The long-delayed transition to the Emergency Services Network (ESN) continues, with full migration still incomplete. While Airwave is designed with strong encryption, RF systems are only as secure as their configuration and operational use, and exposure is more commonly observed across less protected commercial systems.

Global Context

Across other regions, the landscape shifts:

• P25 Phase 1 & 2 — widely used for public safety in the United States, Canada, and Australia

• DMR and NXDN — widely deployed across commercial and private networks in Europe and parts of Asia

What’s observable depends on the local RF environment.

What Actually Matters

This is not about listening. It is about exposure.

Whether in the public or private sector, unencrypted RF communications create a layer of visibility that is often overlooked.

Even without focusing on voice, consistent monitoring allows patterns to be built around:

• Talkgroup usage and communication structures
• Device activity and presence over time
• Shifts in operational tempo
• Encrypted versus unencrypted behaviour

These insights are not provided directly by the tools. They emerge through analysis of what is already being transmitted in the clear.

IntSpired Assessment

As technology and threat actor capability evolve, RF is no longer just radio. It is an intelligence layer, and one that can be used against you.

Most organisations focus on securing networks, not what those networks transmit.

If it is transmitting, it is detectable, analysable, and increasingly accessible to those who know where to look.

Codename: TEMPEST — The real magnitude of an 80-year-old threat

IntSpired® — Fri, 24 Apr 2026 07:30:02 +0000

Most security focuses on networks and endpoints.
Very little attention is given to what devices emit into the physical environment.

This isn’t a dormant risk. It’s an unaddressed one.

In March 2026, U.S. lawmakers formally requested a renewed investigation into TEMPEST-related threats, citing:
• Lack of public awareness
• Absence of modern regulatory requirements for consumer devices
• Potential exploitation by criminals, private investigators, and non-state actors
Image 1: Extract from Congressional letter (March 4, 2026) describing TEMPEST as a “serious national security threat”.

The request highlights a critical point:
The U.S. government has not conducted a follow-up review of this threat since 1986, despite the risk being known for over 80 years.
The accompanying Congressional Research Service memorandum reinforces this, outlining:
• The ability to reconstruct data from electromagnetic, acoustic, and RF emissions
• That these techniques have been repeatedly rediscovered in academic research
• That the equipment required to observe these emissions is now easily obtainable

What TEMPEST is
TEMPEST refers to the unintentional electromagnetic emissions generated by electronic devices during operation.

These emissions are not just noise.
They can carry structured information.

Under the right conditions, it is sometimes possible to reconstruct elements of what a system is processing, including screen content, signals, or data flows, from emitted RF energy.

This is a physical side-channel. It exists whether it is monitored or not.

Image 2: Simulated TEMPEST reconstruction using GNU Radio (gr-tempest open-source implementation)

The setup
From a practical standpoint, observing these emissions does not require exotic infrastructure.

A typical research setup may include:
• Software-defined radio platforms (e.g. HackRF class devices)
• Near-field or directional antennas
• Signal processing via tools such as GNU Radio

With correct tuning and filtering, emissions from monitors, video cables, power lines, and internal components can be captured and analysed.

Importantly:
No network interaction is required.
No system access is required.
This is passive collection from the electromagnetic environment.

Beyond policy and classification, the underlying reality is simpler:
TEMPEST is often framed within classified programmes, hardened environments, and military-grade shielding.

What determines the risk are three factors:
• how detectable the emissions are
• how far they travel
• how much information they expose
This shifts TEMPEST from a classified concern to a physical reality with direct operational implications.

What the documents explicitly confirm
The CRS memo is very direct about how this works in practice:
• Acoustic — keystrokes can be derived from recorded typing sounds
• RF — emissions may be observable at distance under favourable conditions
• Electromagnetic — signals generated by internal currents can be measured and analysed
It also confirms something often missed:
These attacks rely on observing unintended signals generated during operation.

What has not changed
The same memorandum highlights a structural gap:
• No uniform TEMPEST mitigation policy across U.S. government systems
• No requirement for consumer device manufacturers to implement countermeasures
• Limited public guidance despite long-standing awareness
At the same time:
• Techniques have been publicly demonstrated (2009–2022 research examples)
• Methods now fall under what is broadly called side-channel attacks
• The barrier to entry is no longer restricted to state actors

Threat level — low, but specific
For most organisations, TEMPEST does not present an immediate or scalable risk.
Constraints remain significant:
• Effective range is limited
• Signal clarity degrades rapidly
• Environmental RF noise introduces distortion
• Skill and interpretation barriers are non-trivial

However, context matters.
In environments where:
• systems are air-gapped
• data sensitivity is high
• physical proximity can be achieved
TEMPEST becomes a relevant niche collection method.
Not widespread.
But not theoretical.

Closing note
Most organisations monitor networks, endpoints, and cloud environments.
Very few consider what their systems emit into the physical environment.

INTSPIRED®
OFFENSIVE BY DESIGN. INTELLIGENT BY NATURE.

Full references and further detail available in the article.

• U.S. Congressional letter (March 2026)
https://www.wyden.senate.gov/imo/media/doc/wyden_gao_tempest_letter.pdf

• Congressional Research Service memorandum
https://www.wyden.senate.gov/imo/media/doc/memo_-_tempest.pdf

• GNU Radio TEMPEST implementation (gr-tempest)
https://github.com/git-artes/gr-tempest

Wi-Fi Hacking Hype vs Reality

IntSpired® — Thu, 23 Apr 2026 07:00:46 +0000

There is constant noise around “new” Wi-Fi hacking tools and techniques.

Established reconnaissance platforms are presented as breakthrough capabilities.
Handshake capture devices are often interpreted as automatically retrieving passwords.
Deauthentication attacks are portrayed as systemic compromise events.

Much of this reflects misunderstanding rather than cryptographic reality.

To reset the narrative, we must separate RF visibility from real compromise and examine the capabilities and limitations of a select set of commonly referenced tools.

Sparrow WiFi: An Example of Wireless Reconnaissance and Telemetry Analysis

Image 1: Sparrow WiFi interface displaying wireless network discovery, signal strength telemetry, and channel utilisation across 2.4 GHz and 5 GHz bands.

Sparrow WiFi is one example of a wireless reconnaissance and telemetry analysis tool used for site surveys and RF assessment.

Tools in this category provide:

• Network discovery
• Signal strength analysis
• Channel utilisation metrics
• Security mode identification
• GPS telemetry
• SSID and BSSID mapping

Their purpose is RF visibility and environmental analysis.
They do not perform cryptographic attacks, bypass WPA3, or recover passwords.

RF visibility does not by itself constitute network compromise.

Pwnagotchi and “Password Catching

Image 2: Captured WPA/WPA2 handshake packet files (.pcap) prepared for offline analysis in a controlled lab environment.

Pwnagotchi automates the capture of WPA/WPA2 4-way authentication handshakes when a client associates with a network.

It does not capture plaintext passwords.

A captured handshake only enables offline password testing; it does not reveal the network key unless the passphrase can be correctly guessed.

Recovering a passphrase therefore requires testing candidate passwords against authentication material derived from the 4-way handshake. Common approaches include:

• GPU-accelerated password guessing
• Dictionary attacks
• Rule-based mutations
• Hybrid attacks
• Testing known breached credentials

There is currently no known practical method to directly decrypt traffic from properly configured WPA2-AES or WPA3-SAE networks without knowledge of the network credential.

This process does not break AES encryption. It simply tests candidate passwords against the captured handshake. If the passphrase is long, unique, and high entropy, the attack fails.

Strong credential hygiene defeats this class of attack.

Deauthentication Attacks Do Not Break Encryption

Deauthentication attacks:

• Force clients to disconnect
• Trigger reauthentication attempts
• May enable handshake capture in certain scenarios

They do not:

• Reveal passwords
• Decrypt traffic
• Break AES encryption

Deauthentication is a disruption technique, not a cryptographic attack.

Networks using Management Frame Protection, defined in IEEE 802.11w, significantly reduce exposure to spoofed deauthentication and disassociation frames.

Even without Management Frame Protection, deauthentication creates an opportunity for capture, not automatic compromise.

Rainbow Tables and “Decryption” Claims

Rainbow tables are precomputed lookup tables used to reverse hashes.

In modern wireless assessments, they are rarely the primary method.

In WPA2-PSK, the SSID is used as the salt in the PBKDF2 key derivation process. This means rainbow tables must be generated for a specific network name, which significantly limits practicality.

In real-world assessments, GPU-accelerated offline password guessing is still far more common than maintaining large precomputed rainbow tables.

Rainbow tables are effective only when:

• Passwords are short
• Passwords are common
• Credentials are reused
• The SSID is predictable and widely reused

They do not defeat strong, high-entropy passphrases.

There is no practical real-time decryption of properly configured WPA3-SAE networks.

AirSnitch and Client Isolation Research

Research such as AirSnitch highlights weaknesses in certain implementations of client isolation on consumer routers.

This is valuable work.

However, it demonstrates configuration and architectural flaws in specific devices. It does not represent a universal break of Wi-Fi encryption.

The issue is implementation, not cryptography.

Channel Hopping: What It Actually Means

Channel hopping is a scanning technique in which a wireless adapter cycles through Wi-Fi channels to observe activity.

It does not refer to an access point changing its operating channel, which may occur automatically due to interference or optimisation policies.

It is also different from client roaming, where a device reassociates between access points or frequency bands.

Because a single wireless radio can observe only one channel at a time, scanning tools rotate across channels to build broader visibility. Multi-radio monitoring systems can observe multiple channels simultaneously.

This behaviour is common in:

• Passive scanning
• Wireless intrusion detection systems
• Spectrum analysis
• Site surveys
• Security research

The same physical limitation applies to attackers. To transmit deauthentication frames or conduct other active attacks, the radio must be tuned to the target’s channel. A single radio cannot transmit on multiple channels simultaneously.

Channel hopping does not:

• Bypass encryption
• Defeat WPA2-AES
• Defeat WPA3-SAE
• Decrypt traffic
• Grant network access

It increases visibility. It does not create compromise.

Where Wi-Fi Actually Fails

Wi-Fi compromise rarely occurs because encryption is broken. It more often results from operational and configuration weaknesses, including:

• Weak or predictable passphrases
• Reused credentials across networks or services
• WPS enabled
• Misconfigured wireless security settings
• Flat network architecture with no segmentation
• Poor monitoring or visibility of wireless activity
• Exposed internal services accessible from the network
• Weak authentication controls once network access is obtained
• Unpatched access points or outdated firmware

Once network access is gained, attackers often move laterally within the environment. The access point is rarely the final objective.

Final Point
When modern Wi-Fi is properly configured, including:

• WPA2-AES with strong, unique passphrases
• WPA3-SAE
• Management Frame Protection enabled (802.11w / PMF)
• WPS disabled

there is currently no known practical method for directly breaking the encryption in real-world conditions.

Modern Wi-Fi cryptography is rarely the weak link. Configuration and operational discipline are.

INTSPIRED®
Offensive by Design. Intelligent by Nature.

Home | IntSpired® | Offensive Cyber & Wireless Security | UK

We test your defences the way adversaries would, under formal authorisation, to uncover what is actually exploitable.

intspired.co.uk