Forem: IntSpired®

RF Exposure via Digital Speech Decoders

IntSpired® — Mon, 27 Apr 2026 06:41:45 +0000

This post is intended to raise awareness of RF exposure and visibility, not to promote or enable misuse.

Software-defined radio is a genuine intelligence capability when used correctly.

With tools like DSDPlus and low-cost SDR hardware, monitoring and interpreting unencrypted digital radio systems is now widely accessible across the UK and internationally.

What was once specialist capability is now accessible with minimal experience.

Image 1: UHF Spectrum Survey — Automated Scanning Across Active Frequencies.

In practice, exposure goes beyond audio. It reveals talkgroup activity, device presence, and communication patterns over time.

Image 2: Real-Time Group Call Decoded — Radio ID Automatically Identified by DSDPlus.

The UK RF Reality

In the UK, the most relevant and observable systems include:

• DMR (Digital Mobile Radio) — widely used across security, logistics, construction, events, and commercial operations

• NXDN and digital PMR networks — used across rail, industrial environments, and private deployments

• Amateur digital voice systems — active, open, and often overlooked

Public safety communications operate on Airwave (TETRA). The long-delayed transition to the Emergency Services Network (ESN) continues, with full migration still incomplete. While Airwave is designed with strong encryption, RF systems are only as secure as their configuration and operational use, and exposure is more commonly observed across less protected commercial systems.

Global Context

Across other regions, the landscape shifts:

• P25 Phase 1 & 2 — widely used for public safety in the United States, Canada, and Australia

• DMR and NXDN — widely deployed across commercial and private networks in Europe and parts of Asia

What’s observable depends on the local RF environment.

What Actually Matters

This is not about listening. It is about exposure.

Whether in the public or private sector, unencrypted RF communications create a layer of visibility that is often overlooked.

Even without focusing on voice, consistent monitoring allows patterns to be built around:

• Talkgroup usage and communication structures
• Device activity and presence over time
• Shifts in operational tempo
• Encrypted versus unencrypted behaviour

These insights are not provided directly by the tools. They emerge through analysis of what is already being transmitted in the clear.

IntSpired Assessment

As technology and threat actor capability evolve, RF is no longer just radio. It is an intelligence layer, and one that can be used against you.

Most organisations focus on securing networks, not what those networks transmit.

If it is transmitting, it is detectable, analysable, and increasingly accessible to those who know where to look.

Codename: TEMPEST — The real magnitude of an 80-year-old threat

IntSpired® — Fri, 24 Apr 2026 07:30:02 +0000

Most security focuses on networks and endpoints.
Very little attention is given to what devices emit into the physical environment.

This isn’t a dormant risk. It’s an unaddressed one.

In March 2026, U.S. lawmakers formally requested a renewed investigation into TEMPEST-related threats, citing:
• Lack of public awareness
• Absence of modern regulatory requirements for consumer devices
• Potential exploitation by criminals, private investigators, and non-state actors
Image 1: Extract from Congressional letter (March 4, 2026) describing TEMPEST as a “serious national security threat”.

The request highlights a critical point:
The U.S. government has not conducted a follow-up review of this threat since 1986, despite the risk being known for over 80 years.
The accompanying Congressional Research Service memorandum reinforces this, outlining:
• The ability to reconstruct data from electromagnetic, acoustic, and RF emissions
• That these techniques have been repeatedly rediscovered in academic research
• That the equipment required to observe these emissions is now easily obtainable

What TEMPEST is
TEMPEST refers to the unintentional electromagnetic emissions generated by electronic devices during operation.

These emissions are not just noise.
They can carry structured information.

Under the right conditions, it is sometimes possible to reconstruct elements of what a system is processing, including screen content, signals, or data flows, from emitted RF energy.

This is a physical side-channel. It exists whether it is monitored or not.

Image 2: Simulated TEMPEST reconstruction using GNU Radio (gr-tempest open-source implementation)

The setup
From a practical standpoint, observing these emissions does not require exotic infrastructure.

A typical research setup may include:
• Software-defined radio platforms (e.g. HackRF class devices)
• Near-field or directional antennas
• Signal processing via tools such as GNU Radio

With correct tuning and filtering, emissions from monitors, video cables, power lines, and internal components can be captured and analysed.

Importantly:
No network interaction is required.
No system access is required.
This is passive collection from the electromagnetic environment.

Beyond policy and classification, the underlying reality is simpler:
TEMPEST is often framed within classified programmes, hardened environments, and military-grade shielding.

What determines the risk are three factors:
• how detectable the emissions are
• how far they travel
• how much information they expose
This shifts TEMPEST from a classified concern to a physical reality with direct operational implications.

What the documents explicitly confirm
The CRS memo is very direct about how this works in practice:
• Acoustic — keystrokes can be derived from recorded typing sounds
• RF — emissions may be observable at distance under favourable conditions
• Electromagnetic — signals generated by internal currents can be measured and analysed
It also confirms something often missed:
These attacks rely on observing unintended signals generated during operation.

What has not changed
The same memorandum highlights a structural gap:
• No uniform TEMPEST mitigation policy across U.S. government systems
• No requirement for consumer device manufacturers to implement countermeasures
• Limited public guidance despite long-standing awareness
At the same time:
• Techniques have been publicly demonstrated (2009–2022 research examples)
• Methods now fall under what is broadly called side-channel attacks
• The barrier to entry is no longer restricted to state actors

Threat level — low, but specific
For most organisations, TEMPEST does not present an immediate or scalable risk.
Constraints remain significant:
• Effective range is limited
• Signal clarity degrades rapidly
• Environmental RF noise introduces distortion
• Skill and interpretation barriers are non-trivial

However, context matters.
In environments where:
• systems are air-gapped
• data sensitivity is high
• physical proximity can be achieved
TEMPEST becomes a relevant niche collection method.
Not widespread.
But not theoretical.

Closing note
Most organisations monitor networks, endpoints, and cloud environments.
Very few consider what their systems emit into the physical environment.

INTSPIRED®
OFFENSIVE BY DESIGN. INTELLIGENT BY NATURE.

Full references and further detail available in the article.

• U.S. Congressional letter (March 2026)
https://www.wyden.senate.gov/imo/media/doc/wyden_gao_tempest_letter.pdf

• Congressional Research Service memorandum
https://www.wyden.senate.gov/imo/media/doc/memo_-_tempest.pdf

• GNU Radio TEMPEST implementation (gr-tempest)
https://github.com/git-artes/gr-tempest

Wi-Fi Hacking Hype vs Reality

IntSpired® — Thu, 23 Apr 2026 07:00:46 +0000

There is constant noise around “new” Wi-Fi hacking tools and techniques.

Established reconnaissance platforms are presented as breakthrough capabilities.
Handshake capture devices are often interpreted as automatically retrieving passwords.
Deauthentication attacks are portrayed as systemic compromise events.

Much of this reflects misunderstanding rather than cryptographic reality.

To reset the narrative, we must separate RF visibility from real compromise and examine the capabilities and limitations of a select set of commonly referenced tools.

Sparrow WiFi: An Example of Wireless Reconnaissance and Telemetry Analysis

Image 1: Sparrow WiFi interface displaying wireless network discovery, signal strength telemetry, and channel utilisation across 2.4 GHz and 5 GHz bands.

Sparrow WiFi is one example of a wireless reconnaissance and telemetry analysis tool used for site surveys and RF assessment.

Tools in this category provide:

• Network discovery
• Signal strength analysis
• Channel utilisation metrics
• Security mode identification
• GPS telemetry
• SSID and BSSID mapping

Their purpose is RF visibility and environmental analysis.
They do not perform cryptographic attacks, bypass WPA3, or recover passwords.

RF visibility does not by itself constitute network compromise.

Pwnagotchi and “Password Catching

Image 2: Captured WPA/WPA2 handshake packet files (.pcap) prepared for offline analysis in a controlled lab environment.

Pwnagotchi automates the capture of WPA/WPA2 4-way authentication handshakes when a client associates with a network.

It does not capture plaintext passwords.

A captured handshake only enables offline password testing; it does not reveal the network key unless the passphrase can be correctly guessed.

Recovering a passphrase therefore requires testing candidate passwords against authentication material derived from the 4-way handshake. Common approaches include:

• GPU-accelerated password guessing
• Dictionary attacks
• Rule-based mutations
• Hybrid attacks
• Testing known breached credentials

There is currently no known practical method to directly decrypt traffic from properly configured WPA2-AES or WPA3-SAE networks without knowledge of the network credential.

This process does not break AES encryption. It simply tests candidate passwords against the captured handshake. If the passphrase is long, unique, and high entropy, the attack fails.

Strong credential hygiene defeats this class of attack.

Deauthentication Attacks Do Not Break Encryption

Deauthentication attacks:

• Force clients to disconnect
• Trigger reauthentication attempts
• May enable handshake capture in certain scenarios

They do not:

• Reveal passwords
• Decrypt traffic
• Break AES encryption

Deauthentication is a disruption technique, not a cryptographic attack.

Networks using Management Frame Protection, defined in IEEE 802.11w, significantly reduce exposure to spoofed deauthentication and disassociation frames.

Even without Management Frame Protection, deauthentication creates an opportunity for capture, not automatic compromise.

Rainbow Tables and “Decryption” Claims

Rainbow tables are precomputed lookup tables used to reverse hashes.

In modern wireless assessments, they are rarely the primary method.

In WPA2-PSK, the SSID is used as the salt in the PBKDF2 key derivation process. This means rainbow tables must be generated for a specific network name, which significantly limits practicality.

In real-world assessments, GPU-accelerated offline password guessing is still far more common than maintaining large precomputed rainbow tables.

Rainbow tables are effective only when:

• Passwords are short
• Passwords are common
• Credentials are reused
• The SSID is predictable and widely reused

They do not defeat strong, high-entropy passphrases.

There is no practical real-time decryption of properly configured WPA3-SAE networks.

AirSnitch and Client Isolation Research

Research such as AirSnitch highlights weaknesses in certain implementations of client isolation on consumer routers.

This is valuable work.

However, it demonstrates configuration and architectural flaws in specific devices. It does not represent a universal break of Wi-Fi encryption.

The issue is implementation, not cryptography.

Channel Hopping: What It Actually Means

Channel hopping is a scanning technique in which a wireless adapter cycles through Wi-Fi channels to observe activity.

It does not refer to an access point changing its operating channel, which may occur automatically due to interference or optimisation policies.

It is also different from client roaming, where a device reassociates between access points or frequency bands.

Because a single wireless radio can observe only one channel at a time, scanning tools rotate across channels to build broader visibility. Multi-radio monitoring systems can observe multiple channels simultaneously.

This behaviour is common in:

• Passive scanning
• Wireless intrusion detection systems
• Spectrum analysis
• Site surveys
• Security research

The same physical limitation applies to attackers. To transmit deauthentication frames or conduct other active attacks, the radio must be tuned to the target’s channel. A single radio cannot transmit on multiple channels simultaneously.

Channel hopping does not:

• Bypass encryption
• Defeat WPA2-AES
• Defeat WPA3-SAE
• Decrypt traffic
• Grant network access

It increases visibility. It does not create compromise.

Where Wi-Fi Actually Fails

Wi-Fi compromise rarely occurs because encryption is broken. It more often results from operational and configuration weaknesses, including:

• Weak or predictable passphrases
• Reused credentials across networks or services
• WPS enabled
• Misconfigured wireless security settings
• Flat network architecture with no segmentation
• Poor monitoring or visibility of wireless activity
• Exposed internal services accessible from the network
• Weak authentication controls once network access is obtained
• Unpatched access points or outdated firmware

Once network access is gained, attackers often move laterally within the environment. The access point is rarely the final objective.

Final Point
When modern Wi-Fi is properly configured, including:

• WPA2-AES with strong, unique passphrases
• WPA3-SAE
• Management Frame Protection enabled (802.11w / PMF)
• WPS disabled

there is currently no known practical method for directly breaking the encryption in real-world conditions.

Modern Wi-Fi cryptography is rarely the weak link. Configuration and operational discipline are.

INTSPIRED®
Offensive by Design. Intelligent by Nature.

Home

We apply intelligence-led methods to identify cyber and wireless risks before they can be exploited.

intspired.co.uk