DEV Community: IntSpired®

Satellite-to-Phone Connectivity

IntSpired® — Thu, 11 Jun 2026 05:45:44 +0000

Satellite phones are not new. What is changing is ordinary smartphones connecting directly to satellites.

For years satellite communication required specialist devices and dedicated terminals used by remote workers, maritime users, emergency responders, military personnel and journalists operating beyond normal mobile coverage.

Most people rely on terrestrial networks. That means everything connecting your phone or laptop to the internet through ground-based infrastructure. The cell tower in your street. The cables between exchanges. Your home broadband and Wi-Fi router. If it sits on the ground and carries your data it is part of the terrestrial network.

When those networks are unavailable, damaged, congested, jammed or out of range, connectivity fails. That is where direct-to-device satellite connectivity becomes relevant.

The shift has already started

Apple's satellite features allow compatible iPhones to contact emergency services with no cellular or Wi-Fi coverage. Starlink is developing direct-to-cell services using low Earth orbit satellites. AST SpaceMobile has received FCC approval to operate a constellation providing supplemental coverage through existing mobile partners.

Full satellite broadband to every phone as an everyday service is not here yet. But the move from specialist satellite hardware towards ordinary satellite-capable smartphones has begun.

Image 1: Starlink V1.5, V2 and V3.

Later Starlink satellites are expected to be larger and more capable to support direct-to-device connectivity. V3-class satellites are widely discussed as requiring Starship-scale launch capacity rather than routine Falcon 9 deployment. A larger antenna array can help the satellite focus a stronger and more precise signal beam towards a device on the ground. That is what makes connecting to an ordinary smartphone physically possible.

The signal strength problem

Many low Earth orbit communication satellites operate hundreds of kilometres above Earth. Research modelling often uses altitudes of around 550–560 km to illustrate the scale of the signal-strength challenge. Purpose-built ground terminals use large, focused antennas to receive these signals. Smartphones, by contrast, rely on much smaller built-in antennas. As a result, the received signal strength can be thousands of times weaker than with a dedicated ground terminal.

The solution is beamforming. Instead of broadcasting a signal in all directions, the satellite uses an array of antennas to focus power precisely towards a specific device. It is the difference between a lightbulb spreading light across a room and a torch aimed at a single point.

Image 2: Beamforming & Focusing the Signal.

Left: unfocused signal spreading in all directions with most power wasted. Right: beamforming concentrating power directly at the device on the ground.

A satellite has limited power. Beamforming focuses that power like a torch beam rather than spreading it like a lightbulb. This is one of the key techniques that allows a satellite to reach a standard smartphone without a specialist terminal on the ground.

Multiple satellites, one phone

Research published in 2026 by engineers at KTH Royal Institute of Technology shows how multiple satellites can coordinate to serve the same device simultaneously. Instead of connecting to one satellite a phone could receive data streams from several at once improving both speed and reliability. If one satellite moves out of range or is blocked, others may help maintain continuity. This coordination does not require the satellites to be precisely synchronised with each other removing one of the main practical barriers to real-world deployment.

Image 3: One Phone, Multiple Satellites.

Four satellites each sending a differently coloured beam to a single smartphone on the ground.

Future systems may allow a device to receive signals from several satellites simultaneously improving resilience and reducing the impact of movement, blockage or coverage gaps. Each satellite sends part of the data. The phone combines the signals.

Why this changes the risk landscape

Wider access creates wider exposure.

For ordinary users a satellite-capable phone can communicate outside normal network infrastructure even when that infrastructure is deliberately disrupted.

For organisations satellite-capable devices may bypass local network controls, corporate gateways or expected monitoring points.

The criminal threat: more than jamming

Jamming means broadcasting interference on the same frequency a satellite uses to block the signal. GPS jamming is already documented across multiple regions. Direct-to-device services use different frequencies but any wireless link can be vulnerable to interference if an attacker can affect the relevant signal path.

Spoofing mimics a legitimate signal. Spoofing or false-signal attacks could attempt to mislead devices or disrupt trust in the connection.

Covert communications. Historically, communicating beyond terrestrial network reach often required expensive and visible specialist hardware. A standard smartphone with satellite capability removes that barrier. Networks operating in remote areas, across borders or at sea gain a communications channel that no longer depends on infrastructure authorities can monitor or disrupt.

Evading lawful interception. Legal frameworks for intercepting communications are built around terrestrial infrastructure. When traffic routes through a satellite path it may complicate existing lawful intercept, monitoring and governance models that were designed for that environment.

Fraud and identity threats. SIM fraud, account compromise and interception attempts will follow satellite connectivity as they have followed every previous generation of mobile technology. Security frameworks built on terrestrial assumptions will need updating.

Physical security in sensitive locations. A satellite-capable phone carried into a restricted environment can communicate outside any local network controls in place. Existing device policies and physical security protocols may not account for this.

This technology does not create new crimes. It reduces friction, increases reach, and may weaken some existing assumptions around visibility, control and disruption.

The point for security awareness

Satellite connectivity is moving from specialist equipment into everyday phones and the infrastructure is being built now.

Criminal networks adapt quickly to new communications capabilities. They do not wait for policy frameworks to catch up. A new channel emerges, legitimate users adopt it, and those seeking to avoid detection follow.

The gap between how fast this technology is moving and how slowly security awareness tends to follow is where the risk lives.

IntSpired®
Offensive by Design. Intelligent by Nature.

References:
KTH Royal Institute of Technology, "Joint and Streamwise Distributed MIMO Satellite Communications with Multi-Antenna Ground Users" (2026)

NextBigFuture, "Satellite Direct to Cellphone — SpaceX Starlink vs Apple vs AST Space Mobile" (2025).

Tracking down a 1964 US Navy Satellite No One Could Switch Off

IntSpired® — Mon, 01 Jun 2026 06:05:54 +0000

They said it was dead. It kept transmitting.

Transit 5B-5. NORAD 965. OPS 6582.

Launched in December 1964 as part of the US Navy’s Transit satellite navigation system, the GPS of its era.

Nineteen days after launch, its navigation transmitters failed. The satellite stopped responding to commands. The telemetry transmitter could not be switched off.

This morning, from IntSpired, Cornwall, we tracked it.

Here is exactly how.

Image 1: Step 1 — Pull the orbital data.

Before you can track anything, you need to know where it is.

One command to CelesTrak. curl pulls the TLE directly from the source: two lines of orbital mechanics containing the epoch, inclination, eccentricity and mean motion.

That is everything Gpredict needs to compute where Transit 5B-5 will be, and when.

Written to 965.sat.

Ground truth established.

Image 2: Step 2 — Configure the ground station.

A satellite’s position means nothing without a reference point on Earth.

IntSpired, Cornwall, UK
50.5000°N, 5.0000°W
IO70MM
50 metres above sea level
Weather station: EGHQ

Every AOS time, LOS time, elevation calculation and Doppler prediction runs against this coordinate.

This is the anchor.

Get it wrong and nothing that follows is accurate.

Image 3: Step 3 — Wait for the geometry to align.

Forty-seven minutes to acquisition of signal.

Transit 5B-5 is 13,641 km away. Elevation -81°. Deep below the horizon. Eclipsed.

The red dotted line shows the incoming trajectory. Gpredict is computing the pass in real time. IntSpired is locked as the ground station and waiting.

This is the part nobody posts.

The prediction phase.

Knowing exactly when and where to look before anything appears.

That discipline is the skill. The SDR is just the receiver.

Image 4: Step 4 — Acquisition.

There it is.

Elevation 25.77°. Slant range 1,988 km.

Transit 5B-5 is inside IntSpired’s footprint on the map, the two points almost touching over the North Atlantic.

Doppler is at -362 Hz. The sign has already flipped, which means closest approach has passed and the satellite is now receding.

That zero-crossing happened live during the pass as the frequency shifted through zero.

That is observable proof of a real pass, not just a prediction on a screen.

Signal loss: 138.37 dB.
Orbit: 4108.
Observed from Cornwall with one dipole and one SDR.

Why this matters

Transit 5B-5 has no active operators. No mission control. No one managing it.

Its batteries failed decades ago. It appears to run directly from degraded solar cells. When it enters Earth’s shadow, the transmitter can drop within seconds. When sunlight returns, it recovers and transmits again.

It has continued doing this for more than 60 years because nobody can tell it to stop.

That is unmanaged RF exposure at the extreme end of the scale.

A signal crossing the sky that no one controls, few people monitor, and almost no one knows is there.

The workflow this morning was simple:

Gpredict.
One dipole.
One RTL-SDR.
One computer.

Nothing exotic.

The barrier to observing signals people assume are invisible is lower than most organisations think.

RF awareness is not only for signals intelligence units. It is a methodology.

It is knowing what is above your horizon, when it is there, and what it is transmitting.

That is our baseline.

Your adversary can do the same.

Watch the full pass

Countdown to AOS, acquisition, peak elevation and LOS — the complete observation recorded live from IntSpired, Cornwall:

tiktok.com

IntSpired® | Offensive Cyber & Wireless Security | UK

We test your defences the way adversaries would, under formal authorisation, to uncover what is actually exploitable.

intspired.co.uk

Hardware Not Required: WebSDR and the Open RF Layer

IntSpired® — Mon, 25 May 2026 09:33:04 +0000

Anyone with a browser can access live radio spectrum from receivers around the world.

No SDR dongle. No antenna. No local setup. Just a browser and an internet connection.

The WebSDR project began at the University of Twente in 2007. Since then, browser-based RF access has become widely available, with public receivers covering different countries, bands and antenna sites.

Examples of WebSDR in Use

Image 1: The public WebSDR directory, showing receivers across Europe with their own locations, antennas and frequency ranges.

Image 2: Qatar-OSCAR 100 at Goonhilly Earth Station, Cornwall. Live satellite RF from Es’hail-2, streamed through a browser.

Image 3: Hack Green, Cheshire. A former Cold War nuclear bunker, still transmitting.

What a waterfall reveals

Not every signal tells a story. Much of what appears on a waterfall is simply evidence of a transmission, on a frequency, at a point in time.

Where signals are left open or technically decodable, SDR tools can reveal more.

Frequency use. Timing. Signal type. Volume.

On their own, these details may look minor. Combined over time, they can reveal routines, system behaviour and operational change.

The layer most organisations do not monitor

Many organisations rely on wireless systems for communications, access control, logistics and safety. Few monitor the RF environment around them.

The assumption is often that signals disappear into noise and go unnoticed.

They do not.

WebSDR makes passive RF observation accessible. With the right receiver, antenna, band coverage and propagation conditions, a signal may be observable well beyond the site that transmitted it.

The RF layer should not be assumed private by default. It is a layer many security teams have not yet thought to look at.

If a signal is transmitted, it may be observable.

The RF layer is not invisible.

See for yourself: websdr.org

IntSpired® | Offensive Cyber & Wireless Security | UK

We test your defences the way adversaries would, under formal authorisation, to uncover what is actually exploitable.

intspired.co.uk

Satellite Signals Are Easier to Observe Than Many Realise

IntSpired® — Thu, 21 May 2026 17:31:34 +0000

Satellite communications underpin much of the world’s connectivity.

Recent research, including a 2025 academic study, has shown that some GEO satellite links still carry clear-text IP traffic, exposing voice calls, SMS messages and operational data.

These systems support cellular networks, aviation, maritime operations and remote infrastructure across vast regions.

When transmissions are not properly encrypted, sensitive information can become observable to anyone capable of monitoring the RF spectrum.

Satellite Signal Observation

Image 1: SDR monitoring setup used to observe satellite activity in real time.

Image 2: Signal activity captured during a satellite pass, visible in the spectrum waterfall.

Much of this activity sits in a layer many organisations rarely monitor: the RF signals their systems depend on.

As reliance on wireless and satellite-connected systems grows, understanding how signals behave across this space becomes increasingly important for modern security, resilience and intelligence work.

At IntSpired, we analyse signal environments like these to help identify emerging exposure risks before they become operational problems.

Research paper:
https://satcom.sysnet.ucsd.edu/docs/dontlookup_ccs25_fullpaper.pdf

INTSPIRED®
OFFENSIVE BY DESIGN. INTELLIGENT BY NATURE.

IntSpired® | Offensive Cyber & Wireless Security | UK

We test your defences the way adversaries would, under formal authorisation, to uncover what is actually exploitable.

intspired.co.uk

Bluetooth Exposure – Part 3

IntSpired® — Tue, 19 May 2026 05:53:20 +0000

The Silent Signals You Never Realise You’re Broadcasting

Long before digital navigation, reconnaissance teams relied on fieldcraft. Location was confirmed through resection: bearings plotted against known landmarks to determine position with precision.

Today, devices perform those bearings automatically.

Image 1: illustrates the shift from traditional navigation to Wi-Fi probing and finally to BLE mesh networks that quietly map presence and proximity through everyday devices.

Modern phones broadcast continuously. Wi-Fi probes and Bluetooth Low Energy (BLE) signals reveal device presence the moment a device wakes, often long before any connection is made.

BLE takes this further

Major technology ecosystems operate large-scale BLE mesh frameworks embedded into consumer devices. Phones, watches, earbuds, vehicles, trackers, and IoT products emit low-power beacons every few seconds. Nearby devices receive and relay them, extending the mesh.

The result is ambient visibility.

Image 2: shows two BLE detection interfaces side by side. Together, they demonstrate how BLE broadcasts can be observed externally and used to assess presence, proximity, and movement patterns.

No pairing.
No password.
No exploitation.

This is simply how BLE operates.

Over time, broadcast patterns can reveal behavioural rhythm: arrival times, devices that move together, and devices that separate. The exposure is not technical compromise, it is ambient metadata.

The same radio landscape that exposes also protects.

Understanding your own emissions helps identify anomalies, detect unknown trackers, and recognise unusual activity in your environment.

A simple starting point:
• Disable Bluetooth when not required
• Review device privacy settings
• Understand what your devices broadcast by default

In a shared spectrum world, awareness is no longer optional.

If you do not understand your own emissions, someone else eventually will.

@intspired® - Protecting your brand, your business, and your operations.

IntSpired® | Offensive Cyber & Wireless Security | UK

We test your defences the way adversaries would, under formal authorisation, to uncover what is actually exploitable.

intspired.co.uk

Bluetooth Exposure – Part 2

IntSpired® — Thu, 14 May 2026 07:11:07 +0000

Understanding BLE Through Simple Threat Modelling

Most people do not realise how much their devices broadcast. Constantly. Passively. Often in plaintext. BLE may be low power, but from an attacker’s perspective it is highly informative.

Last week we explored why Bluetooth remains an overlooked attack surface. This week we go deeper by applying simple threat modelling to show what an attacker actually sees and where the real exposures sit.

The Everyday BLE Ecosystem

This is the environment most people carry with them every day. A silent network of identifiers, telemetry and behavioural signals leaking into the air around you.

Image 1: BLE Device Ecosystem.

Smartwatch (Peripheral) Continuously advertises identifiers, sensor values, motion events and sync activity. This alone is enough to build behavioural profiles.

Bluetooth Earbuds (Peripheral) Many models broadcast even while inside the charging case. They reveal identifiers, battery levels and reconnection attempts. This exposes presence, movement and proximity.

Smart Lock (Peripheral) Reveals device type, activity timing, connection attempts and lock state patterns.

Smartphone (Central) Acts as the BLE hub. Constant scanning, pairing, reconnecting and exchanging data through OS services and installed apps.
Cloud Services Telemetry, identifiers and behavioural analytics flow upstream from associated apps. Once correlated, this becomes highly identifiable and highly valuable.

Why this ecosystem creates risk
Attackers do not need pairing. They do not need exploits. They only need to listen.

Image 2: shows the full 2.4 gigahertz environment: channel spikes, BLE bursts and hopping patterns, revealing activity density and where signals originate.

Image 3: illustrates live BLE MAC addresses, advertising data, service identifiers and device presence in real time. This allows attackers to map devices, movement patterns, proximity and relationships.

Image 4: password sent from phone, intercepted via BLE UART, captured by Nordic Sniffer, shown in plaintext in Wireshark.

This is BLE without encryption or authentication. And many consumer IoT devices still work exactly like this.

Plaintext BLE write operations may include: • passwords • PIN codes • actuator commands such as unlock or open • configuration values • sensor and status payloads

If it is unencrypted, anyone in range can intercept it.

Key Takeaway

If a BLE device does not enforce encryption and authenticated pairing, everything it transmits is visible and can be captured by anyone in range.

For red teams this is a powerful source of passive intelligence. For attackers it is trivial interception. For defenders it remains a major blind spot.

Next Week in Part 3

Part 1 explored why Bluetooth remains a high-value vector and how attackers use BLE at the reconnaissance stage.

Part 2 showed what an attacker can actually see, including live identifiers and plaintext BLE traffic.

Part 3 will move into the defensive and counter-surveillance side.

We will look at:

• Quick methods to reduce your BLE attack surface

• Surveillance and counter-surveillance considerations

• What attackers silently collect from BLE Radar-type tools • How to detect or disrupt unwanted BLE tracking

• How attackers use signal strength and directional antennas to track BLE devices in the real world

If you rely on BLE devices every day, Part 3 is the one you’ll want to read.

@intspired® - Protecting your brand, your business, and your operations.

IntSpired® | Offensive Cyber & Wireless Security | UK

We test your defences the way adversaries would, under formal authorisation, to uncover what is actually exploitable.

intspired.co.uk

Bluetooth Exposure – Part 1

IntSpired® — Sun, 10 May 2026 06:43:23 +0000

Real-World Weaknesses | Awareness Series: Part 1 of 3

Over the next few posts, I will explore the real cybersecurity risks behind Bluetooth and why individuals, homeowners and businesses routinely overlook this attack surface.

Bluetooth is often treated as harmless background technology. In reality, it can reveal device presence, proximity, movement patterns and, in some cases, weak implementation choices that increase exposure.

Classic Bluetooth vs BLE

Classic Bluetooth is typically used for audio devices and higher-bandwidth data transfer.

Bluetooth Low Energy, or BLE, is commonly used by beacons, trackers, wearables, IoT devices, smart locks and sensors.

Both operate in the crowded 2.4 GHz ISM band. Both can broadcast information into the surrounding environment. That means both can create exposure, often without the user realising.

Bluetooth Research Tools

Image 1: shows a selection of tools commonly used to explore Bluetooth and BLE weaknesses.

Highlighted is the Ubertooth One, a well-known device within the Bluetooth security research community. However, research and field experience show that it can be unreliable, and it is not usually the first tool I would reach for during practical assessments.

Bluetooth Exposure in the Real World

Image 2: demonstrates how easily freely available mobile apps can reveal Bluetooth devices nearby.

Many of these apps are designed for legitimate diagnostics and device management. However, they also show why individuals and organisations should take Bluetooth exposure seriously.

Even without specialist knowledge, it is possible to identify:

• Nearby devices currently broadcasting
• Devices left in discoverable or pairable modes
• Device names that unintentionally leak information
• Signal strength, or RSSI, which can indicate proximity
• Wearables, trackers, earbuds, speakers, locks and IoT equipment

Some devices may also accept a connection without being bonded or paired, allowing applications to read or write characteristics. This is not advanced exploitation. It is usually a sign of weak device security and poor implementation.

The same visibility that supports diagnostics can also allow environments to be passively mapped. Over time, this can reveal device presence, routines and behavioural patterns.

Despite this, Bluetooth exposure remains widely underestimated. In certain conditions, it can contribute to privacy compromise, tracking, surveillance, or become part of a broader attack chain.

Simple Defensive Step

Before going deeper into the series, one simple defensive step everyone should follow is:

Turn Bluetooth off when you are not using it.

This significantly reduces exposure and prevents your device from broadcasting unnecessarily.

What This Series Will Cover

This series will provide a high-level overview of:

• Why Bluetooth remains a valuable vector for threat actors
• How attackers use BLE during reconnaissance
• What nearby devices can reveal without pairing
• What your phone may broadcast without your knowledge
• Tools defenders should understand
• Quick ways to reduce Bluetooth exposure
• Surveillance and counter-surveillance considerations

Bluetooth may feel harmless, but it is not invisible. Most people have no idea how much they are broadcasting until it is demonstrated to them.

INTSPIRED® | Offensive by Design. Intelligent by Nature.

IntSpired® | Offensive Cyber & Wireless Security | UK

We test your defences the way adversaries would, under formal authorisation, to uncover what is actually exploitable.

intspired.co.uk

When a Radio Signal Stops a Train

IntSpired® — Thu, 07 May 2026 07:41:34 +0000

A Taiwan high-speed rail incident from earlier this week is a sharp reminder that RF security is not a niche issue. It is part of critical infrastructure resilience.

Image 1: Taiwan High Speed Rail — THSR 700T train on the Taipei–Kaohsiung line. Source: Wikimedia Commons

Reports confirm a university student used consumer-grade SDR equipment to intercept, decode and clone TETRA radio parameters, then triggered a General Alarm signal that brought four high-speed trains to an emergency stop for 48 minutes. A 23-year-old student has since been arrested and is currently out on bail.

The technical takeaway is clear. Parameters were cloned. Authentication was bypassed. And the equipment used was bought online.

Image 2: Seized equipment. Source: Taoyuan District Prosecutors Office via CNA/Newtalk, 2026. https://newtalk.tw/news/view/2026-04-30/1032591

What this incident tells us is not just that the system was vulnerable. It tells us that the vulnerability had likely existed for years, undetected and untested. A radio enthusiast with off-the-shelf equipment, no insider access, and no advanced technical background was able to clone operational parameters and trigger the highest-priority alert in a national rail network.

That is not a sophisticated attack. That is a gap that should have been identified in a security assessment long before it was exploited this way.

The questions every critical infrastructure operator should be asking right now are simple. When did you last rotate your radio parameters? Have you ever tested whether your authentication can be bypassed from outside the network? Do you have any detection capability for rogue transmissions? Do you know where a rogue signal is coming from and how fast you can locate it? And if someone triggered a false alarm today, would your response procedures hold up?

If any of those answers are uncertain, that is where to start.

What good RF security looks like in these environments is not complicated in principle, but it is rarely done well in practice. It means treating radio as an attack surface from day one. Regular parameter rotation. Strong authentication on every device. Encryption that is actually tested, not just assumed. Logging and alerting on anomalous transmissions. Direction-finding capability so you can locate a rogue signal when it appears. And response procedures that have actually been exercised, not just written down.

This is not about SDR being dangerous. SDR is a tool. The real issue is whether safety-critical communications have strong authentication, encryption, parameter rotation, logging, detection, direction-finding, and response processes around them.

For rail, ports, airports, utilities, emergency services and other critical environments, RF should be treated as an attack surface, not background noise.

Test it like it matters. Because it does.

Further insights - Taipei Times: https://www.taipeitimes.com/News/taiwan/archives/2026/05/05/2003856781
The Register: https://www.theregister.com/cyber-crime/2026/05/06/taiwan-student-pwns-rail-comms-halts-high-speed-trains/5230489
LinkedIn: https://www.linkedin.com/in/keith-intspired
IntSpired®: https://www.intspired.co.uk

Cover image: Handheld radios seized during the investigation. Source: CTWANT/Weekly King via PChome News. https://news.pchome.com.tw/society/crwant/20260501/index-77760091156668316002.html

Femtocell Security Risks: Why Legacy Devices Are Still a Threat

IntSpired® — Tue, 05 May 2026 07:23:17 +0000

Femtocells are low-power cellular base stations used in homes and small offices to improve indoor mobile coverage. They connect to the operator’s core network over broadband and broadcast a local cellular signal, typically covering 10 to 50 metres.

They operate within standard mobile infrastructure, using licensed spectrum such as:
• 3G UMTS bands (Band 1 2100 MHz in the UK)
• Some later units support LTE bands depending on deployment
Unlike signal boosters, femtocells do not amplify an existing signal. They create a new one, and devices will automatically connect if it presents the strongest signal.

Image 1: Legacy femtocell device originally deployed by mobile networks, now circulating in secondary markets despite being phased out.

The issue
Femtocells extend the cellular network directly into private environments.
• Traffic is routed through broadband
• Devices connect based on signal strength, not trust
• The cellular layer becomes localised and harder to monitor
This creates a gap between:
• What is visible on the IP network
• What is happening over the air interface
This is where visibility breaks.

Image 2: Femtocell architecture highlighting the visibility gap between IP network monitoring and the air interface.

How to identify them
Femtocells are not visible through traditional network scanning.
They are identified through signal behaviour.

Using mobile apps such as Network Cell Info Lite or NetMonster, look for:
• Very strong signal indoors
• Rapid signal drop when leaving the building
• Unusual or isolated Cell ID
• Cell location appearing extremely close or inaccurate
If the cell is not mapped, it may indicate a small cell or femtocell.

Image 3: Analysing cellular signals using Network Cell Info Lite (left) and CellMapper (right) to identify signal strength, band, and local cell infrastructure.
These are not just indicators. They reflect how femtocells operate at the network edge.

Security implications
While modern units are more secure, historically femtocells have presented:
• Firmware attack surface
• Potential interception if compromised
• Reliance on broadband
• Single operator dependency
They are trusted by design but deployed in uncontrolled environments.

Still in circulation
Consumer femtocells have been phased out in the UK following 3G shutdowns.
However:
• Legacy devices remain active
• Units are still being sold on secondary markets
• Small cell technology continues in enterprise environments

How to reduce risk
• Use Wi-Fi Calling instead of legacy femtocell hardware
• Avoid unsupported or second hand telecom devices
• Monitor RF environments in sensitive locations
• Validate unexpected strong indoor cellular signals
• Treat local cellular infrastructure as part of the attack surface

Takeaway
Femtocells highlight a fundamental issue.
Security monitoring focuses on networks and endpoints.
Cellular operates in RF. If you are not looking at the spectrum, you are not seeing the full environment.

For more insight on wireless weaknesses, visit intspired.co.uk/blog

INTSPIRED®
OFFENSIVE BY DESIGN. INTELLIGENT BY NATURE.

Accessible, Documented, and Off Most Security Radars

IntSpired® — Sun, 03 May 2026 10:26:47 +0000

Back in January, I wrote about how tools can be modified beyond their intended use. Not always with bad intent, but not always with good either. https://intspired.co.uk/blog/f/beyond-the-surface

Since then, a few things caught my attention. Unrelated on the surface, but all wireless, all open, and all sitting just outside where most security teams are looking.

A general-purpose device transmitting amateur radio

Image 1: Amateur Radio Meets General-Purpose Hardware (Flipper Zero APRS setup).

As a ham radio user, I came across a GitHub project by Richard YO3GND demonstrating a Flipper Zero transmitting APRS, a protocol typically associated with dedicated amateur radio equipment.

It's experimental. Imperfect. Not something you'd stake your comms on.

But that's not the point. The point is that a low cost, general-purpose device is now capable of emulating a specialised radio function simply by implementing the protocol in software. The hardware didn't change. The capability did.

Computer vision that sets up in minutes

Image 2: Real-Time Face Detection Using OpenCV — Accessible Computer Vision in Practice.

Computer vision tools and the development solutions that support them aren't new. What's changed is the accessibility. Detection capability is no longer the barrier. Frameworks have been simplified to the point where a working setup can be running in minutes, on commodity hardware.

The specialisation required has dropped dramatically. The output hasn't.

Passive detection at scale

Image 3: From Detection Hardware to Crowdsourced Surveillance — Seeed Studio XIAO ESP32S3 and DeFlock Maps.

Tools like OUI-SPY, built on hardware such as the Seeed Studio XIAO ESP32S3, can passively detect nearby Bluetooth and BLE broadcasts, flag recognised identifiers, and alert on known signal patterns without active probing. These tools aren't single-purpose, and the same understanding that enables detection can be used to avoid it.

What happens when that detection is contributed at scale is a different question entirely. Platforms like DeFlock Maps illustrate it clearly. A crowdsourced ALPR surveillance map, DeFlock currently shows over 75,000 cameras in view across the US alone. Individual observations, aggregated, become infrastructure-level intelligence.

Transmit. See. Detect. Three capabilities, three communities, all moving in the same direction: accessible, affordable, and functional enough to matter. Not theory. Right now.

Why security teams should care
Most of these developments aren't appearing in threat intelligence feeds. They're appearing in radio groups, maker communities, and computer vision forums. The people building them aren't adversaries. They're curious, technically capable, and sharing their work openly.

That openness is exactly what makes it relevant. Capability that's documented, reproducible, and discussable in public is already in play. The gap between innovation and risk is narrower than most organisations assume.

Awareness won't close that gap. But without it, you won't even know it exists.

If it's there, it's observable.

INTSPIRED®
Offensive by design. Intelligent by nature

IMSI Catchers Don’t Break Encryption — They Exploit the Network

IntSpired® — Fri, 01 May 2026 16:25:51 +0000

Most mobile devices will connect to any base station that appears legitimate.

That behaviour is what makes IMSI catchers possible.

Mobile devices use International Mobile Subscriber Identifiers (IMSI) to authenticate and communicate across cellular networks. IMSI catchers exploit this by impersonating legitimate base stations, causing nearby phones to connect to them instead of the real network.

In doing so, they collect SIM and device identifiers (such as IMSI or IMEI), along with signalling metadata that can be used to estimate presence and rough location. This does not require breaking applications or accessing encrypted content. It relies entirely on standard network behaviour.

These techniques exploit trust within the network itself, sometimes forcing devices onto older or less secure protocols. Although heavily regulated and detectable, their effectiveness highlights how much signalling information mobile networks already expose by design.

What to keep in mind when interpreting this data

Mobile network data reflects connectivity, not people. It describes devices and sessions, not identity or human behaviour.
Convenience signals are often over-trusted. Networks prioritise availability and usability, not verification or assurance.
Risk increases in sensitive contexts. Meetings, travel, and safety-critical situations raise the cost of misinterpretation.
Continuous connectivity is not always necessary. Many activities do not require phones to remain connected at all times.
Decisions are more reliable when they do not depend entirely on phone location or connectivity data.

Illustrative examples of GSM signalling exposure

Image 1: GSM Downlink Signal Activity.
Live cellular spectrum showing active network presence within range.

Image 2: GSM Signalling Metadata.
Decoded broadcast data showing network identifiers and signalling information transmitted continuously by the network.

Image 3: Associated GSM Data Exposure.
Structured dataset linking identifiers (IMSI/TMSI) with network parameters and timestamps, enabling pattern and presence analysis over time.

Final point

This isn’t about breaking encryption or accessing content. It’s about what is already exposed through normal network operation.

Understanding the signal is one thing. Interpreting the risk is another.

If it’s there, it’s observable.

INTSPIRED®
OFFENSIVE BY DESIGN. INTELLIGENT BY NATURE.

Stay informed.

RF Intelligence: The Attack Surface Your SIEM Can't See

IntSpired® — Thu, 30 Apr 2026 08:14:31 +0000

RF signals don’t appear in logs.

They pass through walls, bypass controls, and leave no trace.

This article shows how RF activity can be detected and analysed outside of traditional security controls using a GNU Radio setup with a HackRF One.

Most organisations monitor their networks extensively. Firewalls, SIEM platforms, EDR tools and intrusion detection systems continuously observe the digital perimeter. However, one attack surface is rarely monitored: the radio frequency spectrum inside the physical environment.

A compromised device transmitting over RF, a covert hardware implant beaconing on a schedule, or a receiver positioned just outside a facility will not appear in traditional monitoring systems.

If RF is not being monitored, there is a blind spot.

What This Setup Provides

• Wideband RF monitoring across the local environment
• Identification of signal frequencies and behaviour
• Power measurement for consistent analysis
• Detection and investigation of unusual transmissions

RF Anomaly Detection Interface

The setup uses a dual-panel interface for monitoring and inspection.

The left panel provides wideband visibility across the monitored spectrum, allowing all active signals to be seen at a glance.

The right panel provides focused inspection. Any signal identified in the wideband view can be selected and analysed in more detail, including centre frequency, bandwidth, signal structure and power relative to the noise floor.

This creates a simple workflow: detect across the spectrum, then isolate and investigate.

Real Signal Detection

Image 1: Wideband spectrum (left) and selected signal (right). A narrowband signal at 440 MHz is highlighted for closer inspection.

Signal 1 — 440.000 MHz

This frequency sits outside the 433 MHz ISM allocation and within the 70 centimetre amateur radio band, subject to verification of local licensed activity.

This is where RF monitoring moves into analysis.

Key questions include whether the transmission is expected in the environment, whether there is a known licensed source, whether the signal aligns with known device behaviour, and whether it could represent unauthorised or anomalous activity.

Initial capture indicated a strong local transmission. After gain adjustment, the signal resolved at approximately -72 dBFS, with a noise floor around -88 dBFS.

No immediate indication of malicious behaviour was observed during initial analysis. However, the same process would apply when assessing unauthorised or covert transmissions.

Image 2: Narrowband RF signal at 433 MHz observed during monitoring.

Signal 2 — 433.000 MHz

A second signal was observed, consistent with strong local transmission relative to the observed noise floor.

This aligns with expected ISM band activity such as sensors, weather stations and consumer wireless devices, and was treated as part of the baseline RF environment.

Engineering the Setup

Image 3: GNU Radio flowgraph developed for RF signal processing.

The underlying processing is implemented in GNU Radio Companion on DragonOS, using a HackRF One with a Diamond SRH789 antenna.

Raw IQ data is captured from the HackRF and processed through an FFT-based processing chain.

A 4096-point FFT converts the signal into the frequency domain, with Blackman-Harris windowing used to improve visibility of weaker signals near stronger ones.

Signal power is calculated using magnitude squared conversion and normalised into dBFS, allowing measurements to be compared consistently.

The system runs at a 20 Msps sample rate, covering roughly 20 MHz of bandwidth from 423 MHz to 443 MHz.

This allows signals to be detected and analysed clearly rather than just observed.

RF Detection Compared to Traditional Sweepers

Traditional RF sweepers indicate the presence of a signal but provide limited detail.

This setup allows signals to be identified by frequency, measured, visualised across the spectrum and analysed in context.

Rather than simply detecting activity, it makes it possible to assess whether a signal is expected or unusual.

This distinction is what separates intelligence from detection.

Why RF Monitoring Matters

Most security programmes focus on networks, applications and endpoints.

RF is rarely included, which creates an opportunity for activity that does not generate logs or alerts.

Data can be transmitted out of a secure environment without touching the network. Devices can operate silently over RF for long periods.

Signals can exist outside commonly monitored bands such as WiFi and Bluetooth.

The RF environment inside a facility is an attack surface that traditional monitoring does not cover.

Field Collection Capability

For on-site work away from the DragonOS setup, a PortaPack HM4 with an integrated HackRF One can be used for standalone field capture.

This allows RF data to be collected without a laptop and stored for later analysis.

Captured data can then be replayed through the same processing setup, keeping analysis consistent between live monitoring and post-capture review.

Future Development

The current setup provides monitoring, detection and basic analysis.

Future work will focus on building a baseline of expected RF activity and identifying deviations over time.

This would allow more structured detection of unusual or unexpected signals.

If RF is not part of your security approach, it is worth considering.

For organisations looking to better understand RF exposure and wireless risk, assessment beyond traditional controls may be required.

Contact:
info@intspired.co.uk
https://intspired.co.uk

IntSpired®
Offensive by Design. Intelligent by Nature.