DEV Community: IntSpired®

IMSI Catchers Don’t Break Encryption — They Exploit the Network

IntSpired® — Fri, 01 May 2026 16:25:51 +0000

Most mobile devices will connect to any base station that appears legitimate.

That behaviour is what makes IMSI catchers possible.

Mobile devices use International Mobile Subscriber Identifiers (IMSI) to authenticate and communicate across cellular networks. IMSI catchers exploit this by impersonating legitimate base stations, causing nearby phones to connect to them instead of the real network.

In doing so, they collect SIM and device identifiers (such as IMSI or IMEI), along with signalling metadata that can be used to estimate presence and rough location. This does not require breaking applications or accessing encrypted content. It relies entirely on standard network behaviour.

These techniques exploit trust within the network itself, sometimes forcing devices onto older or less secure protocols. Although heavily regulated and detectable, their effectiveness highlights how much signalling information mobile networks already expose by design.

What to keep in mind when interpreting this data

Mobile network data reflects connectivity, not people. It describes devices and sessions, not identity or human behaviour.
Convenience signals are often over-trusted. Networks prioritise availability and usability, not verification or assurance.
Risk increases in sensitive contexts. Meetings, travel, and safety-critical situations raise the cost of misinterpretation.
Continuous connectivity is not always necessary. Many activities do not require phones to remain connected at all times.
Decisions are more reliable when they do not depend entirely on phone location or connectivity data.

Illustrative examples of GSM signalling exposure

Image 1: GSM Downlink Signal Activity.
Live cellular spectrum showing active network presence within range.

Image 2: GSM Signalling Metadata.
Decoded broadcast data showing network identifiers and signalling information transmitted continuously by the network.

Image 3: Associated GSM Data Exposure.
Structured dataset linking identifiers (IMSI/TMSI) with network parameters and timestamps, enabling pattern and presence analysis over time.

Final point

This isn’t about breaking encryption or accessing content. It’s about what is already exposed through normal network operation.

Understanding the signal is one thing. Interpreting the risk is another.

If it’s there, it’s observable.

INTSPIRED®
OFFENSIVE BY DESIGN. INTELLIGENT BY NATURE.

Stay informed.

RF Intelligence: The Attack Surface Your SIEM Can't See

IntSpired® — Thu, 30 Apr 2026 08:14:31 +0000

RF signals don’t appear in logs.

They pass through walls, bypass controls, and leave no trace.

This article shows how RF activity can be detected and analysed outside of traditional security controls using a GNU Radio setup with a HackRF One.

Most organisations monitor their networks extensively. Firewalls, SIEM platforms, EDR tools and intrusion detection systems continuously observe the digital perimeter. However, one attack surface is rarely monitored: the radio frequency spectrum inside the physical environment.

A compromised device transmitting over RF, a covert hardware implant beaconing on a schedule, or a receiver positioned just outside a facility will not appear in traditional monitoring systems.

If RF is not being monitored, there is a blind spot.

What This Setup Provides

• Wideband RF monitoring across the local environment
• Identification of signal frequencies and behaviour
• Power measurement for consistent analysis
• Detection and investigation of unusual transmissions

RF Anomaly Detection Interface

The setup uses a dual-panel interface for monitoring and inspection.

The left panel provides wideband visibility across the monitored spectrum, allowing all active signals to be seen at a glance.

The right panel provides focused inspection. Any signal identified in the wideband view can be selected and analysed in more detail, including centre frequency, bandwidth, signal structure and power relative to the noise floor.

This creates a simple workflow: detect across the spectrum, then isolate and investigate.

Real Signal Detection

Image 1: Wideband spectrum (left) and selected signal (right). A narrowband signal at 440 MHz is highlighted for closer inspection.

Signal 1 — 440.000 MHz

This frequency sits outside the 433 MHz ISM allocation and within the 70 centimetre amateur radio band, subject to verification of local licensed activity.

This is where RF monitoring moves into analysis.

Key questions include whether the transmission is expected in the environment, whether there is a known licensed source, whether the signal aligns with known device behaviour, and whether it could represent unauthorised or anomalous activity.

Initial capture indicated a strong local transmission. After gain adjustment, the signal resolved at approximately -72 dBFS, with a noise floor around -88 dBFS.

No immediate indication of malicious behaviour was observed during initial analysis. However, the same process would apply when assessing unauthorised or covert transmissions.

Image 2: Narrowband RF signal at 433 MHz observed during monitoring.

Signal 2 — 433.000 MHz

A second signal was observed, consistent with strong local transmission relative to the observed noise floor.

This aligns with expected ISM band activity such as sensors, weather stations and consumer wireless devices, and was treated as part of the baseline RF environment.

Engineering the Setup

Image 3: GNU Radio flowgraph developed for RF signal processing.

The underlying processing is implemented in GNU Radio Companion on DragonOS, using a HackRF One with a Diamond SRH789 antenna.

Raw IQ data is captured from the HackRF and processed through an FFT-based processing chain.

A 4096-point FFT converts the signal into the frequency domain, with Blackman-Harris windowing used to improve visibility of weaker signals near stronger ones.

Signal power is calculated using magnitude squared conversion and normalised into dBFS, allowing measurements to be compared consistently.

The system runs at a 20 Msps sample rate, covering roughly 20 MHz of bandwidth from 423 MHz to 443 MHz.

This allows signals to be detected and analysed clearly rather than just observed.

RF Detection Compared to Traditional Sweepers

Traditional RF sweepers indicate the presence of a signal but provide limited detail.

This setup allows signals to be identified by frequency, measured, visualised across the spectrum and analysed in context.

Rather than simply detecting activity, it makes it possible to assess whether a signal is expected or unusual.

This distinction is what separates intelligence from detection.

Why RF Monitoring Matters

Most security programmes focus on networks, applications and endpoints.

RF is rarely included, which creates an opportunity for activity that does not generate logs or alerts.

Data can be transmitted out of a secure environment without touching the network. Devices can operate silently over RF for long periods.

Signals can exist outside commonly monitored bands such as WiFi and Bluetooth.

The RF environment inside a facility is an attack surface that traditional monitoring does not cover.

Field Collection Capability

For on-site work away from the DragonOS setup, a PortaPack HM4 with an integrated HackRF One can be used for standalone field capture.

This allows RF data to be collected without a laptop and stored for later analysis.

Captured data can then be replayed through the same processing setup, keeping analysis consistent between live monitoring and post-capture review.

Future Development

The current setup provides monitoring, detection and basic analysis.

Future work will focus on building a baseline of expected RF activity and identifying deviations over time.

This would allow more structured detection of unusual or unexpected signals.

If RF is not part of your security approach, it is worth considering.

For organisations looking to better understand RF exposure and wireless risk, assessment beyond traditional controls may be required.

Contact:
info@intspired.co.uk
https://intspired.co.uk

IntSpired®
Offensive by Design. Intelligent by Nature.

RF Exposure via Digital Speech Decoders

IntSpired® — Mon, 27 Apr 2026 06:41:45 +0000

This post is intended to raise awareness of RF exposure and visibility, not to promote or enable misuse.

Software-defined radio is a genuine intelligence capability when used correctly.

With tools like DSDPlus and low-cost SDR hardware, monitoring and interpreting unencrypted digital radio systems is now widely accessible across the UK and internationally.

What was once specialist capability is now accessible with minimal experience.

Image 1: UHF Spectrum Survey — Automated Scanning Across Active Frequencies.

In practice, exposure goes beyond audio. It reveals talkgroup activity, device presence, and communication patterns over time.

Image 2: Real-Time Group Call Decoded — Radio ID Automatically Identified by DSDPlus.

The UK RF Reality

In the UK, the most relevant and observable systems include:

• DMR (Digital Mobile Radio) — widely used across security, logistics, construction, events, and commercial operations

• NXDN and digital PMR networks — used across rail, industrial environments, and private deployments

• Amateur digital voice systems — active, open, and often overlooked

Public safety communications operate on Airwave (TETRA). The long-delayed transition to the Emergency Services Network (ESN) continues, with full migration still incomplete. While Airwave is designed with strong encryption, RF systems are only as secure as their configuration and operational use, and exposure is more commonly observed across less protected commercial systems.

Global Context

Across other regions, the landscape shifts:

• P25 Phase 1 & 2 — widely used for public safety in the United States, Canada, and Australia

• DMR and NXDN — widely deployed across commercial and private networks in Europe and parts of Asia

What’s observable depends on the local RF environment.

What Actually Matters

This is not about listening. It is about exposure.

Whether in the public or private sector, unencrypted RF communications create a layer of visibility that is often overlooked.

Even without focusing on voice, consistent monitoring allows patterns to be built around:

• Talkgroup usage and communication structures
• Device activity and presence over time
• Shifts in operational tempo
• Encrypted versus unencrypted behaviour

These insights are not provided directly by the tools. They emerge through analysis of what is already being transmitted in the clear.

IntSpired Assessment

As technology and threat actor capability evolve, RF is no longer just radio. It is an intelligence layer, and one that can be used against you.

Most organisations focus on securing networks, not what those networks transmit.

If it is transmitting, it is detectable, analysable, and increasingly accessible to those who know where to look.

Codename: TEMPEST — The real magnitude of an 80-year-old threat

IntSpired® — Fri, 24 Apr 2026 07:30:02 +0000

Most security focuses on networks and endpoints.
Very little attention is given to what devices emit into the physical environment.

This isn’t a dormant risk. It’s an unaddressed one.

In March 2026, U.S. lawmakers formally requested a renewed investigation into TEMPEST-related threats, citing:
• Lack of public awareness
• Absence of modern regulatory requirements for consumer devices
• Potential exploitation by criminals, private investigators, and non-state actors
Image 1: Extract from Congressional letter (March 4, 2026) describing TEMPEST as a “serious national security threat”.

The request highlights a critical point:
The U.S. government has not conducted a follow-up review of this threat since 1986, despite the risk being known for over 80 years.
The accompanying Congressional Research Service memorandum reinforces this, outlining:
• The ability to reconstruct data from electromagnetic, acoustic, and RF emissions
• That these techniques have been repeatedly rediscovered in academic research
• That the equipment required to observe these emissions is now easily obtainable

What TEMPEST is
TEMPEST refers to the unintentional electromagnetic emissions generated by electronic devices during operation.

These emissions are not just noise.
They can carry structured information.

Under the right conditions, it is sometimes possible to reconstruct elements of what a system is processing, including screen content, signals, or data flows, from emitted RF energy.

This is a physical side-channel. It exists whether it is monitored or not.

Image 2: Simulated TEMPEST reconstruction using GNU Radio (gr-tempest open-source implementation)

The setup
From a practical standpoint, observing these emissions does not require exotic infrastructure.

A typical research setup may include:
• Software-defined radio platforms (e.g. HackRF class devices)
• Near-field or directional antennas
• Signal processing via tools such as GNU Radio

With correct tuning and filtering, emissions from monitors, video cables, power lines, and internal components can be captured and analysed.

Importantly:
No network interaction is required.
No system access is required.
This is passive collection from the electromagnetic environment.

Beyond policy and classification, the underlying reality is simpler:
TEMPEST is often framed within classified programmes, hardened environments, and military-grade shielding.

What determines the risk are three factors:
• how detectable the emissions are
• how far they travel
• how much information they expose
This shifts TEMPEST from a classified concern to a physical reality with direct operational implications.

What the documents explicitly confirm
The CRS memo is very direct about how this works in practice:
• Acoustic — keystrokes can be derived from recorded typing sounds
• RF — emissions may be observable at distance under favourable conditions
• Electromagnetic — signals generated by internal currents can be measured and analysed
It also confirms something often missed:
These attacks rely on observing unintended signals generated during operation.

What has not changed
The same memorandum highlights a structural gap:
• No uniform TEMPEST mitigation policy across U.S. government systems
• No requirement for consumer device manufacturers to implement countermeasures
• Limited public guidance despite long-standing awareness
At the same time:
• Techniques have been publicly demonstrated (2009–2022 research examples)
• Methods now fall under what is broadly called side-channel attacks
• The barrier to entry is no longer restricted to state actors

Threat level — low, but specific
For most organisations, TEMPEST does not present an immediate or scalable risk.
Constraints remain significant:
• Effective range is limited
• Signal clarity degrades rapidly
• Environmental RF noise introduces distortion
• Skill and interpretation barriers are non-trivial

However, context matters.
In environments where:
• systems are air-gapped
• data sensitivity is high
• physical proximity can be achieved
TEMPEST becomes a relevant niche collection method.
Not widespread.
But not theoretical.

Closing note
Most organisations monitor networks, endpoints, and cloud environments.
Very few consider what their systems emit into the physical environment.

INTSPIRED®
OFFENSIVE BY DESIGN. INTELLIGENT BY NATURE.

Full references and further detail available in the article.

• U.S. Congressional letter (March 2026)
https://www.wyden.senate.gov/imo/media/doc/wyden_gao_tempest_letter.pdf

• Congressional Research Service memorandum
https://www.wyden.senate.gov/imo/media/doc/memo_-_tempest.pdf

• GNU Radio TEMPEST implementation (gr-tempest)
https://github.com/git-artes/gr-tempest

Wi-Fi Hacking Hype vs Reality

IntSpired® — Thu, 23 Apr 2026 07:00:46 +0000

There is constant noise around “new” Wi-Fi hacking tools and techniques.

Established reconnaissance platforms are presented as breakthrough capabilities.
Handshake capture devices are often interpreted as automatically retrieving passwords.
Deauthentication attacks are portrayed as systemic compromise events.

Much of this reflects misunderstanding rather than cryptographic reality.

To reset the narrative, we must separate RF visibility from real compromise and examine the capabilities and limitations of a select set of commonly referenced tools.

Sparrow WiFi: An Example of Wireless Reconnaissance and Telemetry Analysis

Image 1: Sparrow WiFi interface displaying wireless network discovery, signal strength telemetry, and channel utilisation across 2.4 GHz and 5 GHz bands.

Sparrow WiFi is one example of a wireless reconnaissance and telemetry analysis tool used for site surveys and RF assessment.

Tools in this category provide:

• Network discovery
• Signal strength analysis
• Channel utilisation metrics
• Security mode identification
• GPS telemetry
• SSID and BSSID mapping

Their purpose is RF visibility and environmental analysis.
They do not perform cryptographic attacks, bypass WPA3, or recover passwords.

RF visibility does not by itself constitute network compromise.

Pwnagotchi and “Password Catching

Image 2: Captured WPA/WPA2 handshake packet files (.pcap) prepared for offline analysis in a controlled lab environment.

Pwnagotchi automates the capture of WPA/WPA2 4-way authentication handshakes when a client associates with a network.

It does not capture plaintext passwords.

A captured handshake only enables offline password testing; it does not reveal the network key unless the passphrase can be correctly guessed.

Recovering a passphrase therefore requires testing candidate passwords against authentication material derived from the 4-way handshake. Common approaches include:

• GPU-accelerated password guessing
• Dictionary attacks
• Rule-based mutations
• Hybrid attacks
• Testing known breached credentials

There is currently no known practical method to directly decrypt traffic from properly configured WPA2-AES or WPA3-SAE networks without knowledge of the network credential.

This process does not break AES encryption. It simply tests candidate passwords against the captured handshake. If the passphrase is long, unique, and high entropy, the attack fails.

Strong credential hygiene defeats this class of attack.

Deauthentication Attacks Do Not Break Encryption

Deauthentication attacks:

• Force clients to disconnect
• Trigger reauthentication attempts
• May enable handshake capture in certain scenarios

They do not:

• Reveal passwords
• Decrypt traffic
• Break AES encryption

Deauthentication is a disruption technique, not a cryptographic attack.

Networks using Management Frame Protection, defined in IEEE 802.11w, significantly reduce exposure to spoofed deauthentication and disassociation frames.

Even without Management Frame Protection, deauthentication creates an opportunity for capture, not automatic compromise.

Rainbow Tables and “Decryption” Claims

Rainbow tables are precomputed lookup tables used to reverse hashes.

In modern wireless assessments, they are rarely the primary method.

In WPA2-PSK, the SSID is used as the salt in the PBKDF2 key derivation process. This means rainbow tables must be generated for a specific network name, which significantly limits practicality.

In real-world assessments, GPU-accelerated offline password guessing is still far more common than maintaining large precomputed rainbow tables.

Rainbow tables are effective only when:

• Passwords are short
• Passwords are common
• Credentials are reused
• The SSID is predictable and widely reused

They do not defeat strong, high-entropy passphrases.

There is no practical real-time decryption of properly configured WPA3-SAE networks.

AirSnitch and Client Isolation Research

Research such as AirSnitch highlights weaknesses in certain implementations of client isolation on consumer routers.

This is valuable work.

However, it demonstrates configuration and architectural flaws in specific devices. It does not represent a universal break of Wi-Fi encryption.

The issue is implementation, not cryptography.

Channel Hopping: What It Actually Means

Channel hopping is a scanning technique in which a wireless adapter cycles through Wi-Fi channels to observe activity.

It does not refer to an access point changing its operating channel, which may occur automatically due to interference or optimisation policies.

It is also different from client roaming, where a device reassociates between access points or frequency bands.

Because a single wireless radio can observe only one channel at a time, scanning tools rotate across channels to build broader visibility. Multi-radio monitoring systems can observe multiple channels simultaneously.

This behaviour is common in:

• Passive scanning
• Wireless intrusion detection systems
• Spectrum analysis
• Site surveys
• Security research

The same physical limitation applies to attackers. To transmit deauthentication frames or conduct other active attacks, the radio must be tuned to the target’s channel. A single radio cannot transmit on multiple channels simultaneously.

Channel hopping does not:

• Bypass encryption
• Defeat WPA2-AES
• Defeat WPA3-SAE
• Decrypt traffic
• Grant network access

It increases visibility. It does not create compromise.

Where Wi-Fi Actually Fails

Wi-Fi compromise rarely occurs because encryption is broken. It more often results from operational and configuration weaknesses, including:

• Weak or predictable passphrases
• Reused credentials across networks or services
• WPS enabled
• Misconfigured wireless security settings
• Flat network architecture with no segmentation
• Poor monitoring or visibility of wireless activity
• Exposed internal services accessible from the network
• Weak authentication controls once network access is obtained
• Unpatched access points or outdated firmware

Once network access is gained, attackers often move laterally within the environment. The access point is rarely the final objective.

Final Point
When modern Wi-Fi is properly configured, including:

• WPA2-AES with strong, unique passphrases
• WPA3-SAE
• Management Frame Protection enabled (802.11w / PMF)
• WPS disabled

there is currently no known practical method for directly breaking the encryption in real-world conditions.

Modern Wi-Fi cryptography is rarely the weak link. Configuration and operational discipline are.

INTSPIRED®
Offensive by Design. Intelligent by Nature.

Home

We apply intelligence-led methods to identify cyber and wireless risks before they can be exploited.

intspired.co.uk