IntSpired®

RF Intelligence: The Attack Surface Your SIEM Can't See

RF signals don’t appear in logs.

They pass through walls, bypass controls, and leave no trace.

This article shows how RF activity can be detected and analysed outside of traditional security controls using a GNU Radio setup with a HackRF One.

Most organisations monitor their networks extensively. Firewalls, SIEM platforms, EDR tools and intrusion detection systems continuously observe the digital perimeter. However, one attack surface is rarely monitored: the radio frequency spectrum inside the physical environment.

A compromised device transmitting over RF, a covert hardware implant beaconing on a schedule, or a receiver positioned just outside a facility will not appear in traditional monitoring systems.

If RF is not being monitored, there is a blind spot.

What This Setup Provides

• Wideband RF monitoring across the local environment
• Identification of signal frequencies and behaviour
• Power measurement for consistent analysis
• Detection and investigation of unusual transmissions

RF Anomaly Detection Interface

The setup uses a dual-panel interface for monitoring and inspection.

The left panel provides wideband visibility across the monitored spectrum, allowing all active signals to be seen at a glance.

The right panel provides focused inspection. Any signal identified in the wideband view can be selected and analysed in more detail, including centre frequency, bandwidth, signal structure and power relative to the noise floor.

This creates a simple workflow: detect across the spectrum, then isolate and investigate.

Real Signal Detection

Image 1: Wideband spectrum (left) and selected signal (right). A narrowband signal at 440 MHz is highlighted for closer inspection.

Signal 1 — 440.000 MHz

This frequency sits outside the 433 MHz ISM allocation and within the 70 centimetre amateur radio band, subject to verification of local licensed activity.

This is where RF monitoring moves into analysis.

Key questions include whether the transmission is expected in the environment, whether there is a known licensed source, whether the signal aligns with known device behaviour, and whether it could represent unauthorised or anomalous activity.

Initial capture indicated a strong local transmission. After gain adjustment, the signal resolved at approximately -72 dBFS, with a noise floor around -88 dBFS.

No immediate indication of malicious behaviour was observed during initial analysis. However, the same process would apply when assessing unauthorised or covert transmissions.

Image 2: Narrowband RF signal at 433 MHz observed during monitoring.

Signal 2 — 433.000 MHz

A second signal was observed, consistent with strong local transmission relative to the observed noise floor.

This aligns with expected ISM band activity such as sensors, weather stations and consumer wireless devices, and was treated as part of the baseline RF environment.

Engineering the Setup

Image 3: GNU Radio flowgraph developed for RF signal processing.

The underlying processing is implemented in GNU Radio Companion on DragonOS, using a HackRF One with a Diamond SRH789 antenna.

Raw IQ data is captured from the HackRF and processed through an FFT-based processing chain.

A 4096-point FFT converts the signal into the frequency domain, with Blackman-Harris windowing used to improve visibility of weaker signals near stronger ones.

Signal power is calculated using magnitude squared conversion and normalised into dBFS, allowing measurements to be compared consistently.

The system runs at a 20 Msps sample rate, covering roughly 20 MHz of bandwidth from 423 MHz to 443 MHz.

This allows signals to be detected and analysed clearly rather than just observed.
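The processing chain described above (Blackman-Harris window, 4096-point FFT, magnitude squared, dBFS normalisation, then "detect across the spectrum, isolate and investigate") can be reproduced outside GNU Radio Companion in a few lines of NumPy. The following is an added example written for this article, not the author's flowgraph or GNU Radio code. It assumes the article's parameters (20 Msps, a 423 to 443 MHz span centred on 433 MHz, 4096-point FFT) and feeds the chain a constructed IQ buffer in place of a HackRF capture: one carrier at about -72 dBFS near 440 MHz and one at 433 MHz over a noise floor near -88 dBFS, modelled on the readings reported for Signal 1. The detector estimates the noise floor as the median bin power, flags bins a set margin above it, and groups adjacent bins into one signal with a peak frequency, peak power, occupied bandwidth and margin over the floor.

```python
import numpy as np

# Parameters taken from the article's setup
SAMPLE_RATE = 20e6      # 20 Msps
CENTER_FREQ = 433e6     # midpoint of the 423-443 MHz span
FFT_SIZE = 4096


def blackman_harris(n):
    """4-term Blackman-Harris window (the window the flowgraph uses)."""
    k = np.arange(n)
    a = (0.35875, 0.48829, 0.14128, 0.01168)
    return (a[0] - a[1] * np.cos(2 * np.pi * k / (n - 1))
            + a[2] * np.cos(4 * np.pi * k / (n - 1))
            - a[3] * np.cos(6 * np.pi * k / (n - 1)))


def power_spectrum_dbfs(iq, fft_size=FFT_SIZE, sample_rate=SAMPLE_RATE,
                        center_freq=CENTER_FREQ):
    """Window -> FFT -> |X|^2 -> dBFS, averaged over all complete frames.

    Dividing by the window's coherent gain makes a full-scale (amplitude 1.0)
    complex tone read 0 dBFS, so readings are comparable between captures.
    Returns (freqs_hz, dbfs) with DC in the centre bin.
    """
    w = blackman_harris(fft_size)
    n_frames = len(iq) // fft_size
    if n_frames == 0:
        raise ValueError("need at least one full FFT frame of samples")
    frames = iq[: n_frames * fft_size].reshape(n_frames, fft_size)
    spectra = np.fft.fft(frames * w, axis=1) / w.sum()
    power = np.fft.fftshift(np.mean(np.abs(spectra) ** 2, axis=0))  # average in linear units
    freqs = center_freq + np.fft.fftshift(np.fft.fftfreq(fft_size, 1 / sample_rate))
    return freqs, 10 * np.log10(power + 1e-30)


def detect_signals(freqs, dbfs, threshold_db=10.0):
    """Flag bins above noise floor + threshold and group adjacent bins into signals.

    The median bin power is used as the noise floor; a few strong carriers do
    not pull it up. Returns (noise_floor_dbfs, [signal dicts]) in ascending
    frequency order.
    """
    noise_floor = float(np.median(dbfs))
    above = dbfs > noise_floor + threshold_db
    bin_width = float(freqs[1] - freqs[0])
    signals, i = [], 0
    while i < len(above):
        if not above[i]:
            i += 1
            continue
        j = i
        while j < len(above) and above[j]:
            j += 1
        peak = i + int(np.argmax(dbfs[i:j]))
        signals.append({
            "freq_hz": float(freqs[peak]),
            "power_dbfs": float(dbfs[peak]),
            "bandwidth_hz": (j - i) * bin_width,   # width of the above-threshold run
            "snr_db": float(dbfs[peak] - noise_floor),
        })
        i = j
    return noise_floor, signals


def synthetic_capture(n_samples=16 * FFT_SIZE, seed=1):
    """Constructed IQ stand-in for a HackRF capture (not real data).

    Two carriers modelled on the article's observations: ~440 MHz at -72 dBFS
    and 433 MHz at -60 dBFS, over complex white noise giving a per-bin floor
    near -88 dBFS. Offsets are snapped to FFT bin centres so the dBFS reading
    is exact (no scalloping loss).
    """
    rng = np.random.default_rng(seed)
    t = np.arange(n_samples) / SAMPLE_RATE
    bin_hz = SAMPLE_RATE / FFT_SIZE
    tones = [(round(7e6 / bin_hz) * bin_hz, -72.0), (0.0, -60.0)]
    iq = np.zeros(n_samples, dtype=complex)
    for offset, dbfs in tones:
        iq += 10 ** (dbfs / 20) * np.exp(2j * np.pi * offset * t)
    # per-bin noise power ~ sigma^2 * ENBW / N, with ENBW ~ 2 bins for Blackman-Harris
    sigma = np.sqrt(10 ** (-88 / 10) * FFT_SIZE / 2.0)
    noise = rng.standard_normal(n_samples) + 1j * rng.standard_normal(n_samples)
    iq += sigma * noise / np.sqrt(2)
    return iq


if __name__ == "__main__":
    freqs, dbfs = power_spectrum_dbfs(synthetic_capture())
    floor, found = detect_signals(freqs, dbfs)
    print(f"noise floor {floor:.1f} dBFS")
    for s in found:
        print(f"{s['freq_hz']/1e6:.4f} MHz  {s['power_dbfs']:.1f} dBFS  "
              f"+{s['snr_db']:.1f} dB over floor  {s['bandwidth_hz']/1e3:.1f} kHz wide")
```

To run it against real data, replace `synthetic_capture()` with the complex64 samples from a HackRF IQ file (for instance `np.fromfile(path, dtype=np.complex64)`) recorded at the same sample rate and centre frequency; the rest of the chain is unchanged, which is what keeps live monitoring and post-capture review consistent.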

RF Detection Compared to Traditional Sweepers

Traditional RF sweepers indicate the presence of a signal but provide limited detail.

This setup allows signals to be identified by frequency, measured, visualised across the spectrum and analysed in context.

Rather than simply detecting activity, it makes it possible to assess whether a signal is expected or unusual.

This distinction is what separates intelligence from detection.

Why RF Monitoring Matters

Most security programmes focus on networks, applications and endpoints.

RF is rarely included, which creates an opportunity for activity that does not generate logs or alerts.

Data can be transmitted out of a secure environment without touching the network. Devices can operate silently over RF for long periods.

Signals can exist outside commonly monitored bands such as WiFi and Bluetooth.

The RF environment inside a facility is an attack surface that traditional monitoring does not cover.

Field Collection Capability

For on-site work away from the DragonOS setup, a PortaPack HM4 with an integrated HackRF One can be used for standalone field capture.

This allows RF data to be collected without a laptop and stored for later analysis.

Captured data can then be replayed through the same processing setup, keeping analysis consistent between live monitoring and post-capture review.

Future Development

The current setup provides monitoring, detection and basic analysis.

Future work will focus on building a baseline of expected RF activity and identifying deviations over time.

This would allow more structured detection of unusual or unexpected signals.
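One way to structure the baseline described above, as an added example rather than anything the author has published: take the per-scan detection lists (frequency and power pairs, as a detector like the one in the processing chain would emit), bucket them by frequency so small drift does not split one emitter into two entries, and record how often each bucket is seen and its mean and spread of power. A later scan is then compared against that record and three kinds of deviation are reported: a signal in a bucket the baseline has not seen, an expected signal whose power has moved well outside its usual range, and an expected signal that has gone quiet. The bucket width, presence threshold and power tolerance are assumptions chosen for the example; the scan data is constructed, loosely modelled on the 433 MHz and 440 MHz observations in the article.

```python
from statistics import mean, pstdev

BUCKET_HZ = 25e3   # assumed: one bucket per 25 kHz absorbs oscillator drift


def _bucket(freq_hz, bucket_hz=BUCKET_HZ):
    return round(freq_hz / bucket_hz)


def build_baseline(scans, bucket_hz=BUCKET_HZ):
    """Summarise repeated scans into a baseline keyed by frequency bucket.

    scans: list of scans; each scan is a list of (freq_hz, power_dbfs) detections.
    Returns {bucket: {"freq_hz", "mean_dbfs", "std_dbfs", "presence"}} where
    presence is the fraction of scans in which the bucket was occupied.
    """
    seen = {}
    for scan in scans:
        for freq_hz, power_dbfs in scan:
            seen.setdefault(_bucket(freq_hz, bucket_hz), []).append((freq_hz, power_dbfs))
    baseline = {}
    for key, obs in seen.items():
        powers = [p for _, p in obs]
        baseline[key] = {
            "freq_hz": mean(f for f, _ in obs),
            "mean_dbfs": mean(powers),
            "std_dbfs": pstdev(powers),
            "presence": len(obs) / len(scans),
        }
    return baseline


def compare_to_baseline(baseline, scan, bucket_hz=BUCKET_HZ,
                        min_presence=0.5, power_tol_db=6.0):
    """Report deviations of one scan from the baseline.

    A bucket counts as "expected" when it was present in at least min_presence
    of the baseline scans. Power is flagged when it moves more than
    max(power_tol_db, 3 * std) from the baseline mean.
    """
    anomalies = []
    observed = set()
    for freq_hz, power_dbfs in scan:
        key = _bucket(freq_hz, bucket_hz)
        observed.add(key)
        entry = baseline.get(key)
        if entry is None or entry["presence"] < min_presence:
            anomalies.append({"kind": "new_signal", "freq_hz": freq_hz,
                              "power_dbfs": power_dbfs})
            continue
        delta = power_dbfs - entry["mean_dbfs"]
        if abs(delta) > max(power_tol_db, 3 * entry["std_dbfs"]):
            anomalies.append({"kind": "power_change", "freq_hz": freq_hz,
                              "delta_db": delta})
    for key, entry in baseline.items():
        if entry["presence"] >= min_presence and key not in observed:
            anomalies.append({"kind": "missing", "freq_hz": entry["freq_hz"]})
    return anomalies


# Constructed sample data (not real captures): eight baseline scans in which a
# 433.000 MHz source sits near -60 dBFS and a 440.002 MHz source near -72 dBFS.
BASELINE_SCANS = [
    [(433_000_000.0, -60.0 + d), (440_002_000.0, -72.0 - d)]
    for d in (0.0, 0.4, -0.3, 0.7, -0.6, 0.2, -0.1, 0.5)
]
# A later scan: 440 MHz has jumped 14 dB and an unknown carrier appears at 436.5 MHz.
NEW_SCAN = [(433_000_000.0, -60.2), (440_001_000.0, -58.0), (436_500_000.0, -70.0)]


def run_example():
    baseline = build_baseline(BASELINE_SCANS)
    return compare_to_baseline(baseline, NEW_SCAN)


if __name__ == "__main__":
    for a in run_example():
        print(a)
```

Presence is tracked separately from power so that intermittent emitters (a beacon that only keys up occasionally) can be kept in the baseline without being flagged as missing on every scan in which they are silent; in practice the baseline would be rebuilt from a rolling window of scans so that the environment is allowed to change slowly without every change becoming an alert.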

If RF is not part of your security approach, it is worth considering.

For organisations looking to better understand RF exposure and wireless risk, assessment beyond traditional controls may be required.

Contact:
info@intspired.co.uk
https://intspired.co.uk

IntSpired®
Offensive by Design. Intelligent by Nature.
