
How Radio Frequency Devices Can Be Analyzed, Hacked, and Secured

  • Writer: Prabhleen Kaur

Introduction


Pick up your car keys right now. Press the unlock button. What just happened? You broadcast a radio signal, your vehicle received it, validated a code, and unlocked the doors. Simple. But what if someone standing nearby was recording that exact transmission? What if they could replay it an hour later, or figure out what the next valid code would be?

That is RF security in a nutshell, and it touches more of everyday life than most people stop to think about.

Aircraft overhead are broadcasting their GPS coordinates to anyone willing to listen. The contactless card you tapped at the metro this morning handed over identifying data to a reader you never examined. Smart devices scattered around your home are quietly exchanging information over frequencies nobody audits. None of this is alarmist. It is just the reality of how wireless systems got built, convenience first, security somewhere further down the roadmap.

For those of us who spend time studying these systems in the field, the last decade has been something else entirely. Hardware that used to cost thousands became affordable to independent researchers. Software tools caught up fast. The radio spectrum became a place you could genuinely explore with a laptop, a cheap dongle, and curiosity. What follows is a walkthrough of how that exploration works, what the real vulnerabilities look like, and how defenders can start pushing back.


This image is generated using Nano Banana

Understanding RF Communication


Radio frequency communication covers an enormous range. The usable spectrum runs from around 3 Hz at the very low end to well past 300 GHz, and every slice of it behaves differently. VHF carries aviation voice traffic and FM broadcasts. UHF handles television and two-way radio. The 2.4 GHz band is essentially chaos, packed with Wi-Fi, Bluetooth, wireless keyboards, baby monitors, and leakage from microwave ovens all competing for the same airspace.

None of these signals travel raw. They get modulated, meaning the data is encoded onto a carrier wave. Amplitude modulation changes the strength of the wave. Frequency modulation shifts the carrier frequency up and down slightly. Modern digital systems use schemes like QAM that pack multiple bits into each transmitted symbol, trading simplicity for throughput. The right modulation choice comes down to the environment: how much noise is present, how far the signal needs to travel, and how much bandwidth is available.

What transformed RF security research more than anything else was Software Defined Radio. Before SDR, studying an unknown signal meant purpose-built hardware for each frequency and expensive lab access. An RTL-SDR dongle plugged into a laptop now pulls signals from roughly 24 MHz to 1.7 GHz. HackRF One stretches that range from 1 MHz to 6 GHz with the ability to transmit as well as receive. The Portapack H2 attachment turns HackRF into a fully standalone unit with a built-in waterfall display: no laptop required, fieldwork ready. Add GNU Radio, Universal Radio Hacker, GQRX, or SDR# and you have a research platform that would have been unimaginable to put together affordably a decade ago.


Fig: Basic waterfall of RF signal reception from an FM radio station

Common RF Technologies and Their Exposures


ADS-B and Aircraft Tracking

Every commercial aircraft equipped with an ADS-B transponder broadcasts its GPS position, altitude, speed, and flight callsign once per second on 1090 MHz. Unencrypted. No authentication at all. This was an intentional design decision so that any receiver could participate in air traffic awareness for safety. It made complete sense when the standard was written. It looks different now that a basic antenna and free software let anyone on the ground build a live flight tracker in an afternoon.

During field research with the HackRF Portapack, ADS-B transmissions were captured passively within minutes of tuning to 1090 MHz. Decoded data included ICAO aircraft identifiers, real-time GPS coordinates, altitude readings, and ground speed. No transmission was made. No system was touched or interfered with in any way. Just listening to what was already being broadcast openly into the air.
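To make concrete what "decoded data" means at the bit level, here is an added example (not code from the article or from any of the tools it names) that takes a single demodulated 112-bit ADS-B extended squitter frame and does what any receiver does: checks the Mode S CRC, reads the downlink format, ICAO address and type code, and decodes the callsign from a Type Code 1-4 identification message. The sample frame is a reference message in the standard DF17 layout used as illustration input, not a capture from the field sessions described here; the function names are my own. The point worth noticing is that the CRC only tells you the frame arrived intact, not who sent it, which is exactly the "no authentication" property the paragraph describes.

```python
"""Decode and validate one ADS-B (Mode S DF17) frame.

Added example for this article, not code from the original post.
The message below is a reference frame in the standard DF17 layout,
used only as illustration input for the decoder.
"""

# Mode S CRC generator polynomial, 25 bits:
# x^24 + x^23 + ... + x^12 + x^10 + x^3 + 1
MODE_S_GENERATOR = 0x1FFF409

# 6-bit character set used by Type Code 1-4 identification messages.
CALLSIGN_CHARSET = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"

SAMPLE_MSG = "8D4840D6202CC371C32CE0576098"  # 28 hex digits = 112 bits


def mode_s_crc(msg_hex: str) -> int:
    """Return the 24-bit CRC remainder over the whole frame.

    The transmitter chooses the parity field (last 24 bits) so that the
    complete 112-bit word is divisible by the generator; a correctly
    received frame therefore yields remainder 0. A non-zero remainder
    means bit errors (or a frame that is not DF17), never "authentic".
    """
    value = int(msg_hex, 16)
    nbits = len(msg_hex) * 4
    for i in range(nbits - 1, 23, -1):  # polynomial long division, MSB first
        if (value >> i) & 1:
            value ^= MODE_S_GENERATOR << (i - 24)
    return value & 0xFFFFFF


def downlink_format(msg_hex: str) -> int:
    """DF is the first 5 bits of the frame (17 = ADS-B extended squitter)."""
    return int(msg_hex[:2], 16) >> 3


def icao_address(msg_hex: str) -> str:
    """Bits 9-32 carry the 24-bit ICAO aircraft address, sent in the clear."""
    return msg_hex[2:8].upper()


def type_code(msg_hex: str) -> int:
    """First 5 bits of the 56-bit ME field select the message type."""
    return int(msg_hex[8:10], 16) >> 3


def callsign(msg_hex: str) -> str:
    """Decode the eight 6-bit callsign characters of a TC 1-4 message."""
    me_bits = bin(int(msg_hex[8:22], 16))[2:].zfill(56)
    chars = [CALLSIGN_CHARSET[int(me_bits[i:i + 6], 2)] for i in range(8, 56, 6)]
    return "".join(chars).rstrip("_# ")


def decode(msg_hex: str) -> dict:
    """Validate the frame and return the fields a tracker would display."""
    if len(msg_hex) != 28:
        raise ValueError("expected a 112-bit frame (28 hex digits)")
    if mode_s_crc(msg_hex) != 0:
        raise ValueError("CRC mismatch: frame corrupted or not a DF17 message")
    df = downlink_format(msg_hex)
    if df != 17:
        raise ValueError(f"not an ADS-B extended squitter (DF={df})")
    result = {"icao": icao_address(msg_hex), "tc": type_code(msg_hex)}
    if 1 <= result["tc"] <= 4:
        result["callsign"] = callsign(msg_hex)
    return result


if __name__ == "__main__":
    print(decode(SAMPLE_MSG))
```

Position, altitude and velocity live in other type codes (TC 9-18 and 19) and need the compact position reporting rules to decode, which is why real receivers are a good deal longer than this; the validation and identification steps shown here are the same for every frame.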


Fig: Intercepting RF signals broadcast by aircraft using a HackRF + Portapack

Voice Traffic Interception


Air traffic control communications between pilots and ground controllers happen on VHF frequencies between roughly 118 MHz and 137 MHz and are sometimes unencrypted. Passive reception of these transmissions is legal in most jurisdictions, as they are publicly broadcast signals. During spectrum analysis sessions, ATC voice traffic showed up clearly on the waterfall display as distinctive narrow bursts tied to voice transmission timing. Audio quality was fully intelligible.

This is a straightforward illustration of how much sensitive operational information moves through the air without any form of protection. Understanding that exposure is the first step toward thinking seriously about how future systems should be designed differently.


Fig: Intercepting air traffic control RF signals

Walkie-Talkie and Handheld Radio Signals


Consumer walkie-talkies and many handheld radios operate across VHF and UHF bands, typically without any encryption. During spectrum sweeps, these signals appeared as distinctive narrow bursts on the waterfall tied directly to voice transmissions. Protocol analysis on captured samples revealed plaintext audio with no meaningful access control. The range of these devices is limited, but within that range, anyone monitoring the spectrum can receive everything being said.


Fig: Intercepting RF emitted by a walkie-talkie

RFID and Smart Cards


Transit ticketing cards, office access badges, and NFC payment cards all rely on radio to exchange data at short range. Older systems transmitted a card's unique identifier with basically no challenge-response mechanism, which made cloning straightforward for a researcher with the right hardware. Newer implementations are considerably better, using mutual authentication. But older cards remain deployed in large numbers and that situation is not resolving itself quickly.


Car Key Fobs and Rolling Codes


Rolling codes were a smart solution to an obvious problem. Instead of transmitting the same signal every time, the fob and vehicle share a counter that advances with each button press, generating a new unpredictable value each time. Replay attacks that worked trivially against fixed-code systems do not work here. What does work, and has been demonstrated repeatedly in real conditions, are relay attacks. Two people with signal amplifiers, one near the car and one near wherever the key is sitting inside a building, can extend the key's effective range without touching any cryptography. The car thinks the key is nearby because the signal says so. It is not.


IoT and Consumer Wireless Devices


Consumer IoT is where things get genuinely messy from a security standpoint. Devices communicating over 433 MHz or 915 MHz ISM bands are everywhere, and the protocol implementations researchers find in practice range from reasonably secure to quite poor. Hardcoded encryption keys, no authentication at all, completely unencrypted payloads transmitted openly. These are not hypothetical concerns found only in discontinued hardware. They show up in products that are actively being manufactured and sold.

One area that came up during field research was shopping cart locking systems used in retail environments. Some implementations rely on RF signals to lock or unlock cart wheels at boundary zones. Passive capture and analysis of these signals revealed simple fixed-code transmissions with no rolling code or authentication mechanism. This kind of finding illustrates exactly how deployment pressure often overrides security considerations in low-cost consumer systems.


GPS and Satellite Signals


GPS signals arrive at the ground at very low power levels, which creates two distinct problems. Jamming them is easy because almost any transmitter operating in the right frequency range will overpower them. Spoofing, broadcasting counterfeit signals at higher power than the real ones, is physically feasible and has been observed in real environments well outside of lab settings. For navigation systems, autonomous vehicles, or anything using GPS for timing synchronization, both of these represent serious and growing risk.


Fig: Broadcasting RF signals to gain access to RF-controlled shopping carts

RF Research in Practice


Most legitimate RF research starts entirely passively. Plug in an antenna, open a waterfall display pointed at a frequency of interest, and watch. A waterfall maps signal activity across frequency on one axis and time on the other, with intensity rendered as color. It gives you an immediate visual sense of what is happening in a band. A repeating burst at regular intervals is probably a sensor beacon. A narrow persistent spike is likely a carrier sitting idle. Wide spectral smearing often points to spread-spectrum traffic designed to resist interference.

The waterfall is where most investigations actually begin, and it is worth spending real time learning to read what you are seeing before moving to active analysis. Different signal types have recognizable visual signatures once you have looked at enough of them.

Decoding unknown protocols takes considerably more patience. You are looking for preamble sequences, synchronization words, field boundaries, and data encoding patterns. Tools like Universal Radio Hacker automate significant portions of this process, but substantial manual analysis is still required when you are working with a protocol you have not seen before. Getting from raw samples to a fully characterized protocol can take days of methodical work.
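As an added example (not code from Universal Radio Hacker or from any real product), here is the manual version of the steps just described, run over a constructed demodulated bitstream: locate the preamble and sync word, slice the payload into fields under a working hypothesis about their boundaries, and check that hypothesis against a checksum. The frame layout (0xAAAA preamble, 0x2DD4 sync word, 8-bit device id, 16-bit value, 8-bit XOR checksum) is an assumption made for the example. It also shows the simple test behind the shopping-cart finding above: several captured presses whose payload bits are identical point to a fixed-code device.

```python
"""Manual decode of a demodulated bitstream from an unknown device.

Added example for this article. The bitstream is constructed, and the
frame layout is a hypothesis chosen for illustration: an analyst would
form one like it from the waterfall and then test it against more captures.
"""

PREAMBLE = "10101010" * 2          # 0xAAAA: alternating bits used for clock recovery
SYNC_WORD = "0010110111010100"     # 0x2DD4: marks where the payload begins (assumed)
FRAME_BITS = 32                    # id(8) + value(16) + checksum(8), assumed layout

# Constructed capture of one button press: leading noise, preamble, sync,
# payload, trailing noise. A second press differs only in the noise around it.
PAYLOAD_BITS = (
    "01011010"                 # device id 0x5A
    + "00001000" + "01100110"  # value 0x0866 = 2150
    + "00110100"               # XOR checksum 0x5A ^ 0x08 ^ 0x66 = 0x34
)
CAPTURE_1 = "0110010001" + PREAMBLE + SYNC_WORD + PAYLOAD_BITS + "001"
CAPTURE_2 = "111" + PREAMBLE + SYNC_WORD + PAYLOAD_BITS + "0"


def locate_payload(bits: str) -> int:
    """Index of the first payload bit, or -1 when no frame start is found.

    Requiring the preamble directly before the sync word avoids treating an
    accidental 0x2DD4 pattern inside noise as a frame boundary.
    """
    idx = bits.find(PREAMBLE + SYNC_WORD)
    return -1 if idx < 0 else idx + len(PREAMBLE) + len(SYNC_WORD)


def xor_checksum(data: bytes) -> int:
    acc = 0
    for b in data:
        acc ^= b
    return acc


def parse_frame(bits: str) -> dict:
    """Slice the fields out of the bitstream and verify the trailing checksum."""
    start = locate_payload(bits)
    if start < 0:
        raise ValueError("no preamble/sync word found")
    body = bits[start:start + FRAME_BITS]
    if len(body) < FRAME_BITS:
        raise ValueError("frame truncated")
    data = int(body, 2).to_bytes(FRAME_BITS // 8, "big")
    payload, received = data[:-1], data[-1]
    if xor_checksum(payload) != received:
        # Either a bit error or the field hypothesis is wrong; both need more captures.
        raise ValueError("checksum mismatch")
    return {"device_id": payload[0], "value": int.from_bytes(payload[1:3], "big")}


def looks_fixed_code(captures) -> bool:
    """True when every decodable capture carries byte-identical payload bits.

    A rolling-code or authenticated device changes something on every press;
    a device that does not is open to straight replay.
    """
    payloads = set()
    for bits in captures:
        start = locate_payload(bits)
        if start >= 0:
            payloads.add(bits[start:start + FRAME_BITS])
    return len(payloads) == 1


if __name__ == "__main__":
    print(parse_frame(CAPTURE_1))
    print("fixed code:", looks_fixed_code([CAPTURE_1, CAPTURE_2]))
```

The checksum doubles as a sanity check on the analyst's own guesswork: if the field boundaries are wrong, the recomputed checksum will not match across captures, which is usually the first sign that the hypothesis needs revising.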


Fig: Basic waterfall of RF signal reception from an FM radio station

How RF Attacks Work


Replay Attacks


Conceptually the simplest attack. Record a transmission, play it back later. It works when the receiving system has no mechanism to detect that the same code has already been used. Fixed-code garage door openers and older key fobs were entirely vulnerable to this approach. Rolling codes exist specifically because replay attacks were so effective against earlier designs.
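The difference between the fixed-code receivers described here and the rolling-code design from the key fob section comes down to a few lines of receiver logic. The following is an added example, not code from any real fob or vehicle: a fixed-code receiver beside a rolling-code receiver, with a simplified stand-in scheme (a 32-bit counter sent in the clear plus a 32-bit tag derived as a truncated HMAC-SHA256 under a shared key) constructed for illustration. Real products use other constructions, but the property that matters, that a counter already consumed is never accepted again, is the same.

```python
"""Fixed-code receiver beside a rolling-code receiver.

Added example for this article; not code from any real product. The
rolling scheme (counter || truncated HMAC-SHA256 tag) is a constructed
stand-in chosen to make the replay check easy to read.
"""
import hashlib
import hmac


class FixedCodeReceiver:
    """Legacy design: the same frame opens the door every time it is heard."""

    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        # Nothing here distinguishes a live press from a recording of one.
        return hmac.compare_digest(frame, self.code)


def rolling_tag(key: bytes, counter: int) -> bytes:
    """Constructed tag derivation: first 4 bytes of HMAC-SHA256(key, counter)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class RollingCodeReceiver:
    """Accepts a frame only if its counter is ahead of the last accepted one,
    within a resynchronisation window, and its tag verifies."""

    WINDOW = 16  # presses made out of range that the receiver will tolerate

    def __init__(self, key: bytes, start_counter: int = 0):
        self.key = key
        self.last_counter = start_counter

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 8:
            return False
        counter = int.from_bytes(frame[:4], "big")
        # At or below the last accepted counter: a replay or a stale frame.
        # Too far ahead: out of sync, rejected rather than blindly accepted.
        if not (self.last_counter < counter <= self.last_counter + self.WINDOW):
            return False
        if not hmac.compare_digest(frame[4:], rolling_tag(self.key, counter)):
            return False
        self.last_counter = counter  # consume the counter: no second use
        return True


class Fob:
    """Transmitter side: advances its counter on every press."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter

    def press(self) -> bytes:
        self.counter += 1
        return self.counter.to_bytes(4, "big") + rolling_tag(self.key, self.counter)


def replay_demo():
    """Return (fixed_replay_accepted, rolling_first, rolling_replay, rolling_next)."""
    fixed = FixedCodeReceiver(b"\x12\x34\x56\x78")
    recorded = b"\x12\x34\x56\x78"          # the one frame a fixed-code fob ever sends
    fixed_replay = fixed.accept(recorded) and fixed.accept(recorded)

    key = b"constructed-shared-secret"
    fob, rx = Fob(key), RollingCodeReceiver(key)
    frame = fob.press()
    first = rx.accept(frame)                # True: fresh counter
    replay = rx.accept(frame)               # False: counter already consumed
    nxt = rx.accept(fob.press())            # True: counter advanced
    return fixed_replay, first, replay, nxt


def out_of_window_demo() -> bool:
    """Fob pressed WINDOW times out of range, then once in range: rejected."""
    key = b"constructed-shared-secret"
    fob, rx = Fob(key), RollingCodeReceiver(key)
    for _ in range(RollingCodeReceiver.WINDOW):
        fob.press()                         # presses the receiver never heard
    return rx.accept(fob.press())           # counter = WINDOW + 1, outside window


if __name__ == "__main__":
    print(replay_demo(), out_of_window_demo())
```

Note what this does not fix: in the relay scenario from the key fob section the receiver is handed a genuine, never-before-seen frame, so every check above passes. The counter defends against a recording, not against the assumption that a valid frame means the key is nearby.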


Jamming


Flooding a frequency band with noise stops communication on that band entirely. No decryption required. No protocol knowledge needed. It is a blunt approach but effective at denying service. It is also illegal in virtually every jurisdiction, with no exceptions carved out for research purposes.


Spoofing


More sophisticated than jamming because you are crafting signals intended to be accepted as legitimate by the receiving system. GPS spoofing is the most documented version of this in open research. Signal injection attacks against poorly authenticated protocols follow the same general principle but operate at different layers of the stack.


Relay Attacks


Relay attacks stand apart because they do not involve breaking any cryptography. They exploit a physical assumption built into the system design, specifically that signal proximity implies authorized presence. When that assumption can be defeated without touching the crypto, the security model collapses regardless of how strong the encryption algorithm is. This is why proximity assumptions need to be enforced through means other than signal range alone.


Defensive Strategies


Encryption matters but it is not sufficient by itself. Key management, implementation quality, and how cryptography is actually used inside firmware all matter as much as the choice of algorithm. Mutual authentication, where both sides of a communication verify each other before proceeding, closes off a wide range of spoofing-based attacks that one-sided authentication leaves exposed.

Frequency hopping spread spectrum is one of the more robust physical-layer defenses available. When transmitter and receiver continuously switch channels in a synchronized pseudo-random pattern, effective jamming requires covering the entire band rather than a single frequency. That is a significantly harder task for an attacker.

At the monitoring layer, RF intrusion detection gives defenders visibility into anomalous activity. Signals appearing on unexpected frequencies, duplicate message identifiers that suggest replay attempts, unusual timing patterns. None of these alone is conclusive evidence of an attack, but together they build a picture that is worth investigating.
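The three indicators listed in this paragraph are easy to turn into rules once frames are decoded and timestamped. The following is an added example, not code from the article or from any RF monitoring product: a small detector run over a constructed log of decoded frames from a 433 MHz beacon. It flags payloads repeated within a window (replay suspects), activity outside an allowlist of expected frequencies, and inter-arrival gaps that break the device's known beacon period. The log format, column names and thresholds are assumptions made for the example.

```python
"""RF intrusion detection rules over decoded, timestamped frames.

Added example for this article. The log below is constructed: a sensor
beaconing every 30 s, one replayed frame, two off-schedule frames, and
one transmission on a frequency nobody expected to see.
"""
import csv
import io
from collections import defaultdict

SAMPLE_LOG = """\
ts,freq_hz,device_id,payload
0.0,433920000,sensor-01,a1b2c3d4
30.0,433920000,sensor-01,a1b2c3d5
60.0,433920000,sensor-01,a1b2c3d6
61.5,433920000,sensor-01,a1b2c3d6
90.0,433920000,sensor-01,a1b2c3d7
92.0,433920000,sensor-01,a1b2c3d8
95.0,868300000,unknown-77,deadbeef
120.0,433920000,sensor-01,a1b2c3d9
"""

EXPECTED_FREQS = {433920000}   # frequencies the site expects to be active (assumed)
BEACON_PERIOD = 30.0           # seconds between beacons for this device class (assumed)
TIMING_TOLERANCE = 0.25        # fraction of the period tolerated as jitter
REPLAY_WINDOW = 300.0          # seconds within which a repeated payload is suspicious


def parse_log(text: str) -> list:
    """Turn the CSV capture log into typed records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": float(r["ts"]),
            "freq_hz": int(r["freq_hz"]),
            "device_id": r["device_id"],
            "payload": r["payload"],
        })
    return rows


def detect(rows: list) -> list:
    """Return (timestamp, rule, device_id) alerts; none alone proves an attack."""
    alerts = []
    seen = defaultdict(dict)   # device_id -> payload -> last time it was heard
    last_ts = {}               # device_id -> time of its previous frame
    for r in rows:
        dev = r["device_id"]

        # Rule 1: a signal where the site has no known transmitter.
        if r["freq_hz"] not in EXPECTED_FREQS:
            alerts.append((r["ts"], "unexpected_frequency", dev))

        # Rule 2: the same payload again within the window suggests a replay.
        prev = seen[dev].get(r["payload"])
        if prev is not None and r["ts"] - prev <= REPLAY_WINDOW:
            alerts.append((r["ts"], "duplicate_payload", dev))
        seen[dev][r["payload"]] = r["ts"]

        # Rule 3: a beacon arriving well off its expected cadence.
        if dev in last_ts:
            gap = r["ts"] - last_ts[dev]
            if abs(gap - BEACON_PERIOD) > TIMING_TOLERANCE * BEACON_PERIOD:
                alerts.append((r["ts"], "timing_anomaly", dev))
        last_ts[dev] = r["ts"]
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this produces four alerts: the frame at 61.5 s trips both the duplicate-payload and timing rules, the frame at 92 s trips timing alone, and the 868 MHz transmission trips the frequency rule. The 61.5 s pair is the pattern worth investigating first; a single timing anomaly on its own is more often a sensor hiccup than an attacker.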

Treating the wireless environment as part of a regular security assessment program, the same way you would approach a network penetration test, is still uncommon in most organizations. It is becoming increasingly necessary as the number of RF-connected devices in any given environment continues to grow.


Legal and Ethical Considerations


Passive reception of publicly broadcast signals is legal in most places. ADS-B, amateur radio, ATC voice traffic, weather broadcasts — listening to any of these is generally permissible. Active transmission is a fundamentally different situation. Most frequency bands require a license, and transmitting without one carries real legal consequences in nearly every country.

Jamming is illegal essentially everywhere. There are no research exceptions. Unauthorized interception of private communications is a serious criminal offense in most jurisdictions. The legal line between research and illegal activity runs directly through authorization. If you do not have explicit permission to interact with a system, passive observation is where your engagement has to stop.

Good research practice means documenting methodology clearly, reporting findings through responsible disclosure channels, and being straightforwardly honest about what the findings actually demonstrate versus what they might imply. The security community's credibility depends on that discipline being maintained.


The Road Ahead


The RF attack surface is expanding faster than the industry is hardening it. Smart city infrastructure is going to run on dense wireless sensor networks. Connected vehicles are already on the road in growing numbers and the fleet is expanding rapidly. 5G introduces new protocols and new potential weaknesses at a scale that makes previous wireless generations look simple. Satellite communications are becoming foundational to services that people and organizations depend on daily.

AI-driven RF analysis is beginning to shift the equation on both sides. Machine learning is being applied to signal classification and anomaly detection by defenders. The same techniques are accessible to anyone running capable hardware and software. The field is accelerating.

The researchers and engineers who genuinely understand how these systems work at the radio layer are going to matter a great deal in the next decade of infrastructure security. That knowledge is not optional for serious security work anymore. It is foundational.


Conclusion


RF security keeps getting treated as a specialty topic when it is really a foundational layer of modern infrastructure security. The signals passing through walls, across cities, and up to satellites carry real data, control real systems, and create real exposure when nobody is paying close attention to what is in them.

Knowing how to analyze a radio signal, recognize where a protocol has a weakness, and contribute to building something more resilient is exactly the kind of work that matters right now. The airwaves are busier than they have ever been. The only question worth asking is who actually understands what is moving through them.


All research described in this article was conducted within legal boundaries using passive signal reception and authorized hardware. No unauthorized transmissions were made. All demonstrations were performed in controlled environments with appropriate permissions.


Author: Harbeer Singh
