The RF Attack Surface: What's Exposed, What's Ignored, and What Actually Matters in 2026

There's a layer of your life that broadcasts continuously, in every direction, and asks nothing in return — no login, no password, no acknowledgment. It just transmits. Your phone tells towers where it is. Your car tells the parking lot who you are. Your office badge talks to readers you've never seen. Your smart home devices chatter with each other in a frequency band nobody's watching.

This layer is radio frequency. And it is, by design, a soft target.

"Soft target" is military language for something that is exposed, unguarded, and not expecting to be hit. The RF spectrum is soft in a very specific way: most of the signals flying through your environment were designed for convenience, not security. The people who built them optimized for range and reliability. Authentication was an afterthought. Encryption was optional. Interoperability was the goal. Verification was not.

That was fine when the receivers were expensive and the expertise was rare. Neither of those things is true anymore.


The Landscape, Briefly

Before getting into the attack surface, a rough map of what we're actually talking about.

Wi-Fi (2.4 GHz / 5 GHz / 6 GHz) — The one everyone knows. WPA2 is crackable offline if the passphrase is weak and you can capture the handshake. WPA3 is better but adoption is slow and mixed environments are common. Enterprise 802.1X is solid when configured correctly, which it often isn't.

Cellular (700 MHz – 2100 MHz and up) — Your phone's actual connection to the network. LTE is reasonably secure. 3G and 2G are not. The attack surface here is real and underappreciated: the phone picks the strongest signal it can find, and it does not verify that signal is legitimate before connecting.

Sub-GHz (300 MHz – 1 GHz) — This is where things get interesting. Garage doors, car fobs, alarm sensors, smart meters, weather stations, industrial sensors. Most of this band runs unencrypted. Some of it uses rolling codes, which are better but not perfect. A lot of it uses fixed codes, which are simply replayable.

RFID / NFC (125 kHz / 13.56 MHz) — Access cards, hotel keycards, transit passes, contactless payment, asset tags. 125 kHz (EM4100, HID Prox) is read-only and trivially cloneable. 13.56 MHz (MIFARE, DESFire) ranges from reasonably secure to embarrassingly weak depending on which card standard the building owner paid for.

Bluetooth / BLE (2.4 GHz) — Wireless keyboards, headphones, fitness trackers, IoT sensors, door locks, beacons. Pairing security varies wildly. BLE tracking is an entire discipline by itself.

IR (infrared) — TVs, projectors, HVAC controllers, some legacy access panels. No authentication whatsoever. Range-limited, but that's often the only protection.


Obvious Soft Targets

These show up in every security talk and still don't get fixed. Worth naming anyway because "obvious" doesn't mean "patched."

The Parking Garage Gate

Sub-GHz, fixed code, no rolling protection. You can capture the signal once with a Flipper or HackRF, replay it, and the gate opens. Every time. The cloned signal is indistinguishable from the real fob because they are, functionally, the same thing.

This is not hypothetical. It's routine.

The Office Badge

HID Prox badges — the thick, credit-card-sized ones in beige or white — operate at 125 kHz with the card ID broadcast in plaintext. The reader reads it. The system trusts it. There is no cryptographic handshake. A Proxmark or Flipper held near someone in an elevator, or in line at a coffee shop, reads the card without their knowledge. That ID can then be written to a blank and used freely.

A significant portion of corporate America still runs on this. Many buildings have upgraded readers but kept the same 125 kHz cards for "backward compatibility" — which is another way of saying they spent money and achieved nothing.

The WPA2 Handshake

Everyone knows this one. Walk around with a Pwnagotchi, capture four-way handshakes, crack offline with a wordlist. The window has narrowed — WPA3 SAE makes this genuinely harder — but the installed base of WPA2 networks is enormous and will remain so for years. In dense urban environments, a passive Pwnagotchi running for an afternoon captures dozens of handshakes. A meaningful percentage of them crack against common wordlists.

Bluetooth Keyboards and Mice

Unencrypted BLE HID keyboards are a known attack vector. MouseJack, the research that demonstrated wireless mouse injection attacks, is a decade old. The vulnerable hardware is still sold. MouseJack-style attacks inject keystrokes into systems from outside the room. This is the RF equivalent of someone typing on your computer while standing in the parking lot.


Less Obvious Soft Targets

The interesting ones. These don't get talked about at the same volume but the exposure is real.

Cell Towers You're Already Connected To

Your phone is constantly scanning for towers and connecting to the strongest signal. It has no way to verify that signal is real. An IMSI catcher — a Stingray, a DRT box, or a software-defined equivalent running on a laptop and a HackRF — impersonates a cell tower. Your phone connects. The catcher captures your IMSI identifier, which is persistent and unique. Depending on sophistication: location tracking, call interception, SMS interception, encryption downgrade to A5/1 or none.

This is not a theoretical threat. IMSI catchers have been documented at protests, courthouses, airports, political events, and border crossings in dozens of countries. The price of a capable passive unit has dropped substantially. The expertise required to operate one is available.

Your phone does not tell you when this happens. There is no indicator in iOS or Android that you are connected to a fake tower. The UX is identical to a real connection.

Smart Meters

Utility smart meters communicate over Sub-GHz RF and in some deployments, Zigbee or Z-Wave. They broadcast consumption data — and in some configurations, broadcast it in plaintext. The information isn't just energy data. Consumption patterns reveal occupancy, schedules, and behavior. When a house is empty. When people wake up. When an office is running at capacity.

Not an attack vector in the traditional sense. Passive surveillance infrastructure that exists in most buildings and is rarely considered.

Tire Pressure Monitors

TPMS sensors broadcast on 315 or 433 MHz with a unique sensor ID that is stable and tied to a specific vehicle. With a passive SDR receiver, you can log when a specific vehicle passes a fixed point, or track it across multiple points. This is how some law enforcement and investigative firms build location histories without GPS.

Again — passive collection of persistent identifiers that were never meant to be surveillance infrastructure.

Contactless Payment Skimming at Range

NFC nominal range is a few centimeters. Actual range with a directional antenna and a sensitive reader is longer β€” research has demonstrated reads at 40–80 cm under controlled conditions. Payment cards implement transaction limits and cryptographic verification that make actual fraud difficult. But card number, expiry, and cardholder name can still be read from some cards in plaintext. Whether that exposure matters depends on what you do with it.

The Building You're Sitting In

Commercial buildings increasingly run BACnet, Modbus, or KNX over RF for HVAC, lighting, elevator control, and access management. These protocols were designed for reliability on isolated networks. Many have minimal authentication. Some have none. They are now, in many buildings, reachable from within the building's guest Wi-Fi segment or via nearby RF.

HVAC manipulation is not glamorous. It is, however, a way to make a building unusable without touching a single computer, and it has been documented in real intrusions.


Honeypots: RF Edition

A honeypot in the traditional sense is a fake target that detects when someone's poking at it. RF honeypots are underused but genuinely useful.

Canary SSIDs. Create a Wi-Fi network with a name that looks like real infrastructure but isn't — CORP-WIFI-BACKUP, [buildingname]-GUEST. Set up logging on anything that probes or attempts to associate with it. A Pwnagotchi or Wi-Fi scanner in the area will probe remembered networks, which tells you someone with a scanning device was in range.

Fake RFID cards. Issue a set of RFID credentials that are valid in your access control system but belong to no real person. Log every time they're used. If a card that doesn't belong to anyone scans at a reader, someone cloned a card from somewhere near that reader. The which-reader tells you approximately where the clone happened.

Sub-GHz bait transmitters. A cheap Arduino or ESP32 broadcasting a recognizable Sub-GHz pattern on a frequency you monitor. If your SDR monitoring setup sees that pattern reflected or repeated from a direction it shouldn't be coming from, something nearby is capturing and replaying signals.

BLE beacons with known UUIDs. Deploy BLE beacons with logged UUIDs in sensitive areas. If a device you don't recognize starts advertising that UUID, or if a scanning sweep shows unexpected UUID collection behavior, you have a proximity indicator.

None of these are foolproof. They're tripwires. Tripwires are useful.
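The fake-RFID-card tripwire above only pays off if something actually reads the access-control log for the canary IDs. This is an added example, not code from the post or from any access-control vendor: the log line format, reader names and card IDs are constructed, and the regex is the part you would adapt to your own system's export.

```python
import re
from collections import Counter

# Constructed canary credentials: valid in the access-control system, issued to nobody.
# The value records where the physical card is kept, so a hit also says roughly where
# the clone was made.
CANARY_CARDS = {
    "0A3F19C2": "front desk drawer, lobby",
    "0A3F19C3": "visitor lanyard, 4th-floor reception",
}

# Constructed access-control export lines (hypothetical format; adapt LINE_RE to your ACS).
SAMPLE_LOG = """\
2026-03-02T08:14:03Z reader=Lobby-Turnstile-1 card=0A3F2210 result=GRANTED
2026-03-02T08:14:09Z reader=Lobby-Turnstile-2 card=0A3F19C2 result=GRANTED
2026-03-02T09:02:41Z reader=Elevator-Bank-B card=0A3F2211 result=GRANTED
2026-03-02T12:31:55Z reader=Server-Room-1 card=0A3F19C3 result=DENIED
2026-03-02T12:32:01Z reader=Server-Room-1 card=0A3F19C3 result=GRANTED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) reader=(?P<reader>\S+) card=(?P<card>[0-9A-F]+) result=(?P<result>\S+)$")

def canary_hits(log_text, canaries=CANARY_CARDS):
    """Every use of a canary card: when, at which reader, whether it got in,
    and where the original card physically lives."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("card") not in canaries:
            continue
        hits.append({
            "ts": m.group("ts"),
            "reader": m.group("reader"),
            "card": m.group("card"),
            "granted": m.group("result") == "GRANTED",
            "card_kept_at": canaries[m.group("card")],
        })
    return hits

def summarize(hits):
    """Per canary card: use count, which readers saw it, and whether any use succeeded.
    A GRANTED hit means the clone is indistinguishable from the real card, so that ID
    has to be rotated in the ACS and the reader's camera footage pulled for that time."""
    out = {}
    for h in hits:
        s = out.setdefault(h["card"], {"uses": 0, "readers": Counter(), "granted": False})
        s["uses"] += 1
        s["readers"][h["reader"]] += 1
        s["granted"] = s["granted"] or h["granted"]
    return out
```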


Detection and Alerting: What Actually Works

Monitoring the RF layer requires different tooling than network monitoring. There's no syslog to parse. You're looking at physical-layer signals.


For Wi-Fi

Passive probe monitoring. Devices probe for remembered networks constantly. An ESP32 running Marauder in passive mode, or a dedicated monitoring Pi with tcpdump on a monitor-mode interface, logs probe requests including the device MAC and the network name being probed. No encryption to break — you're watching what's broadcast.

# Minimal probe request logger with scapy
# Run against a monitor-mode interface (wlan0mon here); needs root for raw capture.
from scapy.all import sniff, Dot11ProbeReq

def log_probe(pkt):
    # A probe request carries the SSID the client is looking for in its info field
    if pkt.haslayer(Dot11ProbeReq):
        ssid = pkt[Dot11ProbeReq].info.decode('utf-8', errors='ignore')
        src = pkt.addr2  # transmitter MAC of the probing client
        if ssid:  # skip wildcard (broadcast) probes, which have an empty SSID
            print(f"[PROBE] {src} -> '{ssid}'", flush=True)

# prn must name the handler defined above; store=0 keeps scapy from buffering every frame
sniff(iface="wlan0mon", prn=log_probe, store=0)

Put this on a monitor-mode adapter, pipe output to a file, and you have a log of every device that passed through scanning for a remembered network. Useful for detecting scanning tools (they probe aggressively) and for behavioral analysis.

Deauth attack detection. Deauth frames are unauthenticated in 802.11 — they can be spoofed. A spike in deauth frames targeting your BSSID is a signal someone is running a deauth attack against your network. 802.11w mitigates this but adoption is patchy.

# Watch for deauth frames (type/subtype 0x0c) aimed at a specific BSSID;
# replace 00:11:22:33:44:55 with your own AP's BSSID
tshark -i wlan0mon -Y "wlan.fc.type_subtype == 0x000c && wlan.bssid == 00:11:22:33:44:55" \
  -T fields -e wlan.sa -e wlan.da -e wlan.bssid 2>/dev/null | \
  awk '{print "[DEAUTH]", $0}'
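Both loggers above produce a line per frame; the alerting comes from rate, not from any single line (scanning tools probe aggressively, and a deauth attack is a burst, not one frame). This added example, not from the post, turns those two log streams into alerts with one sliding-window counter. It assumes the log writer prefixed each line with epoch seconds; the MACs, SSIDs and thresholds are constructed.

```python
import re
from collections import defaultdict, deque

# Constructed sample lines in the shape the two loggers above print, prefixed with
# epoch seconds (assumed to be added by whatever writes the log file).
PROBE_LINES = [
    "1700000000 [PROBE] 11:22:33:44:55:66 -> 'HomeNet'",
    "1700000004 [PROBE] 11:22:33:44:55:66 -> 'HomeNet'",
    "1700000010 [PROBE] de:ad:be:ef:00:01 -> 'CORP-WIFI'",
    "1700000010 [PROBE] de:ad:be:ef:00:01 -> 'xfinitywifi'",
    "1700000011 [PROBE] de:ad:be:ef:00:01 -> 'attwifi'",
    "1700000011 [PROBE] de:ad:be:ef:00:01 -> 'Starbucks'",
    "1700000012 [PROBE] de:ad:be:ef:00:01 -> 'CORP-WIFI-BACKUP'",
    "1700000012 [PROBE] de:ad:be:ef:00:01 -> 'linksys'",
]
DEAUTH_LINES = ["1700000050 [DEAUTH] 66:77:88:99:aa:bb aa:aa:aa:aa:aa:aa 66:77:88:99:aa:bb"] + [
    f"{1700000100 + i // 3} [DEAUTH] 66:77:88:99:aa:bb ff:ff:ff:ff:ff:ff 66:77:88:99:aa:bb"
    for i in range(30)  # 30 broadcast deauths in ~10 s: a flood, not one client leaving
]
PROBE_RE = re.compile(r"^(\d+) \[PROBE\] (\S+) -> '(.*)'$")
DEAUTH_RE = re.compile(r"^(\d+) \[DEAUTH\] (\S+) (\S+) (\S+)$")

def burst_alerts(events, window_s, threshold):
    """events: (ts, key) pairs. Alert once per key the first time more than
    `threshold` of its events fall inside a sliding `window_s` second window."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, key in sorted(events):
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window_s:  # drop events that fell out of the window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key, ts, len(q)))
    return alerts

def probe_scanner_alerts(lines, window_s=10, distinct_ssids=5):
    """A scanning tool walks its whole remembered-SSID list in seconds; a phone
    probes one or two. Count distinct SSIDs per source MAC, not raw frames."""
    seen, events = set(), []
    for ln in lines:
        m = PROBE_RE.match(ln)
        if m and (m.group(2), m.group(3)) not in seen:
            seen.add((m.group(2), m.group(3)))
            events.append((int(m.group(1)), m.group(2)))
    return burst_alerts(events, window_s, distinct_ssids)

def deauth_flood_alerts(lines, window_s=10, max_frames=20):
    """Flag a BSSID that sees more than `max_frames` deauth frames in `window_s` seconds."""
    events = [(int(m.group(1)), m.group(4))
              for m in map(DEAUTH_RE.match, lines) if m]
    return burst_alerts(events, window_s, max_frames)
```

Tune the thresholds against a day of your own logs before alerting on them; a lobby full of phones at 9 a.m. looks different from an empty office at 3 a.m.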

For Cellular: Clutch

This is where Clutch comes in — and why it exists.

Clutch watches the signals your phone's cellular hardware actually sees, not approximations. On iOS it uses CoreTelephony to read real hardware state. On Python/Linux it uses ModemManager. It's watching for the patterns that distinguish legitimate towers from the ones that aren't.

The detection logic uses IsolationForest β€” an anomaly detection algorithm that works well here because IMSI catcher behavior is inherently anomalous relative to a baseline of normal cellular network behavior. You don't need labeled training data of real vs. fake towers. You need a baseline of what your normal cellular environment looks like and you alert on deviations.

# Simplified version of Clutch's anomaly detection core
from sklearn.ensemble import IsolationForest
import numpy as np

def build_baseline(readings):
    """
    readings: list of dicts with keys:
      rssi, timing_advance, cell_id, frequency, encryption_level
    """
    features = np.array([
        [r['rssi'], r['timing_advance'], r['frequency'], r['encryption_level']]
        for r in readings
    ])
    model = IsolationForest(contamination=0.05, random_state=42)
    model.fit(features)
    return model

def score_reading(model, reading):
    """Returns -1 for anomaly, 1 for normal"""
    features = np.array([[
        reading['rssi'],
        reading['timing_advance'],
        reading['frequency'],
        reading['encryption_level']
    ]])
    return model.predict(features)[0]

The full Clutch implementation adds DBSCAN for geographic clustering, RF fingerprinting, timing analysis, and a WebSocket coordination layer for teams running multiple monitoring points. The core logic is above — the rest is infrastructure around it.

A TA=0 combined with a signal jump of +28 dBm and an encryption downgrade is not a glitch. It's a pattern. That's what Clutch is watching for, continuously, without requiring you to interpret raw cellular data yourself.
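The pattern just described can be checked with plain rules alongside the IsolationForest model, which is useful when you want an alert you can explain. This is an added example, not Clutch's code: the readings are constructed in the shape build_baseline() expects, encryption_level is assumed to be an ordinal where higher is stronger, and the 20 dB jump threshold is an assumption (the article's example is +28).

```python
# Constructed consecutive readings. encryption_level is an assumed ordinal:
# 0 = none, 1 = A5/1, 2 = A5/3, 3 = LTE-grade. Reading 3 is the catcher-like transition.
READINGS = [
    {"rssi": -95, "timing_advance": 7, "cell_id": 41201, "frequency": 1900, "encryption_level": 3},
    {"rssi": -93, "timing_advance": 7, "cell_id": 41201, "frequency": 1900, "encryption_level": 3},
    {"rssi": -94, "timing_advance": 8, "cell_id": 41201, "frequency": 1900, "encryption_level": 3},
    {"rssi": -66, "timing_advance": 0, "cell_id": 9,     "frequency": 900,  "encryption_level": 1},
    {"rssi": -67, "timing_advance": 0, "cell_id": 9,     "frequency": 900,  "encryption_level": 1},
]

RSSI_JUMP_DB = 20  # assumed threshold for "a tower appeared far stronger than anything before"

def transition_indicators(prev, cur):
    """Compare two consecutive readings and name each catcher-like change."""
    ind = []
    jump = cur["rssi"] - prev["rssi"]
    if cur["timing_advance"] == 0 and prev["timing_advance"] != 0:
        ind.append("ta_zero")  # TA=0: the transmitter is effectively next to you
    if jump >= RSSI_JUMP_DB:
        ind.append(f"rssi_jump+{jump}")
    if cur["encryption_level"] < prev["encryption_level"]:
        ind.append(f"enc_downgrade{prev['encryption_level']}->{cur['encryption_level']}")
    if cur["cell_id"] != prev["cell_id"]:
        ind.append("cell_change")  # on its own this is just a handover
    return ind

def score_transition(ind):
    """The article's pattern: TA=0, a big signal jump and a downgrade together."""
    def has(prefix):
        return any(i.startswith(prefix) for i in ind)
    if has("ta_zero") and has("rssi_jump") and has("enc_downgrade"):
        return "ALERT"
    if len(ind) >= 2:
        return "SUSPECT"  # partial pattern: worth correlating with the model's score
    return "OK"

def scan(readings):
    """Score every consecutive pair; returns (index, verdict, indicators) per transition."""
    return [(i, score_transition(ind), ind)
            for i in range(1, len(readings))
            for ind in [transition_indicators(readings[i - 1], readings[i])]]
```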

For Sub-GHz / RF Replay

An RTL-SDR in continuous scan mode with rtl_power generates a wideband power sweep you can log and baseline. Deviations — unexpected transmissions on frequencies that are normally quiet — get flagged. This won't tell you what's happening, but it tells you something is.

# Sweep 300MHz-1GHz, log power per frequency, 1 second interval
rtl_power -f 300M:1000M:1M -i 1 -g 40 -e 1h rf_baseline.csv

# A second run for comparison
rtl_power -f 300M:1000M:1M -i 1 -g 40 -e 1h rf_current.csv

# Diff for anomalous spikes (crude but effective)
python3 - <<'EOF'
import csv, collections

def load(f):
    freqs = collections.defaultdict(list)
    with open(f) as fh:
        for row in csv.reader(fh):
            if len(row) < 7: continue
            freq_start = float(row[2])
            step = float(row[4])
            powers = [float(x) for x in row[6:] if x.strip()]
            for i, p in enumerate(powers):
                freqs[freq_start + i*step].append(p)
    return {k: sum(v)/len(v) for k,v in freqs.items()}

baseline = load('rf_baseline.csv')
current  = load('rf_current.csv')

for freq, pwr in current.items():
    delta = pwr - baseline.get(freq, pwr)
    if delta > 15:  # 15 dB spike threshold
        print(f"[SPIKE] {freq/1e6:.2f} MHz  +{delta:.1f} dB")
EOF

The Human Problem

Tools are easier than people. People are the actual attack surface.

An RFID clone attack requires someone to get within a meter of a badge — which means the cafe near the office, the elevator, the lobby. Tailgating is still more common than technical badge cloning. USB drops remain effective. Shoulder surfing for PINs is not exotic.

The RF layer doesn't exist in isolation from the physical and social layer. A Flipper Zero is useful. So is a hi-vis vest and a clipboard. The combination is more useful than either alone.

A few things that help on the human side and are rarely implemented:

Visual badge inspection habits. Most people don't look at badges. Training people to notice unfamiliar faces with badges — and to actually read the badge, not just see that one exists — closes a gap that no technical control addresses.

Reporting culture for RF anomalies. If someone's phone is behaving oddly — calls dropping in a specific location that usually has good coverage, SMS delivery failures, unexpected network switches — that's potentially relevant. But only if there's a channel to report it and someone who knows what to do with the report. In most organizations, that channel doesn't exist.

Challenge protocol for unfamiliar devices. "What's that?" is a sentence that costs nothing and catches a lot. An unknown device plugged into a port, an unfamiliar gadget on a desk, a Pwnagotchi in a bag — any of these can be noticed and raised. The organizational culture either supports that or it doesn't.


What 2026 Actually Looks Like

A few things have shifted that change the calculation.

AI-assisted signal analysis. RTL-SDR and HackRF generate enormous amounts of data. Historically, analyzing it required expertise. That bar is lower now — not because the underlying knowledge is less, but because language models and pattern recognition tools can help interpret captures, identify protocols, and flag anomalies without requiring deep RF expertise from the operator. The gap between "I have the hardware" and "I understand what I'm seeing" is narrower than it has ever been.

BLE tracking is mainstream. Apple AirTags and Tile have made the public aware that BLE can be used for location tracking. What's less understood is that any device with a stable BLE MAC address is trackable by the same mechanism, and that most older devices don't rotate their MACs the way modern iOS/Android devices do by default. Deployed BLE infrastructure for "asset tracking" in commercial buildings is a surveillance layer that nobody audited before installing.

The Sub-GHz market exploded. Cheap wireless sensors for home automation, industrial monitoring, and agriculture have put enormous amounts of unencrypted Sub-GHz traffic into every environment. Each one is a potential information leak or replay target. The sheer volume makes systematic auditing difficult.

IMSI catchers got cheaper and the operators got less sophisticated. The threat model used to be: state-level actor with significant resources and technical depth. That's still true. But the floor has dropped. The hardware required to run a passive cellular interception setup is now within reach of a well-funded criminal operation or a moderately resourced PI firm. The proliferation question isn't whether the technology exists — it's who's running it.

WPA3 transition is real but uneven. WPA3 SAE closes the offline dictionary attack on Wi-Fi handshakes. Modern hardware supports it. But mixed environments — one WPA3 AP, a dozen legacy WPA2 devices — often fall back to WPA2 transition mode, which doesn't close the gap. The attack surface shrank. It did not disappear.


The Practical Stack, Assembled

If you wanted to actually monitor your RF environment — home, small office, mobile — here's what that looks like in 2026:

Passive Wi-Fi monitoring: Raspberry Pi with a monitor-mode capable adapter (Alfa AWUS036ACH is the workhorse), running a custom probe logger and deauth detector. Logs to SQLite. Alerts on anomalies. Da Bklyn Bridge if you want the full intelligence layer.

Cellular monitoring: Clutch on iOS for mobile. The Python backend on a dedicated Linux machine at fixed locations. WebSocket coordination if you have multiple monitoring points.

Sub-GHz sweep: RTL-SDR v4 with rtl_power for baseline and anomaly detection. HackRF if you want to transmit or do deeper signal analysis. Both, ideally.

RFID audit: Proxmark3 for serious analysis. Flipper Zero for quick field checks. The goal here is not ongoing monitoring — it's knowing what your cards actually are before someone else finds out.

Alerting: Pipe everything to a single SQLite database or a local Grafana instance. Set thresholds. Get notified. Review daily.

None of this is a product. It's a collection of tools, scripts, and attention. The attention is the part that can't be purchased.


Closing

The RF spectrum is not a niche concern. It is the physical layer of most of the access control, communication, and tracking infrastructure that modern environments run on. It was built without a serious adversary in mind. The adversary has arrived.

The gap is not technical. The tools to monitor, detect, and audit the RF layer are available, cheap, and well-documented. The gap is attention. Most organizations spend significant effort on network security and almost no effort on the layer below the network — the one that handles who gets through the door, which tower the phones connect to, and what the sub-GHz sensors are broadcasting.

That layer is soft. It doesn't have to be.


Clutch is open source at github.com/ghostintheprompt/clutch. MIT licensed. Designed for journalists, activists, security professionals, and anyone who needs to know what their cellular layer is actually doing.

Related: Games We Play With Ye Olde Alfa & Da Bklyn Bridge


GhostInThePrompt.com // The target was soft. The signal was the truth. The rest is methodology.