Most people I talk to in infosec have played with web apps, mobile apps, APIs. But when I ask, “Have you tried hacking radio?” — it’s almost always a no.
So here’s a post for those who are curious. If you’ve never touched an SDR before, or didn’t know where to begin, this is for you. I gave a talk on this back in 2018 at a DEFCON Trivandrum Chapter meetup — but everything I said then still holds up. Let’s walk through it all, from scratch.
🧭 Why Radio?
Radio doesn’t get the attention it deserves in security. Most people stay away because it feels like a black box — hardware-heavy, expensive, and full of technical terms that don’t show up in your everyday pentest.
But here’s the truth:
Radio is everywhere.
Your smart doorbell? Radio.
Your car key? Radio.
Your weather station, drone, fitness tracker? All radio.
And you can listen in — without even touching the device.
You don’t need physical access to explore RF. You just need the right gear and some curiosity.
🛠️ So, What Exactly Is Software Defined Radio?
Traditional radios have physical components — mixers, amplifiers, modulators, and so on. With Software Defined Radio (SDR), all of that gets implemented in software.
Instead of building custom hardware for every frequency or protocol, you just change the code. One USB stick + the right software = a huge chunk of the radio spectrum in your hands.
SDRs let you receive (and sometimes transmit) signals across a wide frequency range — depending on the hardware.
🔓 What Kind of Attacks Are Possible?
Here’s what you can do (or at least observe) once you start listening to the air:
- Replay attacks — record and replay RF signals like car remotes
- GPS spoofing — fake GPS signals to mislead devices
- GSM sniffing — monitor unencrypted cellular traffic
- Key fob attacks — capture and potentially clone remote control signals
Sounds wild? It is. And it’s easier than you think.💰 Hardware — From Budget to Brutal
Let’s talk gear.
🧨 The Expensive Stuff:
- USRP (Ettus Research)
→ Full-duplex, high-performance SDR. Starts around $2,000. - HackRF One
→ Half-duplex, covers 1 MHz to 6 GHz. Open source. ~$300–$400. - BladeRF
→ Full-duplex with decent range. Around ₹50,000.
These are great. But for most of us, that’s too much to throw at a new hobby.
✅ The Beginner’s Gateway Drug: RTL-SDR
This is where everything changes.
- Originally a cheap TV tuner dongle
- Re-flashed by researchers to behave like an SDR
- Cost: ₹1000 (~$10–15)
What you get:
- Receive-only (no transmit)
- Frequency range: 24 MHz to ~1.7 GHz
- Can pick up:
- Aircraft signals (ADS-B)
- Ship locations (AIS)
- GSM cell towers
- IoT device comms
- Weather stations
- And more...
This little device is what I always recommend to anyone starting out.
💻 The Software Stack
Once you’ve got your RTL-SDR plugged in, here are the tools to start exploring:
GNU Radio
- Drag-and-drop blocks to build radio receivers
- Can connect directly to SDR hardware
- Great for building custom pipelines
GQRX
- GUI-based waterfall and spectrum view
- Works on Linux and macOS
- Nice visual feedback
SDR# (SDR Sharp)
- Best option for Windows
- Clean UI, waterfall + spectrum, audio demodulation
rtl_sdr (CLI tools)
- Command-line utility to record RF samples
- Can be piped into decoding tools or just saved for replay
📶 Antennas: Choose Your Weapon
The SDR won’t hear anything without the right antenna. What you use depends on the frequency you're targeting:
- Rubber ducky – portable, basic
- Ground plane – decent for broad range
- Turnstile – good for satellite signals
- Yagi-Uda – directional, great gain for specific bands
If you’re just starting, the small whip that comes with RTL-SDR is good enough to experiment.
🧪 Real Demos I Did
During my talk, I showed two live demos:
1. Ham Radio Capture
I transmitted from my ham radio and tuned into my own signal using RTL-SDR + SDR#.
Audience could see the transmission spike in the waterfall diagram and hear the audio clearly.
2. Key Fob Sniffing
I pressed the button on my car remote and watched for RF activity.
Found a burst at 433 MHz — confirmed that’s what my key fob uses.
With RTL-SDR I could record the signal, and if the system was vulnerable, I could replay it using HackRF or a cheap custom transmitter (even a Raspberry Pi module).
RTL-SDR can’t transmit, but it can help you find and analyze these signals.🚀 Final Thoughts
Radio hacking feels like magic the first time you see it work. And for under ₹1000, it’s one of the most fun and underrated ways to explore the physical world of security.
This is just the beginning — there's a whole RF universe out there. If you're curious, plug in, tune in, and start exploring.
“If you can’t see it doesn’t mean it’s not there.”
– VU3TFQ