BIPI

SDR Pentesting Primer: HackRF, RTL-SDR, and Replay-Capture Attacks

Cybersecurity

Software defined radio turns every red team into a signal intelligence team. This primer walks through hardware choice, GQRX for survey work, Inspectrum and URH for demodulation, and the practical workflow for capturing and replaying garage door, key fob, and industrial telemetry signals during scoped engagements.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 14, 2023 · 10 min read

#sdr #hackrf #rtl-sdr #radio #red-team

Why SDR belongs in your kit

Building automation, fleet telematics, fire panels, and emergency radios all use sub-GHz radio. Most assume the spectrum is too obscure to attack. A 30 dollar dongle and a quiet weekend say otherwise.

Hardware tiers

  • RTL-SDR for receive-only survey work, perfect for learning.
  • HackRF One for half duplex transmit and receive across 1 MHz to 6 GHz.
  • LimeSDR or USRP B210 for full duplex and serious replay work.

Survey: see what is in the air

Start with GQRX to walk the spectrum visually. Note any narrowband signals at 315 MHz, 433 MHz, 868 MHz, and 915 MHz. These are the ISM bands where most consumer and industrial devices live.

Demodulation workflow

  1. Capture IQ samples to a .cfile with hackrf_transfer or gqrx.
  2. Open in Inspectrum to estimate symbol rate and modulation.
  3. Move to Universal Radio Hacker (URH) to decode and label payloads.

Replay vs rolling code

  • Fixed code remotes replay cleanly with hackrf_transfer transmit mode.
  • Rolling code remotes require capture-and-jam techniques, the rollback attack.
  • Always check whether the target uses KeeLoq or a modern AES-based scheme.

GNU Radio for custom protocols

When a protocol does not match anything in URH, draw a flow graph in GNU Radio Companion. Source from the SDR, demodulate, slice, decode, and sink to a file. The same graph can be inverted to retransmit.

Targets you will actually see

  • Garage and gate remotes around 315 and 433 MHz.
  • Tyre pressure monitoring at 315 MHz, surprisingly leaky.
  • Industrial telemetry at 868 and 915 MHz, often unauthenticated.

Detection

  1. Spectrum monitoring at facility perimeters.
  2. Anomaly alerting on the pairing and access logs of the entry systems.
  3. Procurement controls requiring rolling code or AES authenticated remotes.
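As an added example (not code from the article or from BIPI), here is a defender-side triage pass over decoded sub-GHz frames, such as those exported from URH, that flags the two patterns the article describes: a remote that sends the same payload on every press (fixed code), and a rolling-code counter that fails to advance (replay or rollback candidate). The frame layout of a 4-byte serial followed by a 2-byte counter, the device names and the frames themselves are all constructed for this example.

```python
from collections import defaultdict

# Constructed sample of decoded frames: (timestamp_s, device, payload_hex).
# Assumed layout for rolling-code devices: 4-byte serial + 2-byte counter.
SAMPLE_FRAMES = [
    (10.0, "gate-A", "a1b2c3d4"),
    (40.5, "gate-A", "a1b2c3d4"),
    (75.2, "gate-A", "a1b2c3d4"),
    (12.0, "door-B", "0102030400f1"),
    (48.0, "door-B", "0102030400f2"),
    (90.0, "door-B", "0102030400f2"),   # counter 0xf2 seen again: replay candidate
    (120.0, "door-B", "0102030400f0"),  # counter moved backwards: rollback candidate
]


def classify_fixed_code(frames, min_repeats=3):
    """Return devices whose frames all carry one identical payload, seen at
    least min_repeats times; these are the remotes that replay cleanly."""
    payloads = defaultdict(set)
    counts = defaultdict(int)
    for _, dev, payload in frames:
        payloads[dev].add(payload)
        counts[dev] += 1
    return sorted(d for d in payloads
                  if len(payloads[d]) == 1 and counts[d] >= min_repeats)


def rolling_counter(payload_hex):
    """Extract the 16-bit counter from the assumed serial+counter layout."""
    return int(payload_hex[8:12], 16)


def find_rolling_replays(frames, rolling_devices):
    """Walk frames in time order and flag any frame whose counter does not
    exceed the highest counter already seen for that device. Real schemes
    allow a resync window and counter wrap, so treat hits as triage leads."""
    highest = {}
    alerts = []
    for ts, dev, payload in sorted(frames):
        if dev not in rolling_devices:
            continue
        ctr = rolling_counter(payload)
        if dev in highest and ctr <= highest[dev]:
            alerts.append((ts, dev, ctr, highest[dev]))
        else:
            highest[dev] = ctr
    return alerts


if __name__ == "__main__":
    print("fixed-code devices:", classify_fixed_code(SAMPLE_FRAMES))
    for ts, dev, ctr, seen in find_rolling_replays(SAMPLE_FRAMES, {"door-B"}):
        print(f"t={ts:>6}s {dev}: counter {ctr:#06x} not above {seen:#06x}")
```

Feed it the pairing log of a real access system and the same two rules become the anomaly alert the detection list above calls for.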

Remediation

  • Move legacy remotes to AES-128 challenge response designs.
  • Add a physical button press confirmation for industrial controllers.
  • Reduce TX power on internal systems so they do not radiate to the car park.

  • 34%: Garage fobs still fixed-code
  • 57%: Industrial telemetry unauthenticated
  • 81%: Average replay success

The cheapest dongle on the shelf can listen to a fire panel from across the street.
