1. The Forgotten Frontier of Cybersecurity

When I started in pentesting, I thought "network" meant TCP/IP, ports, and packets. Wireshark was my microscope. Burp Suite was my scalpel. But somewhere between the rise of IoT and the explosion of connected devices, I realized we were leaving a blind spot untouched — the radio spectrum.

In 2025, this blind spot has become a playground for attackers. Cars, smart locks, medical devices and drones all talk over the air. Yet most pentesters still operate as if Wi-Fi is the only frequency that matters. That's a mistake. The RF layer has vulnerabilities that can't be firewalled, logged, or patched remotely.

Ignoring it today is like ignoring the web in 2000.

2. What "Radio Spectrum" Really Means for Pentesters

When people hear "radio," they imagine FM broadcasts or old walkie-talkies. But in the context of cybersecurity, radio means everything that transmits data wirelessly. That includes Bluetooth, Zigbee, LoRa, NFC, RFID, GSM, LTE, Wi-Fi, satellite links, and proprietary low-frequency bands that industrial systems still depend on.

Each of these technologies carries authentication tokens, control commands, and data that often never touches a traditional IP network. And that's where the opportunity and risk lie.

To a pentester, the radio spectrum is another network layer, just one you can't see without the right tools.

3. The Tools of the Modern RF Hacker

The first time I captured a signal from a smart lock, it felt like magic. I was holding a cheap RTL-SDR dongle connected to my laptop and watching frequencies light up in real time. It wasn't just "noise"; it was structured data being exchanged between a key fob and the door.

Today, RF pentesting setups are surprisingly affordable and powerful. A few essential tools every pentester should get familiar with in 2025 include:

  • HackRF One: A full-duplex SDR capable of transmitting and receiving signals from 1 MHz to 6 GHz. Perfect for replay attacks and protocol fuzzing.
  • Yard Stick One: A simple sub-1 GHz transceiver great for low-frequency IoT devices.
  • Flipper Zero: The multi-tool for hackers — a compact RF Swiss Army knife.
  • GNU Radio / SDR++ / URH: Software suites for capturing, visualising, and decoding radio signals.

And when you pair these with Python? The real magic happens.

4. Python in the Airwaves: Automating RF Recon

Python has quietly become the go-to language for RF security research. With libraries like scapy-radio, gnuradio, and pyserial, it's now possible to automate everything from signal scanning to packet injection.

Here's an example of a simple script I used to automate signal detection on a 433 MHz smart device band — a frequency used by garage doors, remotes, and older IoT devices:

import numpy as np
from rtlsdr import RtlSdr   # pyrtlsdr: pip install pyrtlsdr

sdr = RtlSdr()
sdr.sample_rate = 2.4e6     # 2.4 MS/s: the whole 433 MHz ISM band fits in one capture
sdr.center_freq = 433.92e6  # common centre frequency for remotes and garage doors
sdr.gain = 'auto'

try:
    samples = sdr.read_samples(256 * 1024)   # complex IQ samples, one buffer
finally:
    sdr.close()                              # release the dongle even if the read fails

# Power in dB relative to full scale. |x|^2 is power, so the amplitude needs 20*log10,
# not 10*log10; the tiny constant avoids log10(0) on silent samples.
power = 20 * np.log10(np.abs(samples) + 1e-12)
print("Peak signal detected at: %.1f dBFS" % np.max(power))

What looks like a small block of code can identify signals that carry unlock commands, telemetry data, or authentication packets. Combine this with FFT visualization, and you can literally see data that is invisible to most pentesters.
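A peak value on its own says little; what a spectrum monitor (or an auditor looking for unexpected transmitters) actually wants is when a device keyed up and for how long. The following is an added example, not the author's script: it takes a buffer of IQ samples, computes per-block power in dB correctly (10*log10 of the mean of |x|^2), estimates the noise floor with the median so that the bursts themselves don't skew it, and reports the spans that rise above the floor. The capture is constructed in code (Gaussian noise plus two keyed-on bursts of a tone 50 kHz off centre) so it runs without hardware; swap `make_test_capture()` for the `samples` array from an RTL-SDR read to use it on a real recording.

```python
import cmath
import math
import random

def block_power_db(iq, block_len=64):
    """Mean power of each block of complex IQ samples, in dB (10*log10 of mean |x|^2)."""
    out = []
    for start in range(0, len(iq) - block_len + 1, block_len):
        block = iq[start:start + block_len]
        mean_sq = sum(abs(x) ** 2 for x in block) / block_len
        out.append(10 * math.log10(mean_sq + 1e-12))  # epsilon avoids log10(0)
    return out

def noise_floor_db(power_db):
    """Median block power: robust to the minority of blocks that contain a transmission."""
    s = sorted(power_db)
    n = len(s)
    return s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2

def find_bursts(power_db, floor_db, margin_db=10.0):
    """Return (first_block, last_block) spans whose power exceeds the floor by margin_db."""
    bursts = []
    start = None
    for i, p in enumerate(power_db):
        active = p > floor_db + margin_db
        if active and start is None:
            start = i
        elif not active and start is not None:
            bursts.append((start, i - 1))
            start = None
    if start is not None:
        bursts.append((start, len(power_db) - 1))
    return bursts

def detect_bursts(iq, block_len=64, margin_db=10.0):
    """Convenience wrapper: returns (list of burst spans in blocks, estimated floor in dB)."""
    p = block_power_db(iq, block_len)
    floor = noise_floor_db(p)
    return find_bursts(p, floor, margin_db), floor

def make_test_capture(sample_rate=2.4e6, tone_offset_hz=50e3, seed=1):
    """Constructed IQ capture (not a real recording): Gaussian noise with two keyed-on
    bursts of a CW tone, covering blocks 30-49 and 120-129 at a block length of 64."""
    rng = random.Random(seed)
    n = 64 * 200  # 200 blocks of 64 samples
    iq = []
    for k in range(n):
        noise = complex(rng.gauss(0, 0.01), rng.gauss(0, 0.01))
        on = (30 * 64 <= k < 50 * 64) or (120 * 64 <= k < 130 * 64)
        tone = 0.5 * cmath.exp(2j * math.pi * tone_offset_hz * k / sample_rate) if on else 0
        iq.append(noise + tone)
    return iq

if __name__ == "__main__":
    bursts, floor = detect_bursts(make_test_capture())
    print("estimated noise floor: %.1f dB" % floor)
    for first, last in bursts:
        print("burst in blocks %d-%d (%d samples)" % (first, last, (last - first + 1) * 64))
```

The block length sets the time resolution (64 samples at 2.4 MS/s is about 27 µs), and the 10 dB margin is a starting point: on a busy band raise it until idle periods stop being flagged, then watch for bursts that recur at a fixed interval, the signature of a beacon or a handshake.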

5. Real-World RF Vulnerabilities That Changed My Perspective

Let's get practical. Over the past year, I've encountered three real-world scenarios that prove why radio is no longer optional in cybersecurity testing:

a) Car Key Fob Replay Attack: A client asked me to audit the security of their connected vehicle system. Using an SDR and a basic replay script, I could capture and retransmit the unlock signal from a key fob, effectively opening the car without the actual key.

The system used rolling codes, but it wasn't properly synchronised. Once I found that flaw, it was game over.

b) Industrial Sensor Interception: At a manufacturing site, I discovered that environmental sensors were transmitting temperature and vibration data over 868 MHz — unencrypted. Anyone could have injected fake readings to trigger false shutdowns or safety alarms.

c) Medical Device Data Leak: This one hit close to home. A wearable glucose monitor was sending unencrypted telemetry data over Bluetooth Low Energy (BLE). Anyone within range could sniff it and reconstruct readings. That's personal health data — exposed because encryption wasn't considered at the RF layer.

These aren't theoretical. They're happening everywhere, and most organisations don't even realise their "airspace" is leaking data.
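The synchronisation flaw in scenario (a) lives in the receiver's acceptance logic, and it is worth seeing exactly what that check has to do. Below is an added example, not the author's code and not any vendor's protocol: a constructed frame format (a 4-byte counter plus a truncated HMAC tag, used here as a stand-in for the encrypted counter a real rolling-code scheme would carry) and two receivers. `NaiveReceiver` only validates the tag, so a frame it has already accepted is accepted again when the same bytes arrive a second time, which is the failure the replay test in an audit is looking for. `WindowedReceiver` additionally requires the counter to advance past the last accepted value within a bounded window, so a repeated frame, a stale one, and a wildly out-of-sync one are all rejected while a few missed presses still resynchronise. The key and frame layout are invented for the demo.

```python
import hashlib
import hmac

# Constructed shared secret for the demo; a real fob and receiver are paired with their own key.
DEMO_KEY = b"constructed-demo-key"

def make_frame(counter, key=DEMO_KEY):
    """Transmitter side: 4-byte big-endian counter followed by an 8-byte truncated HMAC tag.
    This layout is invented for the example, not a vendor format."""
    ctr = counter.to_bytes(4, "big")
    tag = hmac.new(key, ctr, hashlib.sha256).digest()[:8]
    return ctr + tag

def verify_tag(frame, key):
    """Return (tag_is_valid, counter). Constant-time compare avoids leaking the tag."""
    ctr, tag = frame[:4], frame[4:]
    expected = hmac.new(key, ctr, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(tag, expected), int.from_bytes(ctr, "big")

class NaiveReceiver:
    """Checks only the tag: any previously captured frame is accepted again."""
    def __init__(self, key=DEMO_KEY):
        self.key = key

    def accept(self, frame):
        ok, _ = verify_tag(frame, self.key)
        return ok

class WindowedReceiver:
    """Checks the tag and requires the counter to move strictly past the last accepted
    value, but by no more than `window`, so missed presses resynchronise while stale
    or far-out-of-sync counters are rejected."""
    def __init__(self, key=DEMO_KEY, window=16):
        self.key = key
        self.window = window
        self.last = -1  # nothing accepted yet

    def accept(self, frame):
        ok, ctr = verify_tag(frame, self.key)
        if not ok:
            return False
        if not (self.last < ctr <= self.last + self.window):
            return False
        self.last = ctr
        return True

def replay_outcome(receiver):
    """Deliver one legitimate frame, then the identical bytes a second time.
    Returns (accepted_first_time, accepted_second_time)."""
    frame = make_frame(5)
    return receiver.accept(frame), receiver.accept(frame)

if __name__ == "__main__":
    print("naive receiver    (first, repeat):", replay_outcome(NaiveReceiver()))
    print("windowed receiver (first, repeat):", replay_outcome(WindowedReceiver()))
```

When auditing a real device, the same two-step delivery is the test: if the second delivery of an already-accepted frame still actuates the lock, the receiver is behaving like `NaiveReceiver`, whatever its datasheet says about rolling codes.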

6. How to Integrate RF Testing into Your Pentest Workflow

So, how do you actually make RF part of your standard pentesting process?

Here's the framework I use when assessing a new environment:

  1. Recon the Spectrum: Use an SDR and a tool like gqrx or SDR++ to visualize active frequencies in the area. Look for recurring patterns or bursts — these often indicate a device-to-device handshake.
  2. Identify Protocols: Match signal characteristics (bandwidth, modulation, timing) with known RF protocols. Tools like URH can help decode binary payloads.
  3. Capture and Analyze Data: Record raw IQ samples for further analysis. If data appears structured, use Python to detect repeating bit sequences, a sign of protocol headers or payloads.
  4. Attempt Replay / Injection: With authorization, transmit captured packets back to the device to test whether it accepts unauthenticated input.
  5. Correlate With Network Behaviour: Often, RF data interacts with IP networks downstream. Mapping both sides reveals hybrid vulnerabilities that pure network scans miss.

This workflow makes RF testing a pillar of your audit methodology.
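Step 3 of the framework, detecting repeating bit sequences in demodulated data, is the part most easily done in a few lines of Python. The following is an added example, not the author's tooling: given a string of demodulated bits, it finds the repeat period by testing each lag for the fraction of positions where the stream agrees with itself, splits the stream into frames at that period, and reports which bit positions are constant across frames (preamble and device identifier) and which vary (the command). The input stream is constructed inline (a 16-bit alternating preamble, a 12-bit identifier, a 4-bit command that changes halfway through, and a 10-bit gap), so the field boundaries are my assumptions for the demo, not any real remote's format.

```python
PREAMBLE = "1010101010101010"   # constructed: 16-bit alternating sync pattern
DEVICE_ID = "110010011011"      # constructed: 12-bit fixed identifier
GAP = "0" * 10                  # constructed: inter-frame silence

def make_stream():
    """Constructed demodulated bitstream: four frames, command changes after the second."""
    frames = [PREAMBLE + DEVICE_ID + cmd + GAP for cmd in ("0101", "0101", "0110", "0110")]
    return "".join(frames)

def match_ratio(bits, lag):
    """Fraction of positions where the stream agrees with itself shifted by `lag`."""
    n = len(bits) - lag
    return sum(bits[i] == bits[i + lag] for i in range(n)) / n

def find_period(bits, min_lag=8, threshold=0.95):
    """Smallest lag at which the stream nearly repeats; None if nothing repeats.
    The threshold is below 1.0 so a varying command field doesn't hide the period."""
    for lag in range(min_lag, len(bits) // 2 + 1):
        if match_ratio(bits, lag) >= threshold:
            return lag
    return None

def split_frames(bits, period):
    """Cut the stream into consecutive frames of `period` bits (trailing remainder dropped)."""
    return [bits[i:i + period] for i in range(0, len(bits) - period + 1, period)]

def varying_positions(frames):
    """Bit positions whose value differs between frames: candidates for command/counter fields."""
    width = min(len(f) for f in frames)
    return [i for i in range(width) if len({f[i] for f in frames}) > 1]

def common_prefix_len(frames):
    """Length of the header every frame shares (preamble plus fixed identifier bits)."""
    width = min(len(f) for f in frames)
    for i in range(width):
        if len({f[i] for f in frames}) > 1:
            return i
    return width

if __name__ == "__main__":
    stream = make_stream()
    period = find_period(stream)
    frames = split_frames(stream, period)
    print("repeat period: %d bits, %d frames" % (period, len(frames)))
    print("fixed header length:", common_prefix_len(frames))
    print("varying bit positions:", varying_positions(frames))
    for f in frames:
        print(f)
```

On a real capture the bitstream comes from thresholding the burst amplitude at the symbol period you measured in step 2; the constant positions then tell you which part of the frame is identity and which part changes per press, which is exactly the distinction a rolling-code or encryption check in step 4 needs to be evaluated against.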

7. The Ethical Side of the Spectrum

RF pentesting is fun, but it comes with serious legal and ethical boundaries. Transmitting on licensed frequencies without authorisation can violate federal laws. The golden rule: capture all you want, transmit only in controlled environments.

That's why in every engagement, I isolate the test setup within a Faraday enclosure or use frequency bands designated for experimentation.

Security research should illuminate vulnerabilities, not cause harm.

8. The Future: RF Meets AI and Cloud

Here's where things get even more interesting. In 2025, AI models can now analyze RF signal patterns and classify devices automatically. I've seen teams combine TensorFlow with SDR datasets to detect anomalies in wireless environments — essentially turning spectrum analysis into a machine learning problem.

We're moving toward autonomous signal reconnaissance — systems that can sweep frequencies, identify unknown transmitters, and raise alerts without human intervention.

At the same time, cloud platforms like AWS IoT Core and Azure Digital Twins are integrating RF telemetry streams, making the boundary between cloud security and RF security thinner than ever.

In the next few years, pentesters will need to think beyond "networks and endpoints" and start thinking in frequencies and waveforms.

9. Why This Matters in 2025

If you're a cybersecurity professional today, your attack surface isn't just IP addresses; it's everything that transmits. The old perimeter is gone. And as we move deeper into IoT, smart infrastructure, and autonomous systems, the RF spectrum becomes a battlefield that few are trained to fight in.

Learning RF pentesting isn't optional anymore. It's a skill gap waiting to be exploited — by either you or your adversary.

The best part? It's not magic. With a $50 SDR, a Python script, and curiosity, you can uncover an entire world of vulnerabilities hiding in plain sight, or rather, hiding in the air.

Final Thought: I used to think the airwaves were just background noise. Now, I see them as the rawest, most transparent form of communication — and one of the biggest security blind spots of our time.