Category: Security

DeDECTive: A DECT 6.0 Cordless Phone Scanner and Voice Decoder for the HackRF

Over on GitHub and YouTube, we've seen the release of Sarah Rose's new program called DeDECTive, a DECT 6.0 scanner and voice decoder for the HackRF running on Linux systems. DECT (Digital Enhanced Cordless Telecommunications) is a digital wireless protocol typically used by modern cordless phones.

Back in 2019, Sarah (previously known as Corrosive) demonstrated how to use gr-dect2 to decode DECT in a previous video. In her latest work, she's ported gr-dect2 to C++ and written a nice GUI for the decoder. This makes running and setting up the decoder a significantly better experience. The GUI has a wideband scanner and the ability to tune for a single DECT channel for full voice decoding. There is also a CLI version that will automatically tune to the first active voice channel.

We note that many DECT cordless phones use encryption, so this software may not work with those devices. In any case, please be aware that intercepting phone calls may be illegal in many jurisdictions.

DeDECTive: The DECT Toolkit

ESP32 Bus Pirate: Update Brings Waterfall Displays, Cellular Modem Support and External Radio Expander

Back in September 2025, we posted about the "ESP32 Bus Pirate" firmware, which transforms an ESP32-S3 into a multi-protocol debugging and hacking tool. Although the ESP32 does not have true SDR capabilities, it can leverage its numerous built-in radio hardware components to achieve a range of interesting feats. Recently, "Geo," the creator of the ESP32 Bus Pirate, wrote in to share some recent firmware updates with us. He writes:

The ESP32-Bus-Pirate project is an open-source firmware that transforms inexpensive ESP32-S3 boards into versatile hardware hacking and debugging tools. Inspired by tools like the Bus Pirate and Flipper Zero, the firmware allows a single ESP32 device to interact with a wide range of digital buses, radios, and hardware interfaces.

Because ESP32 boards include integrated WiFi and Bluetooth radios and can interface with many external modules, the firmware makes it possible to experiment with both hardware protocols and RF systems using very low-cost hardware.

The firmware currently supports a wide range of protocols and devices including:

I²C, SPI, UART, CAN, 1-Wire, infrared, smartcards, Sub-GHz radios, RF24 modules, WiFi, Bluetooth and cellular modems.

Major New Features in v1.5

The latest release adds several major capabilities useful for hardware analysis and RF experimentation.

Waterfall Spectrum Displays

Multiple RF modules can now display real-time waterfall visualizations, showing signal peaks and activity across frequencies. This is available for:

• Sub-GHz radios
• RF24 modules
• FM radio modules
• WiFi channel activity

This makes it easier to visually monitor RF environments directly from the device.

Sub-GHz Improvements

The Sub-GHz subsystem has been completely reworked for improved reliability when recording, replaying and receiving RF frames. Raw payload transmission is also supported.

Cellular Modem Support

ESP32-Bus-Pirate can now interact with cellular modem modules, allowing users to inspect modem and network information and perform operations such as:

• Dumping SIM card data
• sending SMS
• dialing calls

External Radio Expander

The firmware now supports an **external UART radio expansion module** called the **ESP32 Bus Expander**, which allows adding additional RF hardware modules to the system, notably for the WiFi 5GHz.

Links

Project:
https://github.com/geo-tp/ESP32-Bus-Pirate

Web Flasher:
https://geo-tp.github.io/ESP32-Bus-Pirate/webflasher/

Documentation:
https://github.com/geo-tp/ESP32-Bus-Pirate/wiki

Scripts collection:
https://github.com/geo-tp/ESP32-Bus-Pirate-Scripts

ESP32 Bus Expander:
https://github.com/geo-tp/ESP32-Bus-Expander

ESP32 Bus Pirate. Left - Running on COTS ESP32-S3 based devices. Right - ESP32 Bus Pirate Interface
ESP32 Bus Pirate. Left - Running on COTS ESP32-S3 based devices. Right - ESP32 Bus Pirate Web Interface

Exploring the Privacy Risks of Tire Pressure Monitoring Systems with RTL-SDR

Tire Pressure Monitoring System (TPMS) privacy concerns are a topic that comes up every now and then. Most modern vehicles have wireless tire pressure sensors that communicate with the vehicle's computer to alert the driver when tire pressure falls below a safety threshold.

The privacy issue is that these TPMS sensors each transmit a unique identifier, so the computer can know which tire is being measured, and not read other vehicles' sensors by mistake. As TPMS is not encrypted in any way, anyone with an RTL-SDR or other similar radio can receive and decode TPMS messages, including the unique identifier. This raises privacy concerns as this can be used to log the presence and movement of individual vehicles. 

A recent academic paper by university researchers showed how researchers deployed simple RTL-SDR + Raspberry Pi-based receivers along a road over a period of 10 weeks. They showed that TPMS transmissions can not only be used to identify, track, and detect the presence and daily routines of individual vehicles, but also to determine the type and weight of the vehicle via pressure readings.  Interestingly, they also note that variations in the weight of an identified vehicle could indicate, for example, whether a truck is loaded or unloaded, or whether there are additional passengers in a car.

The researchers highlight privacy concerns, noting that such data could be collected and sold by data mining companies without the driver's knowledge. 

RTL-SDR + Raspberry Pi for TPMS Monitoring
RTL-SDR + Raspberry Pi for TPMS Monitoring
The TPMS Monitoring Setup
The TPMS Monitoring Setup

Setting RF Based Atomic Clocks via Computer Speakers

Over on YouTube, Jeff Geerling has uploaded an interesting video showing how RF-based atomic clocks can be set via signals generated from a computer speaker. In the USA, RF-based atomic clocks typically receive their atomic time signal from the WWVB 60 kHz longwave radio station, operated near Fort Collins, Colorado. In other countries, different time signal transmitters operate on different frequencies. However, these time signals cannot be received everywhere due to interference or geographic limitations, making RF atomic clocks useless in these situations. 

As Jeff points out, a Time Station Emulator program can be used to locally emulate the WWVB or other time signals, which, while not providing atomic time accuracy, could still make these clocks useful again.

Most interestingly, the emulator program requires no special RF transmission hardware. Instead, it simply uses your computer speakers to broadcast the time signal.

By carefully crafting a waveform at a specific audio frequency (out of normal human hearing range), the digital-to-analog converter will generate higher frequency RF harmonics, and one harmonic will match the time signal frequency required by the RF-based atomic clock. The wires running to the speakers, and the speakers themselves, will act as antennas, leaking these harmonics into the surrounding environment. This means that cheaper unshielded speakers, such as those found in phones and tablets, tend to work better.  

In the video, Jeff uses a HydraSDR and an upconverter to receive the time signal generated by the speakers. While the time signal cannot be seen on the spectrum itself, in the demodulated audio, you can hear the signal's pulses.

Van Eck Phreaking time to atomic clocks

Telive osmo-tetra-sq5bpf: An Experimental TETRA Decoder that Enables Voice Decryption (If You Have the Key)

Thank you to Jacek / SQ5BPF for letting us know that he's recently released a modified version of the Telive TETRA decoder for Linux. The modification allows the user to listen to TEAx-encrypted voice signals if they have the decryption key. Typically, if a TETRA signal is encrypted, there is no way to listen to it, unless you have obtained the decryption key from the network operator, or extracted it from TETRA keyloader hardware.

But because the TEA1 encryption was broken due to a backdoor being discovered in 2023, he has also added support for using the 32-bit short key directly, which can be automatically recovered from TETRA traffic using his other software called teatime. TEA1 encryption is being phased out, but many deployments still use it.

The software is designed for advanced users to compile and run, so very little documentation is provided. However, there is a blog post here that explains the overall steps. Some additional information can be found on SQ5BPF's RadioReference post here.

TETRA Decoding (with telive on Linux)
TETRA Decoding (with telive on Linux)

The Thought Emporium Explores IMSI Cell Phone Tracking and Other Advanced Cell Phone Attacks with Software Defined Radios

Over on YouTube, The Thought Emporium channel has uploaded a video outlining how mobile phones constantly leak unique IMSI identifiers over the air, making passive location tracking much easier than most people expect. While LTE and 5G improve security, older 2G and 3G protocols still expose permanent subscriber IDs that can be collected and linked to movement over time.

The video highlights how accessible this surveillance is. A cheap RTL-SDR USB dongle, basic antenna, and free software pre-installed on DragonOS are enough to passively collect IMSI numbers from nearby phones running on 3G. Once you know a person's unique IMSI number, you can easily track their movements if you have cheap radios monitoring the areas they frequent.

They also show how it's possible to use a more advanced TX-capable SDR like a USRP B210 to create a Stingray device, which is a fake cell-tower base station that you can force nearby cell phones to connect to. Once connected to the Stingray, all communications from your phone can be tapped. Finally, they discuss SS7 attacks, which, while difficult and/or expensive to gain access to the SS7 walled garden, can allow malicious actors to easily reroute security-related messages, such as 2-factor authentication.

The video finishes with potential defenses, including turning phones off when needed, forcing more secure LTE/5G-only connections, and using tools that detect fake cell towers. Privacy-focused mobile services that rotate identifiers are also discussed.

Recreating ICE Spy Tech Was WAY Too Easy

 

A Discussion on How WiFi Can Be Used To See Through Walls

Earlier in the year on YouTube, Yaniv Hoffman and Occupy The Web haved discussed research showing how Wi-Fi signals can be used to detect and track people through walls. The idea is simple from an RF point of view. Wi-Fi is just radio, and when those signals pass through a room they reflect and scatter off walls, furniture, and human bodies. By analyzing these reflections, it is possible to infer movement and even rough human outlines without placing any hardware inside the room.

Using low-cost SDRs, a standard PC, an NVIDIA GPU, and open-source AI tools like DensePose, researchers can reconstruct basic 3D human shapes in real time. In some cases, the system does not even need to transmit its own signal. It can passively analyze reflections from an existing Wi-Fi router already operating in the home.

The speakers note that this raises obvious privacy concerns. While there are some benign uses like motion-based home security or monitoring breathing in elderly care, the same techniques could be misused. Countermeasures are limited, as Wi-Fi uses spread spectrum techniques that make jamming difficult. 

If you're interested, we posted about something similar in 2015, where USRP radios were being used to detect the presence of people behind walls.

They’re Watching You Through Wi-Fi… And You Have No Idea

Using the Don’t Look Up Tool to Eavesdrop on Insecure Private Satellite Communications

Over on YouTube, Rob VK8FOES has uploaded a video showing how to install and use the "dontlookup" open-source Linux Python research tool for evaluating satellite IP link security. Back in October, we posted about a new Wired article that discussed how many geostationary satellites are broadcasting sensitive, unencrypted data in the clear and how a cheap DVB-S2 receiver and satellite dish can be used to eavesdrop on them.

In the video, Rob discusses the new dontlookup tool, which is an excellent one-stop shop open-source tool for parsing IP data from these satellites. He goes on to show the full steps on how to install and use the tool in Linux. The end result is private internet satellite data being visible in Wireshark (blurred in the video for legal reasons). In the video description, Rob writes:

I thought I would make a video showcasing this new open-source Python tool for Linux. 'Don't look up' is the result of a research campaign conducted by a group of cyber security researchers from the USA for decoding DVB-S2 satellite data transponders.

Geostationary communications satellites are somewhat of a 'perfect target' to malicious threat actors, due to their downlink signals covering large portions of earth surface. This gives attackers are large attack surface to intercept IP traffic being transmitted from space. To most peoples surprise, little-to-no security, such as encryption, are being used on these data transponders!

This is all old news to myself, and the fans of my YouTube channel that have been following my TV-satellite hobby for the past couple of years. Most of this was already possible with consumer-grade satellite equipment and a Python application called GSExtract. However, the scope of GSExtract was a lot more narrower than that of DontLookUp, with the developers claiming to have achieved an exponential packet recovery rate compared to GSExtract.

Join me in this video today where I will be showing my users how to patch and build the TBS5927 USB satellite receiver drivers for RAW data capturing. I'll also be showcasing the software application called 'DVBV5-Zap' which interfaces with our satellite receiver to capture RAW data from a satellite. And finally, I will finish-off the video by demonstrating the actual usage of DontLookUp itself. To make the tutorial as accessible as possible, I'm doing the entire process inside a Linux virtual machine!

This tutorial will probably only work in DragonOS FocalX R37 Linux by the wonderful @cemaxecuter. You are welcome to try on other Linux distributions, but your mileage will vary! Also, due to the TBS5927 using something called a 'Isochronous Endpoint', it's only possible to use this satellite receiver via USB Passthrough in VMWare versions 17.5 and above. VirtualBox does not support Isochronous USB Endpoints in any version. It's always best to run Linux on 'bare-metal' by installing it directly to your PC's internal SSD, or running it from a bootable USB thumb drive.

Please understand that if you own an internal PCI-E satellite receiver card from TBS, it is not possible to 'pass it through' to Linux running inside in a Type-2 Hypervisor (VMware, VirtualBox etc.) Installing Linux on bare-metal is the only hope for PCI-E card owners. Thanks very much for watching!

HARDWARE:
TBS5927 USB Satellite Receiver
90cm 'Foxtel' Satellite Dish
Golden Media GM202+ LNB
Hills RG-6 Coaxial Cable (F-Type Connectors, 75 Ohm)

SOFTWARE:
VMWare Workstation 17.6.2
DragonOS FocalX R37 Linux
TBS 'Linux_Media' Drivers
'RAW Data Handling' Patch
DVBV5-Zap
DontLookUp

If you're interested in this topic, Rob's YouTube channel has many videos on this topic that are worth checking out.

Don't Look Up (No, Not The Movie): A New Research Tool To Evaluate Satellite IP Link Security!