Over on GitHub and YouTube, we've seen the release of Sarah Rose's new program called DeDECTive, a DECT 6.0 scanner and voice decoder for the HackRF running on Linux systems. DECT (Digital Enhanced Cordless Telecommunications) is a digital wireless protocol typically used by modern cordless phones.
Back in 2019, Sarah (previously known as Corrosive) demonstrated how to use gr-dect2 to decode DECT in a previous video. In her latest work, she's ported gr-dect2 to C++ and written a nice GUI for the decoder. This makes running and setting up the decoder a significantly better experience. The GUI has a wideband scanner and the ability to tune for a single DECT channel for full voice decoding. There is also a CLI version that will automatically tune to the first active voice channel.
We note that many DECT cordless phones use encryption, so this software may not work with those devices. In any case, please be aware that intercepting phone calls may be illegal in many jurisdictions.
Back in September 2025, we posted about the "ESP32 Bus Pirate" firmware, which transforms an ESP32-S3 into a multi-protocol debugging and hacking tool. Although the ESP32 does not have true SDR capabilities, it can leverage its numerous built-in radio hardware components to achieve a range of interesting feats. Recently, "Geo," the creator of the ESP32 Bus Pirate, wrote in to share some recent firmware updates with us. He writes:
The ESP32-Bus-Pirate project is an open-source firmware that transforms inexpensive ESP32-S3 boards into versatile hardware hacking and debugging tools. Inspired by tools like the Bus Pirate and Flipper Zero, the firmware allows a single ESP32 device to interact with a wide range of digital buses, radios, and hardware interfaces.
Because ESP32 boards include integrated WiFi and Bluetooth radios and can interface with many external modules, the firmware makes it possible to experiment with both hardware protocols and RF systems using very low-cost hardware.
The firmware currently supports a wide range of protocols and devices including:
I²C, SPI, UART, CAN, 1-Wire, infrared, smartcards, Sub-GHz radios, RF24 modules, WiFi, Bluetooth and cellular modems.
Major New Features in v1.5
The latest release adds several major capabilities useful for hardware analysis and RF experimentation.
Waterfall Spectrum Displays
Multiple RF modules can now display real-time waterfall visualizations, showing signal peaks and activity across frequencies. This is available for:
• Sub-GHz radios
• RF24 modules
• FM radio modules
• WiFi channel activity
This makes it easier to visually monitor RF environments directly from the device.
Sub-GHz Improvements
The Sub-GHz subsystem has been completely reworked for improved reliability when recording, replaying and receiving RF frames. Raw payload transmission is also supported.
Cellular Modem Support
ESP32-Bus-Pirate can now interact with cellular modem modules, allowing users to inspect modem and network information and perform operations such as:
The firmware now supports an external UART radio expansion module called the ESP32 Bus Expander, which allows adding additional RF hardware modules to the system, notably for 5GHz WiFi.
Tire Pressure Monitoring System (TPMS) privacy concerns are a topic that comes up every now and then. Most modern vehicles have wireless tire pressure sensors that communicate with the vehicle's computer to alert the driver when tire pressure falls below a safety threshold.
The privacy issue is that these TPMS sensors each transmit a unique identifier, so the computer can know which tire is being measured, and not read other vehicles' sensors by mistake. As TPMS is not encrypted in any way, anyone with an RTL-SDR or other similar radio can receive and decode TPMS messages, including the unique identifier. This raises privacy concerns as this can be used to log the presence and movement of individual vehicles.
A recent academic paper describes how university researchers deployed simple RTL-SDR + Raspberry Pi-based receivers along a road over a period of 10 weeks. They showed that TPMS transmissions can not only be used to identify, track, and detect the presence and daily routines of individual vehicles, but also to determine the type and weight of the vehicle via pressure readings. Interestingly, they also note that variations in the weight of an identified vehicle could indicate, for example, whether a truck is loaded or unloaded, or whether there are additional passengers in a car.
The researchers highlight privacy concerns, noting that such data could be collected and sold by data mining companies without the driver's knowledge.
The TPMS Monitoring Setup (RTL-SDR + Raspberry Pi)
Thank you to Jacek / SQ5BPF for letting us know that he's recently released a modified version of the Telive TETRA decoder for Linux. The modification allows the user to listen to TEAx-encrypted voice signals if they have the decryption key. Typically, if a TETRA signal is encrypted, there is no way to listen to it, unless you have obtained the decryption key from the network operator, or extracted it from TETRA keyloader hardware.
But because the TEA1 encryption was broken due to a backdoor being discovered in 2023, he has also added support for using the 32-bit short key directly, which can be automatically recovered from TETRA traffic using his other software called teatime. TEA1 encryption is being phased out, but many deployments still use it.
The software is designed for advanced users to compile and run, so very little documentation is provided. However, there is a blog post here that explains the overall steps. Some additional information can be found on SQ5BPF's RadioReference post here.
Over on YouTube, The Thought Emporium channel has uploaded a video outlining how mobile phones constantly leak unique IMSI identifiers over the air, making passive location tracking much easier than most people expect. While LTE and 5G improve security, older 2G and 3G protocols still expose permanent subscriber IDs that can be collected and linked to movement over time.
The video highlights how accessible this surveillance is. A cheap RTL-SDR USB dongle, basic antenna, and free software pre-installed on DragonOS are enough to passively collect IMSI numbers from nearby phones running on 3G. Once you know a person's unique IMSI number, you can easily track their movements if you have cheap radios monitoring the areas they frequent.
They also show how it's possible to use a more advanced TX-capable SDR like a USRP B210 to create a Stingray device, which is a fake cell-tower base station that you can force nearby cell phones to connect to. Once connected to the Stingray, all communications from your phone can be tapped. Finally, they discuss SS7 attacks. While access to the SS7 walled garden is difficult and/or expensive to gain, these attacks can allow malicious actors to easily reroute security-related messages, such as 2-factor authentication.
The video finishes with potential defenses, including turning phones off when needed, forcing more secure LTE/5G-only connections, and using tools that detect fake cell towers. Privacy-focused mobile services that rotate identifiers are also discussed.
Earlier in the year on YouTube, Yaniv Hoffman and Occupy The Web discussed research showing how Wi-Fi signals can be used to detect and track people through walls. The idea is simple from an RF point of view. Wi-Fi is just radio, and when those signals pass through a room they reflect and scatter off walls, furniture, and human bodies. By analyzing these reflections, it is possible to infer movement and even rough human outlines without placing any hardware inside the room.
Using low-cost SDRs, a standard PC, an NVIDIA GPU, and open-source AI tools like DensePose, researchers can reconstruct basic 3D human shapes in real time. In some cases, the system does not even need to transmit its own signal. It can passively analyze reflections from an existing Wi-Fi router already operating in the home.
The speakers note that this raises obvious privacy concerns. While there are some benign uses like motion-based home security or monitoring breathing in elderly care, the same techniques could be misused. Countermeasures are limited, as Wi-Fi uses spread spectrum techniques that make jamming difficult.
If you're interested, we posted about something similar in 2015, where USRP radios were being used to detect the presence of people behind walls.
They’re Watching You Through Wi-Fi… And You Have No Idea
Over on YouTube, Rob VK8FOES has uploaded a video showing how to install and use the "dontlookup" open-source Linux Python research tool for evaluating satellite IP link security. Back in October, we posted about a new Wired article that discussed how many geostationary satellites are broadcasting sensitive, unencrypted data in the clear and how a cheap DVB-S2 receiver and satellite dish can be used to eavesdrop on them.
In the video, Rob discusses the new dontlookup tool, which is an excellent one-stop shop open-source tool for parsing IP data from these satellites. He goes on to show the full steps on how to install and use the tool in Linux. The end result is private internet satellite data being visible in Wireshark (blurred in the video for legal reasons). In the video description, Rob writes:
I thought I would make a video showcasing this new open-source Python tool for Linux. 'Don't look up' is the result of a research campaign conducted by a group of cyber security researchers from the USA for decoding DVB-S2 satellite data transponders.
Geostationary communications satellites are somewhat of a 'perfect target' to malicious threat actors, due to their downlink signals covering large portions of Earth's surface. This gives attackers a large attack surface to intercept IP traffic being transmitted from space. To most people's surprise, little-to-no security, such as encryption, is being used on these data transponders!
This is all old news to myself, and the fans of my YouTube channel that have been following my TV-satellite hobby for the past couple of years. Most of this was already possible with consumer-grade satellite equipment and a Python application called GSExtract. However, the scope of GSExtract was a lot narrower than that of DontLookUp, with the developers claiming to have achieved an exponential packet recovery rate compared to GSExtract.
Join me in this video today where I will be showing my users how to patch and build the TBS5927 USB satellite receiver drivers for RAW data capturing. I'll also be showcasing the software application called 'DVBV5-Zap' which interfaces with our satellite receiver to capture RAW data from a satellite. And finally, I will finish-off the video by demonstrating the actual usage of DontLookUp itself. To make the tutorial as accessible as possible, I'm doing the entire process inside a Linux virtual machine!
This tutorial will probably only work in DragonOS FocalX R37 Linux by the wonderful @cemaxecuter. You are welcome to try on other Linux distributions, but your mileage will vary! Also, due to the TBS5927 using something called an 'Isochronous Endpoint', it's only possible to use this satellite receiver via USB Passthrough in VMWare versions 17.5 and above. VirtualBox does not support Isochronous USB Endpoints in any version. It's always best to run Linux on 'bare-metal' by installing it directly to your PC's internal SSD, or running it from a bootable USB thumb drive.
Please understand that if you own an internal PCI-E satellite receiver card from TBS, it is not possible to 'pass it through' to Linux running inside a Type-2 Hypervisor (VMware, VirtualBox etc.). Installing Linux on bare-metal is the only hope for PCI-E card owners. Thanks very much for watching!
HARDWARE:
• TBS5927 USB Satellite Receiver
• 90cm 'Foxtel' Satellite Dish
• Golden Media GM202+ LNB
• Hills RG-6 Coaxial Cable (F-Type Connectors, 75 Ohm)
SOFTWARE:
• VMWare Workstation 17.6.2
• DragonOS FocalX R37 Linux
• TBS 'Linux_Media' Drivers
• 'RAW Data Handling' Patch
• DVBV5-Zap
• DontLookUp
If you're interested in this topic, Rob's YouTube channel has many related videos that are worth checking out.
Don't Look Up (No, Not The Movie): A New Research Tool To Evaluate Satellite IP Link Security!
The researchers used a simple off-the-shelf 100cm Ku-band satellite dish and a TBS-5927 DVB-S/S2 USB Tuner Card as the core hardware, noting that the total hardware cost was about $800.
Simple COTS hardware used to snoop on unencrypted satellite communications.
After receiving data from various satellites, they found that a lot of the data being sent was unencrypted, and they were able to obtain sensitive data such as plaintext SMS and voice call contents from T-Mobile cellular backhaul and user internet traffic. The researchers notified T-Mobile about the vulnerability, and to its credit, T-Mobile turned on encryption quickly.
They were similarly able to observe unencrypted data from various other companies and organizations, too, including the US Military, the Mexican Government and Military, Walmart-Mexico, a Mexican financial institution, a Mexican bank, a Mexican electricity utility, other utilities, maritime vessels, and offshore oil and gas platforms. They were also able to snoop on users' in-flight WiFi data.
Cellular Backhaul: We observed unencrypted cellular backhaul data sent from the core network of multiple telecom providers and destined for specific cell towers in remote areas. This traffic included unencrypted calls, SMS, end user Internet traffic, hardware IDs (e.g. IMSI), and cellular communication encryption keys.
Military and Government: We observed unencrypted VoIP and internet traffic and encrypted internal communications from ships, unencrypted traffic for military systems with detailed tracking data for coastal vessel surveillance, and operations of a police force.
In‑flight Wi‑Fi: We observed unprotected passenger Internet traffic destined for in-flight Wi-Fi users on airplanes. Visible traffic included passenger web browsing (DNS lookups and HTTPS traffic), encrypted pilot flight‑information systems, and in‑flight entertainment.
VoIP: Multiple VoIP providers were using unencrypted satellite backhaul, exposing unencrypted call audio and metadata from end users.
Internal Commercial Networks: Retail, financial, and banking companies all used unencrypted satellite communications for their internal networks. We observed unencrypted login credentials, corporate emails, inventory records, and ATM networking information.
Critical Infrastructure: Power utility companies and oil and gas pipelines used GEO satellite links to support remotely operated SCADA infrastructure and power grid repair tickets.
The technical paper goes in depth into how they set up their hardware, what services and organizations they were able to eavesdrop on, and how they decoded the signals. The team notes that they have notified affected parties, and most have now implemented encryption. However, it seems that several services are still broadcasting in the clear.