Defending Against RF Reconnaissance - Why Detection is Critical for Modern COMSEC Programs
- Keith Pachulski
- Aug 3
Updated: Aug 9

Radio frequency scanning has long been a cornerstone of signals intelligence operations, from World War II codebreaking efforts to modern military and law enforcement surveillance. What was once the exclusive domain of government agencies and sophisticated adversaries has now become accessible to a broader range of threat actors through commercial software-defined radios and readily available scanning equipment.
As organizations increasingly rely on radio communications for security, operations, and emergency response, they face surveillance techniques that were previously limited to nation-state actors and well-funded intelligence operations. The democratization of RF reconnaissance capabilities means that the same methods used by military signals intelligence units and federal law enforcement agencies are now available to corporate competitors, criminal organizations, and other threat actors.
Low-Risk, High-Reward Intelligence Gathering
RF scanning represents one of the lowest-risk reconnaissance methods available to threat actors. Unlike network penetration attempts or physical surveillance, passive RF monitoring leaves no digital footprints on target systems, operates from significant distances and requires minimal technical expertise with modern software-defined radios.
Common Offensive RF Reconnaissance Techniques
Sequential Frequency Scanning
Attackers systematically sweep through frequency ranges, identifying active channels and communication patterns. This reveals which frequencies are actively used, communication schedules and patterns, equipment types and capabilities, and organizational structure through radio protocols. The same technique is employed by law enforcement to monitor criminal communications during investigations, by military forces for battlefield intelligence gathering, and by red teams testing organizational COMSEC procedures during authorized assessments.
Targeted Frequency Monitoring
Once interesting frequencies are identified, attackers establish persistent monitoring stations to intercept sensitive communications, learn radio protocols and encryption methods, identify key personnel and operational procedures, and map communication networks and backup frequencies.
Active RF Probing
Advanced threat actors may use active techniques to test response procedures by triggering communications, identify direction-finding capabilities, map coverage areas and dead zones, and force organizations to reveal backup communication plans.
The Defensive Imperative - Automated Scanner Detection
Given the stealth and effectiveness of RF reconnaissance, organizations must implement proactive detection capabilities. The RF Scanner Detection System we have developed demonstrates how modern COMSEC programs can leverage software-defined radio technology to identify scanning activities in real time.
System Architecture Overview
The detection system implements a multi-layered approach using HackRF One software-defined radio hardware, combined with GNU Radio processing and advanced signal analysis algorithms. The core components of the application include a hardware controller that manages the SDR hardware interface and frequency sweeping, a spectrum analyzer that implements pattern detection algorithms, a detection engine that orchestrates the entire detection process, and advanced analytics for machine learning-based signature analysis and threat intelligence integration.
Real-World Detection Output
When the system identifies potential RF reconnaissance activities, it generates alert logs with detailed technical analysis. Here's an example of actual system output when detecting targeted monitoring:
═══════════════════════════════════════════════════════════════
RF SCANNER DETECTION ALERT
═══════════════════════════════════════════════════════════════
BASIC DETECTION INFO:
├─ Detection Type: TARGETED
├─ Timestamp: 2025-08-01 15:25:43
├─ Frequency: 31.337500 MHz
├─ Signal Strength: -13.1 dBm
├─ Confidence Score: 0.382 (LOW)
└─ Duration: 22.94 seconds
SIGNAL FINGERPRINT:
├─ Signal-to-Noise Ratio: 45.5 dB
├─ Bandwidth: 0 Hz
├─ Modulation Type: Spread Spectrum/Noise
├─ Rise Time: 0.0000 ms
├─ Peak Frequency: 31.900000 MHz
└─ Signal Stability: Stable
PATTERN ANALYSIS:
├─ Dwell Time: 22.9 seconds
├─ Power Variance: 4.16 dB²
├─ Sample Count: 7
└─ Monitoring Pattern: Targeted Monitoring
THREAT ASSESSMENT:
├─ Threat Level: LOW (3.91/10)
├─ Likelihood: May be routine scanner usage
├─ Recommended Action: Normal monitoring
└─ Follow-up: Log for trend analysis
TECHNICAL DETAILS:
├─ Center Frequency: 31.900000 MHz
├─ Frequency Offset: 0 Hz
├─ Phase Noise: 3.169
├─ Spectral Purity: 0.00%
└─ Equipment Signature: Professional SDR Equipment
TIMING ANALYSIS:
├─ Detection Latency: 184.57 ms
├─ Signal Onset: First seen 23s ago
└─ Previous Activity: Last 24h: 2 targeted detections, 1 targeted_enhanced detections
═══════════════════════════════════════════════════════════════
This example shows a targeted monitoring detection on 31.337 MHz with moderate signal strength but extended dwell time. The system correctly identified this as potential surveillance equipment, though the confidence score remains low due to the signal characteristics suggesting possible legitimate usage.
The alert provides detection classification to categorize the type of scanning activity detected, signal analysis for technical fingerprint and equipment identification, threat scoring for quantitative risk assessment with actionable recommendations, and historical context showing patterns and previous activity on the same frequency.
High-Threat Detection Example
When the system detects high-confidence scanning activity, the alerts become more urgent and detailed:
═══════════════════════════════════════════════════════════════
RF SCANNER DETECTION ALERT - HIGH PRIORITY
═══════════════════════════════════════════════════════════════
BASIC DETECTION INFO:
├─ Detection Type: SCANNING
├─ Timestamp: 2025-08-01 16:42:17
├─ Frequency: 462.575000 MHz (GMRS Channel 15)
├─ Signal Strength: -24.8 dBm
├─ Confidence Score: 0.847 (HIGH)
└─ Duration: 15.30 seconds
SIGNAL FINGERPRINT:
├─ Signal-to-Noise Ratio: 52.3 dB
├─ Bandwidth: 25000 Hz
├─ Modulation Type: FM/Digital
├─ Rise Time: 0.0821 ms
├─ Peak Frequency: 462.575000 MHz
└─ Signal Stability: Very Stable
PATTERN ANALYSIS:
├─ Hop Rate: 28.4 channels/second
├─ Frequencies Detected: 47
├─ Frequency Range: 462.550 - 467.725 MHz
├─ Channel Spacing: 25.0 kHz
└─ Scanner Type: Fast Analog Scanner
THREAT ASSESSMENT:
├─ Threat Level: HIGH (7.23/10)
├─ Likelihood: Likely surveillance activity
├─ Recommended Action: Investigate and monitor closely
└─ Follow-up: Review communication security
TECHNICAL DETAILS:
├─ Center Frequency: 462.575000 MHz
├─ Frequency Offset: 0 Hz
├─ Phase Noise: 0.042
├─ Spectral Purity: 73.24%
└─ Equipment Signature: Crystal-Controlled Scanner
TIMING ANALYSIS:
├─ Detection Latency: 67.23 ms
├─ Signal Onset: First seen 15s ago
└─ Previous Activity: No previous activity
═══════════════════════════════════════════════════════════════
This high-confidence detection shows classic scanner behavior: rapid frequency hopping at 28.4 channels per second across GMRS frequencies with 25 kHz channel spacing, which is characteristic of a commercial scanner monitoring business or public safety communications.
Sequential Scanning Detection
The system monitors for rapid frequency hopping patterns by analyzing frequency change patterns in real-time. When we detect someone jumping between channels faster than normal communications would require, it is highly probable that scanning equipment is active.
The hop rate analysis detects scanning speeds of 8 or more channels per second. This threshold is important because normal radio communications rarely require frequency changes this rapid. When someone is monitoring multiple channels in sequence, they're either using a scanner or conducting some form of surveillance activity.
Channel spacing analysis is particularly revealing because different types of scanning equipment use predictable frequency steps. Commercial scanners typically use 12.5 kHz, 25 kHz, or 50 kHz channel spacing that matches established band plans. When we see signals appearing at these regular intervals, it indicates purpose-built scanning equipment rather than random interference or normal communications.
The system validates these patterns by looking for signal strength consistency across the frequency hops. Real scanner activity produces relatively consistent signal strengths as the equipment sweeps through channels, while interference or spurious signals tend to have more random power levels.
Pattern consistency validation ensures we're seeing actual scanning behavior rather than coincidental frequency usage. The detection algorithms require multiple frequency hops with regular spacing before generating an alert, which significantly reduces false positives from legitimate communications or environmental interference.
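The hop-rate, channel-spacing and power-consistency checks described above, applied to constructed detection samples, as an added example that is not part of the original post or the rf_surveillance project's code. The 8 hops/second threshold and the 12.5/25/50 kHz steps come from the post; the minimum hop count, power tolerance and step tolerance are assumptions.

```python
# Added example (not the rf_surveillance project's own code): flag a sequential
# frequency sweep from time-ordered (seconds, frequency_hz, power_dbm) detections.
from statistics import pstdev

HOP_RATE_THRESHOLD = 8.0                          # channels/second, the post's threshold
KNOWN_STEPS_HZ = (12_500.0, 25_000.0, 50_000.0)   # commercial scanner channel spacings
MIN_HOPS = 6                                      # assumed: regular hops needed before alerting
MAX_POWER_STDEV_DB = 3.0                          # assumed: sweep power must stay this consistent
STEP_TOLERANCE = 0.02                             # assumed: 2% slack for frequency estimation error

def regular_step_hz(freqs):
    """Return the largest known scanner step that every hop is a whole multiple of,
    or None when the hops are irregular (interference, random traffic)."""
    diffs = [abs(b - a) for a, b in zip(freqs, freqs[1:]) if b != a]
    if not diffs:
        return None
    for step in sorted(KNOWN_STEPS_HZ, reverse=True):
        multiples = [d / step for d in diffs]
        if all(round(m) >= 1 and abs(m - round(m)) <= STEP_TOLERANCE for m in multiples):
            return step
    return None

def analyze_sweep(observations):
    """Hop rate, channel spacing and power consistency checks combined into one verdict."""
    times = [o[0] for o in observations]
    freqs = [o[1] for o in observations]
    powers = [o[2] for o in observations]
    hops = sum(1 for a, b in zip(freqs, freqs[1:]) if a != b)
    span = times[-1] - times[0] if len(times) > 1 else 0.0
    hop_rate = hops / span if span > 0 else 0.0
    step = regular_step_hz(freqs)
    power_sd = pstdev(powers) if len(powers) > 1 else 0.0
    detected = (hops >= MIN_HOPS and hop_rate >= HOP_RATE_THRESHOLD
                and step is not None and power_sd <= MAX_POWER_STDEV_DB)
    return {"hops": hops, "hop_rate": round(hop_rate, 1), "channel_step_hz": step,
            "frequencies": len(set(freqs)), "power_stdev_db": round(power_sd, 2),
            "scanner_detected": detected}

def sample_scanner_sweep():
    """Constructed: 12 channels upward from 462.550 MHz at 25 kHz steps, one hop
    every 35 ms (about 28.6 hops/s), power holding near -24.8 dBm."""
    return [(i * 0.035, 462_550_000.0 + i * 25_000.0, -24.8 + (0.3 if i % 2 else -0.3))
            for i in range(12)]

def sample_conversation():
    """Constructed: a voice exchange parked on 462.575 MHz for 20 s with voice-driven
    power swings; no hops, so it must not trigger."""
    return [(i * 2.0, 462_575_000.0, -40.0 + (6.0 if i % 3 == 0 else -4.0)) for i in range(11)]

def sample_interference():
    """Constructed: bursts at irregular offsets with scattered power, fast enough to pass
    the hop-rate check but failing the spacing and consistency checks."""
    offsets = (0.0, 13_700.0, 41_100.0, 58_300.0, 90_250.0, 104_900.0, 131_600.0, 150_050.0)
    return [(i * 0.05, 462_550_000.0 + off, -50.0 + (i % 4) * 5.0) for i, off in enumerate(offsets)]

if __name__ == "__main__":
    for name, sample in (("sweep", sample_scanner_sweep()), ("voice", sample_conversation()),
                         ("interference", sample_interference())):
        print(name, analyze_sweep(sample))
```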
Targeted Monitoring Detection
For persistent monitoring detection, the system analyzes signal consistency and dwell time. If someone parks on a frequency for an extended period with very stable signal characteristics, that suggests dedicated monitoring equipment rather than normal communications.
Dwell time analysis identifies sustained presence on single frequencies. Normal communications have natural pauses, power variations, and timing irregularities. Monitoring equipment, however, tends to maintain consistent presence with minimal power fluctuations. When we see a signal that remains stable for extended periods, particularly longer than typical conversation lengths, this indicates possible surveillance equipment.
Signal stability assessment examines power variance over time. Legitimate communications show natural variations in signal strength due to voice modulation, movement, and normal transmission characteristics. Monitoring receivers, especially when used with external antennas and stable power supplies, produce much more consistent signal characteristics. Low power variance combined with extended dwell time is a strong indicator of dedicated monitoring equipment.
Duration scoring increases confidence levels for longer monitoring periods. Brief monitoring might be coincidental or related to legitimate scanning activity, but sustained monitoring over many minutes or hours suggests intentional surveillance of specific communications.
This type of detection is particularly important because targeted monitoring often indicates intelligence gathering on specific communications of interest, which is much more concerning than general scanning activity. It suggests that an adversary has already identified frequencies of value and moved to persistent collection mode.
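The dwell-time, power-variance and duration-scoring logic described above, turned into a confidence score over constructed samples from a single frequency, as an added example that is not the original post's or the rf_surveillance project's code. The exchange length, the ten-minute full-credit point, the stability limit, the weighting and the level cut-offs are all assumptions.

```python
# Added example (not the rf_surveillance project's own code): score persistent
# presence on one frequency from time-ordered (seconds, power_dbm) samples.
from statistics import pvariance

TYPICAL_EXCHANGE_S = 30.0     # assumed: a normal voice exchange rarely holds a channel longer
SUSTAINED_S = 600.0           # assumed: ten minutes of unbroken presence earns full duration credit
STABLE_VARIANCE_DB2 = 5.0     # assumed: power variance at or below this is reported as "Stable"
STABILITY_WEIGHT = 0.35       # assumed weighting; duration carries the remaining 0.65

def stability_score(variance_db2):
    """1.0 for a perfectly flat signal, falling to 0 as variance passes 4x the stable limit."""
    return max(0.0, 1.0 - variance_db2 / (4.0 * STABLE_VARIANCE_DB2))

def duration_score(dwell_s):
    """No credit inside a normal exchange length, then linear credit up to SUSTAINED_S."""
    if dwell_s <= TYPICAL_EXCHANGE_S:
        return 0.0
    return min(1.0, (dwell_s - TYPICAL_EXCHANGE_S) / (SUSTAINED_S - TYPICAL_EXCHANGE_S))

def assess_dwell(samples):
    """samples: (seconds, power_dbm) tuples for one frequency since the signal was first seen."""
    times = [t for t, _ in samples]
    powers = [p for _, p in samples]
    dwell = times[-1] - times[0]
    variance = pvariance(powers) if len(powers) > 1 else 0.0
    confidence = (STABILITY_WEIGHT * stability_score(variance)
                  + (1.0 - STABILITY_WEIGHT) * duration_score(dwell))
    level = "HIGH" if confidence >= 0.7 else "MEDIUM" if confidence >= 0.4 else "LOW"  # assumed cut-offs
    return {"dwell_s": round(dwell, 1), "power_variance_db2": round(variance, 2),
            "stability": "Stable" if variance <= STABLE_VARIANCE_DB2 else "Unstable",
            "sample_count": len(samples), "confidence": round(confidence, 3), "level": level}

def sample_monitoring_receiver():
    """Constructed: a receiver parked on a channel for about an hour, sampled every
    minute, power wobbling only 0.1 dB around -30 dBm."""
    return [(i * 60.0, -30.0 + (0.1 if i % 2 else -0.1)) for i in range(60)]

def sample_voice_exchange():
    """Constructed: a 20 s conversation with voice-driven swings of several dB."""
    return [(i * 2.0, -40.0 + (6.0 if i % 3 == 0 else -4.0)) for i in range(11)]

def sample_brief_stable():
    """Constructed: a flat carrier for 15 s; stable, but too brief to be convincing."""
    return [(i * 1.0, -33.0) for i in range(16)]

if __name__ == "__main__":
    for sample in (sample_monitoring_receiver(), sample_voice_exchange(), sample_brief_stable()):
        print(assess_dwell(sample))
```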
Active Probe Detection
The system detects active RF probes that may indicate direction-finding or jamming attempts. These are often brief, high-power signals used to test response procedures or locate transmitters.
Dynamic threshold calculation is essential for reliable probe detection. Rather than using fixed power thresholds that might miss weak probes or generate false alarms from strong legitimate signals, the system continuously calculates the local noise floor and adjusts detection sensitivity accordingly. This adaptive approach accounts for varying RF environments and ensures consistent detection performance across different locations and times.
The dynamic threshold works by analyzing the statistical distribution of received signal power and establishing detection thresholds that are typically 20-30 dB above the local noise floor. This ensures that probe signals stand out clearly from background noise while accounting for normal variations in the RF environment.
Legitimate signal filtering helps distinguish between routine transmissions and active probes. The system maintains awareness of known broadcast frequencies, licensed services, and typical communication patterns in the monitored spectrum. Signals that appear on known legitimate frequencies or exhibit characteristics of normal communications are less likely to be classified as probes, reducing false positive rates.
Power analysis examines the relationship between signal strength and other characteristics to identify probe-like behavior. Active probes often have distinctive power profiles - they may be stronger than typical communications, appear briefly, or have unusual timing patterns that distinguish them from normal transmissions.
Active probes are especially significant because they indicate an adversary who has moved beyond passive surveillance to active reconnaissance techniques. This escalation suggests more sophisticated threat actors and potentially imminent operational activity.
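The adaptive threshold and legitimate-signal filtering described above, run over constructed spectrum snapshots, as an added example that is not the original post's or the rf_surveillance project's code. The 25 dB margin sits inside the 20-30 dB range the post gives; the median-based floor estimate, the maximum probe duration and the channel-matching tolerance are assumptions.

```python
# Added example (not the rf_surveillance project's own code): adaptive-threshold
# burst detection over time-ordered spectrum snapshots of (seconds, {freq_hz: power_dbm}).
from statistics import median

THRESHOLD_MARGIN_DB = 25.0     # inside the 20-30 dB above the noise floor the post describes
MAX_PROBE_DURATION_S = 2.0     # assumed: probes are brief; anything longer is ordinary traffic
LEGIT_TOLERANCE_HZ = 6_250.0   # assumed: half a 12.5 kHz channel when matching licensed services

def noise_floor_dbm(bin_powers):
    """Median bin power: with most of the band empty it tracks the local floor and is
    not dragged upward by a few strong carriers the way a mean would be."""
    return median(bin_powers)

def is_known_service(freq_hz, legitimate_hz):
    return any(abs(freq_hz - f) <= LEGIT_TOLERANCE_HZ for f in legitimate_hz)

def find_probes(frames, legitimate_hz, margin_db=THRESHOLD_MARGIN_DB):
    """Return brief bursts that cross the adaptive threshold on frequencies not in
    legitimate_hz. A burst still above threshold in the final frame stays pending."""
    active = {}    # freq_hz -> (start_s, peak_dbm) for bins currently above threshold
    probes = []
    for t, bins in frames:
        threshold = noise_floor_dbm(list(bins.values())) + margin_db  # recomputed every frame
        for f, p in bins.items():
            if p >= threshold:
                start, peak = active.get(f, (t, p))
                active[f] = (start, max(peak, p))
            elif f in active:
                start, peak = active.pop(f)
                duration = t - start
                if duration <= MAX_PROBE_DURATION_S and not is_known_service(f, legitimate_hz):
                    probes.append({"frequency_hz": f, "start_s": start, "duration_s": duration,
                                   "peak_dbm": peak, "threshold_dbm": round(threshold, 1)})
    return probes

def sample_frames():
    """Constructed: 30 bins from 462.500 MHz at 25 kHz spacing, one snapshot every 0.5 s
    for 10 s. A licensed repeater on 462.575 MHz is always keyed, a 4 s transmission
    sits on 463.000 MHz, and a 1 s burst at -45 dBm on 463.100 MHz is the probe."""
    freqs = [462_500_000.0 + i * 25_000.0 for i in range(30)]
    frames = []
    for k in range(21):
        t = k * 0.5
        bins = {f: -95.0 + ((i * 7) % 5) * 0.4 - 0.8 for i, f in enumerate(freqs)}  # noise near -95 dBm
        bins[462_575_000.0] = -60.0
        if 5.0 <= t < 9.0:
            bins[463_000_000.0] = -55.0
        if 3.0 <= t < 4.0:
            bins[463_100_000.0] = -45.0
        frames.append((t, bins))
    return frames

KNOWN_SERVICES_HZ = [462_575_000.0]   # constructed allow-list: the repeater above

if __name__ == "__main__":
    for probe in find_probes(sample_frames(), KNOWN_SERVICES_HZ):
        print(probe)
```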
Hardware Fingerprinting
One of the most powerful features of the software application is the ability to fingerprint specific scanner hardware. Every piece of RF equipment has unique characteristics, like a digital fingerprint, that we attempt to identify and track over time.
The system analyzes multiple signal characteristics to create these fingerprints. DC offset characteristics reveal how well the mixer and analog-to-digital converter are balanced in the receiver hardware. Every piece of equipment has slight imperfections in this balance that create unique offset patterns. These patterns are typically consistent enough to identify specific devices but subtle enough that they don't interfere with normal operation.
Phase noise profiling examines the quality and characteristics of the local oscillator used in the receiver. Different manufacturers use different oscillator designs, and even units from the same manufacturer have slight variations in phase noise characteristics. By analyzing the phase noise signature, we can often determine the class of equipment and sometimes identify specific hardware models.
Frequency response flatness analysis looks at how consistently the receiver responds across its bandwidth. Cheaper equipment often has more variation in frequency response, while professional gear maintains flatter response curves. The specific pattern of frequency response variations can help identify equipment categories and track individual devices.
ADC bit depth estimation examines signal quantization characteristics to determine the resolution of the analog-to-digital converter. ADC (Analog-to-Digital Converter) bit depth refers to how many discrete levels the converter can represent—an 8-bit ADC can represent 256 levels, while a 16-bit ADC can represent 65,536 levels. Higher bit depth means finer signal resolution and typically indicates more sophisticated, expensive equipment. Consumer-grade scanners typically use 8-12 bit ADCs, while professional monitoring equipment employs 16+ bit converters. This resolution difference creates distinct signal characteristics that help classify equipment sophistication and distinguish between amateur and professional surveillance operations.
Clock precision assessment analyzes timing stability to determine the quality of the reference oscillator. Professional equipment typically has much more stable timing than consumer gear, and specific timing characteristics can help identify equipment classes.
Device Tracking and Persistence Assessment
Once the application has fingerprinted a device, it tracks that device's behavior over time, which gives us valuable intelligence about the scope and persistence of surveillance activities and lets us assign persistence levels based on detection frequency and the time span covered.
High persistence indicates sustained surveillance over hours with many detections, suggesting dedicated monitoring operations. Medium persistence shows extended monitoring sessions lasting 30 minutes or more, which might indicate intelligence gathering on specific events or timeframes. Low persistence covers brief scanning activities that could be routine monitoring or intelligence reconnaissance. Minimal persistence represents single detection events that might be coincidental or very limited surveillance activity.
Behavioral pattern tracking monitors whether a device primarily performs scanning, targeted monitoring, or active probing. This classification helps assess threat intent and capability. Devices that consistently perform targeted monitoring are more concerning than those that only occasionally scan frequencies, as this suggests focused intelligence collection rather than general reconnaissance.
Equipment evolution tracking monitors changes in device fingerprints over time. Stable fingerprints suggest the same equipment being used consistently, while changing fingerprints might indicate multiple devices or equipment modifications. This information helps assess the scale and sophistication of surveillance operations.
Equipment Classification
Based on the technical fingerprint, the application attempts to identify the class of equipment being used. Professional SDR equipment typically shows high ADC resolution, excellent phase noise characteristics, and precise timing stability. These systems are often used by sophisticated adversaries with significant technical capabilities.
Commercial scanners exhibit moderate specifications with crystal-controlled frequency synthesis and decent but not exceptional performance characteristics. These represent the most common threat, as commercial scanning equipment is readily available and requires minimal technical expertise to operate effectively.
Consumer equipment typically shows lower resolution, higher phase noise, and less precise timing characteristics. While these systems may indicate less sophisticated threats, they should not be dismissed as they can still provide valuable intelligence to adversaries.
Logging and Analysis
The system maintains detailed operational logs that provide security teams with actionable intelligence:
2025-08-01 15:25:43,127 - rf_scanner_detection - WARNING - Scanner detected: 28.4 hops/sec across 47 frequencies
2025-08-01 15:25:43,134 - rf_scanner_detection - WARNING - Targeted monitoring detected on 462.575 MHz for 22.9s
2025-08-01 15:25:44,891 - rf_scanner_detection - INFO - SIEM event sent successfully: RF_RECONNAISSANCE_DETECTED
2025-08-01 15:25:45,203 - rf_scanner_detection - CRITICAL - SECURITY INCIDENT [HIGH] RF_DETECTION: Scanner detected at 462.575 MHz
2025-08-01 15:26:12,445 - rf_scanner_detection - WARNING - RECOMMENDATION: Consider frequency change
2025-08-01 15:26:12,447 - rf_scanner_detection - WARNING - RECOMMENDATION: Increase monitoring for 24 hours
These logs can integrate seamlessly with existing SIEM platforms, enabling correlation with other security events and automated incident response workflows.
Open Source Implementation
The complete RF Scanner Detection System is available as an open-source project, enabling organizations to implement and customize the solution for their specific requirements:
🔗 GitHub Repository: https://github.com/sec0ps/rf_surveillance/
The repository includes complete source code for all detection algorithms, configuration templates for various deployment scenarios, installation and setup documentation, testing frameworks and validation tools, integration examples for common SIEM platforms, and performance optimization guidelines.
Assess Your RF Threat Exposure
Most organizations have no visibility into RF reconnaissance activities targeting their communications. While you're reading this, threat actors could be systematically mapping your radio communications, learning your operational patterns and gathering intelligence for future attacks.
Don't wait for a communications compromise to discover you've been under surveillance.
We help organizations implement comprehensive RF threat detection and COMSEC programs that provide early warning of surveillance activities. Our team has extensive experience in both offensive RF reconnaissance and defensive countermeasures, giving us unique insight into how these threats actually work in practice.
We can help you:
Assess your current RF threat landscape and communication vulnerabilities
Design and implement RF scanner detection systems tailored to your operational frequencies
Integrate RF threat detection with your existing security infrastructure
Develop incident response procedures for RF reconnaissance activities
Train your security team on RF threat indicators and response protocols
The RF Scanner Detection System discussed in this post represents just one component of a comprehensive COMSEC program. Let's discuss how to protect your organization's communications before they become a source of intelligence for your adversaries.
Ready to evaluate your RF security posture? Let's start with a strategic discussion about your communication security requirements and threat landscape.
Keith Pachulski
Red Cell Security, LLC