The Layer Everyone Forgets
Defenders obsess over the logical network — firewalls, ports, packets — and walk past the layer underneath it every single day. The physical layer is not just cables. It is the electromagnetic spectrum saturating your building: badge readers, wireless keyboards, IoT sensors, rogue access points, cellular, the key fob in everyone's pocket. Most organizations have zero visibility into it. That is a gap, and the discipline that closes it is passive RF collection.
This is a defensive primer. Everything here is about listening to your own environment, under authorization, within the law. Receiving is not the same as transmitting, and authorization is not the same as a free pass. Both distinctions matter and I will come back to them.
The Hardware Reality
You do not need exotic gear to start seeing the spectrum.
- RTL-SDR — a sub-$40 receive-only dongle that tunes roughly 24 MHz to 1.7 GHz. Astonishing capability for the price: ADS-B aircraft, weather sats, broadcast, plenty of unencrypted telemetry. Receive-only is also the safest legal posture — it physically cannot transmit. Mind the tuning range, though: the 2.4 GHz ISM band is out of its reach without a downconverter.
- HackRF One — a wide-band (1 MHz–6 GHz) half-duplex transceiver sampling up to 20 MS/s at 8-bit I/Q. The community workhorse, and the board that reaches the 2.4 GHz and 5 GHz bands the RTL-SDR cannot. It can transmit, which is exactly where responsibility starts.
- Antennas matter more than radios. The right antenna for the band you are surveying does more for your results than a more expensive SDR.
What Passive Survey Actually Reveals
Point a receiver at your own facility and the inventory writes itself:
- Rogue and shadow wireless. The unsanctioned access point under someone's desk, the personal hotspot bridging your segmented network to the open internet.
- IoT and building systems beaconing in the clear — sensors, cameras, HVAC controllers announcing make, model, and sometimes more.
- Legacy unencrypted links. Old wireless serial, some industrial telemetry, devices nobody remembers deploying.
- Spectrum baseline. Once you know what "normal" looks like, a new strong emitter that appears overnight is an anomaly worth investigating.
# Capture 20 MHz (HackRF's maximum sample rate) of the 2.4 GHz ISM band for offline analysis, receive-only.
# -f is the centre frequency: 2412 MHz covers roughly 2402-2422 MHz (Wi-Fi channel 1); the band runs to 2483.5 MHz,
# so step -f across it to survey all of it. -n counts samples: 200 M samples at 20 MS/s is 10 s of air and,
# at 8-bit I/Q (2 bytes per sample), a 400 MB file.
hackrf_transfer -r survey_2412.iq -f 2412000000 -s 20000000 -n 200000000
# Or just look first with a waterfall and learn your environment
gqrx   # point at your own ISM bands, watch what your building emits
Run that survey quarterly and you will find things your network scanners never could, because those devices were never on the network you were scanning. They were on the air.
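The spectrum baseline from the list above, carried through as an added worked example (this is not code from the original article): it decodes a hackrf_transfer-style capture of interleaved signed 8-bit I/Q, averages a power spectrum over FFT frames, and flags any bin that has risen more than 10 dB over a stored baseline. The captures are constructed synthetically inline so the script runs offline; the 2412 MHz centre, the 256-point FFT, the 10 dB threshold and the tone positions (chosen to land on bin centres) are all assumptions of the example. It is pure Python with no numpy so it runs anywhere; on a real 400 MB capture you would do the same steps with numpy or GNU Radio.

```python
"""Spectrum-baseline comparison for hackrf_transfer-style I/Q captures.

Added example, not from the original article. Assumes the format hackrf_transfer
writes (interleaved int8 I,Q pairs); the captures below are constructed, not recorded.
"""
import cmath
import math
import random
import struct

FFT_SIZE = 256                 # bins per frame: 20 MS/s / 256 = 78.125 kHz per bin
SAMPLE_RATE_HZ = 20_000_000    # hackrf_transfer -s
CENTER_HZ = 2_412_000_000      # assumed capture centre (hackrf_transfer -f), Wi-Fi channel 1


def iq_from_hackrf_bytes(data: bytes) -> list[complex]:
    """Decode the int8 I/Q stream into complex samples scaled to [-1, 1)."""
    return [complex(i, q) / 128.0 for i, q in struct.iter_unpack("bb", data)]


def fft(x: list[complex]) -> list[complex]:
    """Radix-2 decimation-in-time FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [x[0]]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def average_power_spectrum_db(samples: list[complex], fft_size: int = FFT_SIZE) -> list[float]:
    """Frame the capture, FFT each frame, average |X|^2 per bin and return dB values
    ordered from lowest to highest frequency (i.e. fftshift applied)."""
    frames = len(samples) // fft_size
    if frames == 0:
        raise ValueError("capture shorter than one FFT frame")
    acc = [0.0] * fft_size
    for f in range(frames):
        spectrum = fft(samples[f * fft_size:(f + 1) * fft_size])
        for k, value in enumerate(spectrum):
            acc[(k + fft_size // 2) % fft_size] += abs(value) ** 2
    return [10 * math.log10(p / frames + 1e-12) for p in acc]


def bin_to_hz(bin_index: int, center_hz: int = CENTER_HZ,
              sample_rate_hz: int = SAMPLE_RATE_HZ, fft_size: int = FFT_SIZE) -> int:
    """Absolute frequency of a shifted bin; bin fft_size/2 is the capture centre."""
    return center_hz + (bin_index - fft_size // 2) * sample_rate_hz // fft_size


def new_emitters(baseline_db: list[float], current_db: list[float],
                 threshold_db: float = 10.0) -> list[int]:
    """Bins whose power rose more than threshold_db over the baseline: the
    new strong emitter that appeared overnight."""
    return [k for k, (b, c) in enumerate(zip(baseline_db, current_db)) if c - b > threshold_db]


def synth_capture(tones: dict[float, float], n_samples: int, noise: float, seed: int) -> bytes:
    """Constructed stand-in for a hackrf_transfer file: complex tones at the given
    normalised frequencies (cycles per sample) plus uniform noise, quantised to int8 I/Q."""
    rng = random.Random(seed)
    out = bytearray()
    for n in range(n_samples):
        v = sum(amp * cmath.exp(2j * math.pi * freq * n) for freq, amp in tones.items())
        v += complex(rng.uniform(-noise, noise), rng.uniform(-noise, noise))
        i = max(-128, min(127, round(v.real * 128)))
        q = max(-128, min(127, round(v.imag * 128)))
        out += struct.pack("bb", i, q)
    return bytes(out)


def run_demo() -> list[tuple[int, int, float]]:
    """Baseline holds one known emitter at +2.5 MHz; the later survey adds one at -5 MHz.
    Returns (bin, absolute Hz, dB rise over baseline) for every flagged bin."""
    n = 64 * FFT_SIZE
    known = {0.125: 0.4}                     # +2.5 MHz at 20 MS/s -> shifted bin 160
    baseline = synth_capture(known, n, noise=0.05, seed=1)
    current = synth_capture({**known, -0.25: 0.4}, n, noise=0.05, seed=2)   # -5 MHz -> bin 64
    base_db = average_power_spectrum_db(iq_from_hackrf_bytes(baseline))
    cur_db = average_power_spectrum_db(iq_from_hackrf_bytes(current))
    return [(k, bin_to_hz(k), round(cur_db[k] - base_db[k], 1)) for k in new_emitters(base_db, cur_db)]


if __name__ == "__main__":
    for k, hz, rise in run_demo():
        print(f"new emitter: bin {k} ~ {hz / 1e6:.3f} MHz, +{rise} dB over baseline")
```

The known emitter sits in both captures and cancels out of the comparison; only the bin at 2407 MHz is reported. A real baseline should be the per-bin median of several captures taken at different times of day, so that a legitimately bursty device does not trip the threshold on the next survey.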
The Ethics Are the Whole Discipline
This is where amateurs get themselves in real trouble, so read carefully.
- Receiving vs. transmitting. In most jurisdictions, passively receiving signals is broadly permitted; transmitting on regulated spectrum without a license is a serious offense. A HackRF can transmit. The discipline is knowing that you almost never should, and never without explicit legal basis.
- Decryption and interception law. Capturing a baseline of emissions in your own facility is one thing. Intercepting and decoding the content of protected communications is regulated by wiretap and computer-misuse statutes. Authorization to be on a network is not authorization to decrypt everything in the air around it.
- Scope, in writing. "Wardriving" your own campus under a signed assessment scope is professional work. Doing it to your neighbor is not. The line is consent and authorization, and it is bright.
The operators who do this for a living are more careful about these lines, not less — because they understand precisely how much capability a $300 board represents.
Why a Defender Should Care
If you cannot see the RF layer, you are defending a building with a wall on three sides. An attacker who understands spectrum can exfiltrate over a channel your SOC does not monitor, bridge an air gap with a cheap transmitter, or skim a legacy proximity badge with a concealed long-range reader as its owner walks past. You close that gap the same way you close every gap: by seeing it first. Buy the $40 dongle. Learn your building's baseline. Then decide whether you are comfortable with everything it is saying.