
11. Hardware-Security Threads Through the Chapter

We have sprinkled tie-ins throughout. Here is the consolidated map.

  • TEMPEST eavesdropping. Old CRT video radiated as AM-like sidebands at clock harmonics. Modern LCDs leak similar emissions through pixel-clock harmonics. Demodulation involves both AM (envelope of clock harmonics) and FM-like (jitter on the clock). RTL-SDR and a directional antenna are sometimes enough to reconstruct screen content from across a room.
  • Replay attacks on simple AM-OOK. Garage door openers, low-end car remote keys, wireless doorbells — anything using a fixed-code AM-OOK system at 300 to 400 MHz can be captured and replayed by a $30 SDR. Rolling codes (HCS301, KeeLoq) and modern challenge-response (e.g., AES-CCM in modern keyless entry) defend against this.
  • Capture-effect jamming. A slightly stronger transmitter on an FM frequency completely silences the legitimate signal. Trivial DoS in rural areas.
  • AGC saturation jamming. A strong off-frequency signal saturates the receiver's LNA before the IF filter can cull it. The legitimate signal is buried as the AGC drives gain to the floor. GPS receivers in particular are vulnerable; military spec receivers have hardened front-ends with high IP3 LNAs and fast-settling AGC.
  • Spread-spectrum as a jamming countermeasure. Modulate the data with a high-rate pseudorandom code (DSSS) or hop the carrier rapidly across a wide band (FHSS); a jammer must cover the entire spread-spectrum range to deny the legitimate signal, raising the jamming power requirement by a factor of the spreading gain. This is why GPS C/A code at 1.023 Mchips/sec (for a 50 bps signal) is so robust to narrow-band interference.
  • Transmitter fingerprinting. No two transmitters are exactly alike. Manufacturing variations in oscillator phase noise, mixer balance, amplifier nonlinearity, and amplifier transient behavior all show up in subtle ways in the transmitted spectrum. SIGINT services routinely identify individual radios by their spectral signature, even without decoding the content.
  • Side-channel demodulation of crypto-leaking emissions. A chip running AES emits subtle electromagnetic radiation that is modulated by the data being processed. Treating these emissions as a tiny radio signal and applying analog-style demodulation (envelope detection, frequency discrimination) is one technique used in EM-based side-channel attacks. The "antennas" are sometimes near-field probes, sometimes resonant cavities, sometimes a wire dangling near the chip.
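The spread-spectrum bullet above can be made concrete. The following is an added simulation, not code from the chapter: it computes the DSSS processing gain for the GPS C/A figures quoted (1.023 Mchips/s spreading a 50 bps message) and shows a constructed ±1 PN code despreading a message through a continuous-wave jammer 12 dB stronger than the signal. The chip-rate sampling, the code, the message and the jammer are all constructed assumptions for illustration.

```python
import math
import random

def processing_gain_db(chip_rate_hz: float, bit_rate_bps: float) -> float:
    """DSSS processing gain = chip rate / data rate, in dB.
    For GPS C/A (1.023 Mchips/s spreading a 50 bps message) this is about 43 dB."""
    return 10 * math.log10(chip_rate_hz / bit_rate_bps)

def spread(bits, code):
    """Transmit side: each +/-1 data bit is multiplied by the whole +/-1 chip sequence."""
    return [b * c for b in bits for c in code]

def despread(chips, code):
    """Receive side: correlate every bit-length block with the known code and slice the sign.
    The data adds coherently (gain = len(code)); a narrowband jammer does not."""
    n = len(code)
    decided = []
    for i in range(0, len(chips), n):
        corr = sum(x * c for x, c in zip(chips[i:i + n], code))
        decided.append(1 if corr >= 0 else -1)
    return decided

def jammed_ber(chips_per_bit: int, jammer_amp: float = 4.0,
               n_bits: int = 200, seed: int = 1) -> float:
    """Bit error rate of a DSSS link under a CW jammer, one sample per chip (constructed model).
    chips_per_bit=1 is the unspread baseline; larger values buy processing gain."""
    rng = random.Random(seed)
    code = [rng.choice((-1, 1)) for _ in range(chips_per_bit)]   # constructed PN code
    bits = [rng.choice((-1, 1)) for _ in range(n_bits)]           # constructed message
    tx = spread(bits, code)
    # CW jammer at 0.01 cycles per chip: narrowband relative to the chip rate,
    # and 20*log10(4) = 12 dB stronger than the unit-amplitude signal.
    rx = [s + jammer_amp * math.cos(2 * math.pi * 0.01 * k) for k, s in enumerate(tx)]
    errors = sum(1 for a, b in zip(despread(rx, code), bits) if a != b)
    return errors / n_bits

if __name__ == "__main__":
    print(f"GPS C/A processing gain: {processing_gain_db(1.023e6, 50):.1f} dB")
    print(f"BER, no spreading (1 chip/bit): {jammed_ber(1):.2f}")
    print(f"BER, 128 chips/bit:             {jammed_ber(128):.3f}")
```

With one chip per bit the jammer flips roughly two bits in five; with 128 chips per bit its energy is smeared across the correlation window and the same message comes through essentially clean, which is the factor-of-spreading-gain effect the bullet describes.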

The unifying theme: every wireless system, every chip-level emission, every covert channel, is subject to the same modulation/demodulation theory we built in this chapter. Knowing that theory turns "magical RF stuff" into "an analog signal I can demodulate, capture, replay, jam, or fingerprint."