
9. Hardware Security Implications

Every property of antennas has a flip side from an offense or defense perspective.

9.1 Directional eavesdropping (TEMPEST)

Every electronic device emits unintended RF, primarily at clock harmonics and on every transition. Reciprocity says: a directional antenna pointed at the device receives those emissions exactly as well as it would transmit. A Yagi or small dish at the right frequency, combined with a low-noise receiver and DSP, can recover:

  • Video signals from a CRT or LCD (the original "Van Eck phreaking").
  • Keystrokes from old PS/2 or USB keyboards.
  • Power-line currents that leak crypto operations.
  • Activity patterns of CPUs running cryptographic primitives.

The attacker's antenna size, gain, and steering capability all set the stand-off range. A 20 dBi antenna can pick up emissions from 30 m away that an isotropic antenna could not detect from 3 m. Faraday cages (rooms wrapped in conductive mesh) defend by absorbing or reflecting these emissions before they can be received outside.

9.2 GPS jamming and spoofing

GPS L1 signals at the Earth's surface arrive at about $10^{-13}$ W (–130 dBm). That is below thermal noise; the satellite's spread-spectrum coding pulls it out by correlation gain. Because the signal is so weak, even a small jammer (a few mW) can overwhelm it from a few km away. Truck drivers have jammed entire airports unintentionally with fleet-tracking jammers.

Spoofing is more sinister: transmit fake GPS signals slightly stronger than the real ones to make a victim's receiver report wrong positions. It has been demonstrated on yachts and trucks and used in real conflicts. Defenses include directional antennas (phased arrays that steer nulls toward jamming sources) and inertial navigation cross-checks.

9.3 Wi-Fi and Bluetooth eavesdropping at range

A high-gain Yagi or dish can pick up Wi-Fi from a parking lot or further. If the WLAN is encrypted, the attacker still gets metadata (which devices are present, how much they transmit, their MAC addresses), enough for tracking and timing analysis. Encrypted handshakes can be captured for later offline cracking.

Bluetooth Low Energy (BLE) advertisements, AirDrop, AirTag pings, NFC initiation: all of these have been exploited at much-greater-than-spec ranges using high-gain antennas.

9.4 Side-channel via radiated emissions

Even when a chip is air-gapped (no network connection), it still radiates. A near-field probe (a small loop) held within centimeters of a CPU can pick up fluctuations correlated with the secret key being processed. The classic example: AES key recovery from a smartcard chip in a few hours of measurements, demonstrated repeatedly at academic conferences. The defender's countermeasures include masking, blinding, hardware noise injection, and physical shielding.

9.5 RF fingerprinting

Even nominally identical devices have slightly different antenna impulse responses, transmitter nonlinearities, and oscillator drift. Well-designed receivers can fingerprint individual devices by these features, identifying a specific phone's radio even when its MAC address is randomized. This is used both for legitimate network security and for adversarial tracking.

9.6 Beam-forming for offense and defense

An adaptive array that nulls jammers can also null legitimate receivers if the attacker controls it. A directional broadcast can be focused on a specific receiver while remaining invisible to others. 5G mm-wave networks use beam-forming both for capacity and for partial physical-layer security (an attacker not in the beam cannot eavesdrop on the link).

9.7 Faraday rooms

A Faraday cage works because the conductive walls force the tangential E-field to zero at the boundary, attenuating any external field by typically 60 to 120 dB. Sensitive operations (key generation, hardware security modules, classified comms) are performed inside such rooms. Doors are the weak point; RF gaskets, double-door airlocks, and filtered power feeds all have to be carefully designed. Rooms typically also include the floor and ceiling in the cage, since RF will leak through any seam.
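
The stand-off reasoning in 9.1 and the attenuation figures in 9.7 combine into a shielding budget a defender can size. The sketch below is an added example, not part of the original text; it assumes free-space (Friis) propagation, and the leak power, frequency, receiver sensitivity and perimeter distance are constructed values.

```python
import math

C = 299_792_458.0  # speed of light, m/s


def fspl_db(distance_m, freq_hz):
    """Free-space path loss in dB between two isotropic antennas (Friis)."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C)


def standoff_range_m(eirp_dbm, rx_gain_dbi, sensitivity_dbm, freq_hz, shield_db=0.0):
    """Farthest free-space distance at which the leak still reaches the
    receiver's sensitivity floor, after any shielding attenuation."""
    allowed_loss_db = eirp_dbm + rx_gain_dbi - shield_db - sensitivity_dbm
    return C / (4 * math.pi * freq_hz) * 10 ** (allowed_loss_db / 20)


def required_shielding_db(eirp_dbm, rx_gain_dbi, sensitivity_dbm, freq_hz,
                          perimeter_m, margin_db=10.0):
    """Attenuation that puts the leak margin_db below the sensitivity floor
    at the controlled perimeter; 0 if distance alone already achieves that."""
    received_dbm = eirp_dbm + rx_gain_dbi - fspl_db(perimeter_m, freq_hz)
    return max(0.0, received_dbm - sensitivity_dbm + margin_db)


# Constructed sample values (assumptions, not measurements from the page).
LEAK_EIRP_DBM = -60.0     # unintended emission at one clock harmonic
FREQ_HZ = 300e6           # frequency of that harmonic
SENSITIVITY_DBM = -110.0  # weakest signal the receiver and DSP can use
PERIMETER_M = 30.0        # distance to the edge of the controlled area

if __name__ == "__main__":
    for gain in (0.0, 20.0):
        r = standoff_range_m(LEAK_EIRP_DBM, gain, SENSITIVITY_DBM, FREQ_HZ)
        print(f"{gain:4.0f} dBi antenna: detectable out to {r:7.1f} m")
    need = required_shielding_db(LEAK_EIRP_DBM, 20.0, SENSITIVITY_DBM,
                                 FREQ_HZ, PERIMETER_M)
    print(f"shielding needed at {PERIMETER_M:.0f} m vs 20 dBi: {need:.1f} dB")
```

With these values the 20 dBi antenna extends the detection range tenfold over an isotropic one, and about 28.5 dB of shielding covers a 30 m perimeter with 10 dB of margin.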