
E. Hardware-Security Implications: a consolidated list

  • GSM A5/1 broken (2003-2010). $20 SDR + Kraken rainbow tables = real-time eavesdropping on 2G voice. Most operators have decommissioned 2G; some have not.
  • IMSI catchers (Stingrays). Active rogue base stations capture phone IDs. Used legitimately by law enforcement, illegally by surveillance operators. Mitigated by mutual authentication in 4G/5G; downgrade attacks remain.
  • SS7 attacks. Signaling System 7 is the inter-carrier signaling protocol. Designed in 1975 with no authentication. Attackers with SS7 access can locate any phone, intercept SMS (including 2FA codes), and redirect calls. Documented attacks against bank customers, dissidents, and journalists.
  • SIM cloning. Older COMP128-1 algorithm in early SIMs allowed cloning by querying the SIM with crafted RAND values. Modern SIMs use COMP128-2/3 or AES-Milenage; cloning is much harder.
  • eSIM and remote provisioning. Centralized profile management is a target for supply-chain attacks.
  • GPS jamming/spoofing. $20 jammer; few-hundred-dollar spoofer with SDR. Real attacks against ships, drones, civilian aviation in conflict zones.
  • Satellite phone interception. Iridium L-band downlink was unencrypted historically. gr-iridium SDR tools demodulate pager messages.
  • Starlink firmware extraction. Demonstrated in 2022 by voltage-glitching the boot ROM.
  • WSN node capture. Physical access to deployed sensor nodes lets an attacker extract keys, reprogram the node, and inject false data into the network.
  • LoRaWAN replay attacks. Pre-1.0.4 implementations failed to enforce the frame counter; replay attacks were trivial. AppKey extraction from compromised devices breaks one device family.
  • Mirai-style IoT botnets. Default credentials, unpatched firmware, weak crypto. Powered the largest DDoS attacks in history.
  • Bluetooth attacks. BlueBorne (2017), KNOB (2019), BLESA (2020). Affects billions of devices.
  • Wi-Fi attacks. WPA2 KRACK, WPA3 Dragonblood, Pixie Dust on WPS, FragAttacks (2021).
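As an added illustration of the LoRaWAN frame-counter item above (example code, not from the original page), this is the check a network server needs in order to reject replayed uplinks: the 16-bit FCnt on the air is expanded to the full 32-bit counter and must strictly increase by no more than MAX_FCNT_GAP (16384 in LoRaWAN 1.0.x). The DeviceState class, the function names, and the frame sequence are constructed for the example.

```python
from dataclasses import dataclass

MAX_FCNT_GAP = 16384  # LoRaWAN 1.0.x MAX_FCNT_GAP: larger jumps are not trusted


@dataclass
class DeviceState:
    """Per-device counter state kept by a (hypothetical) network server."""
    last_fcnt: int = -1  # full 32-bit FCntUp of the last accepted frame; -1 = none yet


def reconstruct_fcnt(last_fcnt: int, fcnt16: int) -> int:
    """Rebuild the 32-bit FCntUp from the 16 bits carried in the frame.

    Returns the smallest 32-bit value above last_fcnt whose low 16 bits
    equal fcnt16, so a wrap of the 16-bit field is handled correctly.
    """
    if not 0 <= fcnt16 <= 0xFFFF:
        raise ValueError("FCnt field on the air is 16 bits")
    if last_fcnt < 0:            # first frame after join: take the value as-is
        return fcnt16
    candidate = (last_fcnt & 0xFFFF0000) | fcnt16
    if candidate <= last_fcnt:   # low bits went backwards: assume a 16-bit wrap
        candidate += 0x10000
    return candidate & 0xFFFFFFFF


def accept_uplink_unchecked(state: DeviceState, fcnt16: int) -> bool:
    """Weak behaviour: the MIC is verified but the counter is never enforced,
    so a captured frame replayed later is processed again."""
    return True


def accept_uplink(state: DeviceState, fcnt16: int) -> tuple[bool, str]:
    """Hardened check: FCntUp must strictly increase, by at most MAX_FCNT_GAP.

    A replayed or out-of-order frame reconstructs to roughly last_fcnt + 65536,
    which always exceeds the allowed gap, so it is rejected. A device whose
    counter restarted (ABP reset without re-join) is rejected for the same
    reason and has to re-join."""
    fcnt = reconstruct_fcnt(state.last_fcnt, fcnt16)
    gap = fcnt - state.last_fcnt
    if state.last_fcnt >= 0 and gap > MAX_FCNT_GAP:
        return False, f"FCnt {fcnt16:#06x} rejected: replay/out-of-order or gap {gap}"
    state.last_fcnt = fcnt
    return True, f"FCnt {fcnt16:#06x} accepted as {fcnt}"


def replay_demo() -> list[bool]:
    """Constructed sequence: two good frames just below the 16-bit wrap, a replay
    of the first one, a legitimate frame after the wrap, then an implausible jump.
    Returns the accept/reject decision per frame."""
    state = DeviceState()
    frames = [0xFFFD, 0xFFFE, 0xFFFD, 0x0001, 0x8000]
    return [accept_uplink(state, f)[0] for f in frames]
```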