
8. Radio and Wireless Security

The air is the hardest network to secure. RF signals travel where they please, and any attacker with an antenna gets a copy.

8.1 SDR for security

Software-Defined Radio is the unifying tool. A single piece of hardware (RTL-SDR at about $30, receive only; HackRF One at about $300, half-duplex transmit and receive from 1 MHz to 6 GHz; USRP at $1,500-5,000) covers from a few MHz to several GHz, with modulation, demodulation, and protocol handling done in software. GNU Radio plus a HackRF is enough to attack most pre-2015 RF systems. The receive-only RTL-SDR is sufficient for capture and analysis but not for replay or spoofing, which need a transmitter.

8.2 Replay attacks on legacy remotes

Old garage-door openers, gate openers, and key fobs transmit a fixed code, often only 8 to 12 bits set by DIP switches, using OOK or FSK on 315 MHz (North America) or 433.92 MHz (Europe and Asia). The frame is repeated for as long as the button is held and carries no freshness at all: capture once, replay, done. The 2010s saw a cottage industry of "garage door hackers" demonstrating this with sub-$100 SDR setups; a receive-only dongle for the capture plus a cheap 433 MHz transmitter module for the replay is enough.
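The capture-and-decode step for such a remote, as an added example that is not part of the original page or any vendor's code. It models a PT2262-style pulse-width OOK frame (short-high/long-gap is a 0, long-high/short-gap is a 1, a long gap marks the frame boundary); the pulse lengths, the 12-bit code width and the noise model are assumptions chosen for illustration, and the "capture" is constructed in software rather than recorded off air.

```python
import random

# Timing model for a PT2262-style fixed-code remote (assumed values, in samples
# of the demodulated envelope; a real capture would be measured, not assumed).
SHORT = 4          # short pulse
LONG = 12          # long pulse
SYNC_GAP = 124     # silence between repeated frames
NBITS = 12         # bits per frame
THRESHOLD = 0.5    # amplitude threshold separating carrier-on from carrier-off


def encode_frame(code: int) -> list[float]:
    """Ideal envelope for one frame: each bit is a high pulse then a low gap
    (short/long = 0, long/short = 1), followed by a sync pulse and long gap."""
    env: list[float] = []
    for i in range(NBITS - 1, -1, -1):
        bit = (code >> i) & 1
        high, low = (LONG, SHORT) if bit else (SHORT, LONG)
        env += [1.0] * high + [0.0] * low
    env += [1.0] * SHORT + [0.0] * SYNC_GAP
    return env


def make_capture(code: int, repeats: int = 3, seed: int = 1) -> list[float]:
    """Constructed 'capture': the ideal envelope of `repeats` frames with bounded
    receiver noise added. Remotes repeat the frame while the button is held,
    which is what makes an off-air capture easy."""
    rng = random.Random(seed)
    return [s + rng.uniform(-0.2, 0.2) for s in encode_frame(code) * repeats]


def run_lengths(samples: list[float]) -> list[list[int]]:
    """Slice the envelope into [level, length] runs after thresholding."""
    runs: list[list[int]] = []
    for s in samples:
        level = 1 if s > THRESHOLD else 0
        if runs and runs[-1][0] == level:
            runs[-1][1] += 1
        else:
            runs.append([level, 1])
    return runs


def decode_frames(samples: list[float]) -> list[int]:
    """Recover every complete NBITS-bit code in a capture. A frame that was
    cut off at the start of the capture has too few bits and is discarded."""
    runs = run_lengths(samples)
    mid = (SHORT + LONG) // 2
    codes: list[int] = []
    bits: list[int] = []
    i = 0
    while i < len(runs):
        level, n = runs[i]
        if level == 0:
            if n > 2 * LONG:                    # sync gap: frame boundary
                if len(bits) == NBITS:
                    codes.append(int("".join(map(str, bits)), 2))
                bits = []
            i += 1
        elif i + 1 < len(runs) and runs[i + 1][1] <= 2 * LONG:
            bits.append(1 if n > mid else 0)    # classify by high-pulse width
            i += 2                              # consume pulse + gap
        else:
            i += 1                              # sync pulse or truncated tail
    return codes


def forge_from_capture(capture: list[float]) -> list[float]:
    """Attacker side: the decoded code is all a cheap transmitter needs to
    produce a frame the receiver cannot distinguish from the owner's."""
    return encode_frame(decode_frames(capture)[0])
```

The decoder deliberately discards a partial first frame rather than guessing at it; because the remote repeats the frame, the next repetition is always available, and a mis-framed partial decode would otherwise yield a plausible-looking but wrong code.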

8.3 Rolling-code analysis: KeeLoq and beyond

Rolling-code remotes (Microchip KeeLoq, NXP HiTag2) send a counter that increments on every press, encrypted under a per-device key; the receiver accepts only counters ahead of the last one it saw, so a captured transmission is useless once a later one has been received and replay alone fails. Even an unbroken rolling code falls to jam-and-replay (Samy Kamkar's RollJam, 2015): jam the receiver while recording press one, record press two, replay press one so the owner gets in, and keep press two as an unused valid code. The cipher itself also fell. KeeLoq's 32-bit block, 64-bit key NLFSR was broken in 2008: Indesteege et al. recovered a device key from 2^16 known plaintext/ciphertext pairs, and Eisenbarth et al. (CHES 2008) used differential power analysis to extract the key from a remote, and the manufacturer key from a receiver, with a handful of power traces. Because device keys are derived from the manufacturer key and the serial number sent in clear, a leaked manufacturer key compromises every fob in the product line, and whole car-key fob fleets fell. The 2018 Tesla Model S key-fob attack (KU Leuven COSIC, Wouters et al.) targeted the 40-bit DST40 cipher rather than KeeLoq: two challenge/response pairs collected over RF plus a precomputed table recovered the key in seconds, after which a cloned fob unlocked and started the car.
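The mechanism the replay defence relies on, as an added example that is not the page's or Microchip's code: the published KeeLoq cipher (32-bit block, 64-bit key, 528 rounds, non-linear function 0x3A5C742E), the standard hopping-code layout (counter in bits 0-15, discrimination value in 16-27, button in 28-31), and a receiver implementing the usual acceptance windows (up to 16 counts ahead accepted immediately, further ahead only with two consecutive presses, behind or equal rejected as replay). The key, serial, counter values and window sizes are constructed test values, not from any product.

```python
NLF = 0x3A5C742E   # KeeLoq non-linear function, indexed by five state bits
ROUNDS = 528


def _bit(x: int, n: int) -> int:
    return (x >> n) & 1


def _nlf(x: int, a: int, b: int, c: int, d: int, e: int) -> int:
    idx = (_bit(x, a) | _bit(x, b) << 1 | _bit(x, c) << 2
           | _bit(x, d) << 3 | _bit(x, e) << 4)
    return _bit(NLF, idx)


def keeloq_encrypt(block: int, key: int) -> int:
    """KeeLoq encryption: 32-bit block, 64-bit key, 528 NLFSR rounds."""
    x = block & 0xFFFFFFFF
    for r in range(ROUNDS):
        fb = (_bit(x, 0) ^ _bit(x, 16) ^ _bit(key, r & 63)
              ^ _nlf(x, 1, 9, 20, 26, 31))
        x = (x >> 1) | (fb << 31)
    return x


def keeloq_decrypt(block: int, key: int) -> int:
    """Inverse of keeloq_encrypt (rounds run backwards, key bits from 15 down)."""
    x = block & 0xFFFFFFFF
    for r in range(ROUNDS):
        fb = (_bit(x, 31) ^ _bit(x, 15) ^ _bit(key, (15 - r) & 63)
              ^ _nlf(x, 0, 8, 19, 25, 30))
        x = ((x << 1) & 0xFFFFFFFF) | fb
    return x


def make_hop(counter: int, serial: int, button: int, key: int) -> int:
    """Fob side: encrypt {button[4] | discrimination[12] | counter[16]}.
    The discrimination value is the low 10 bits of the serial (overflow bits
    left 0); the serial itself is transmitted in clear alongside the hop."""
    plain = ((button & 0xF) << 28) | ((serial & 0x3FF) << 16) | (counter & 0xFFFF)
    return keeloq_encrypt(plain, key)


class Receiver:
    """Receiver with single (16) and double (up to 32767) operation windows."""

    def __init__(self, serial: int, key: int, counter: int):
        self.serial, self.key = serial, key
        self.counter = counter        # last accepted counter
        self.pending = None           # first half of a resync pair

    def accept(self, serial: int, hop: int) -> str:
        if serial != self.serial:
            return "reject: unknown serial"
        plain = keeloq_decrypt(hop, self.key)
        if ((plain >> 16) & 0x3FF) != (self.serial & 0x3FF):
            return "reject: discrimination"      # not encrypted under our key
        ctr = plain & 0xFFFF
        delta = (ctr - self.counter) & 0xFFFF    # mod 2^16, so wrap-around works
        if 1 <= delta <= 16:
            self.counter, self.pending = ctr, None
            return "accept"
        if 16 < delta < 0x8000:
            if self.pending is not None and ctr == ((self.pending + 1) & 0xFFFF):
                self.counter, self.pending = ctr, None
                return "accept: resync"
            self.pending = ctr
            return "reject: resync pending"
        return "reject: replay"                  # delta == 0 or counter behind


def demo() -> list[str]:
    key, serial = 0x5CEC6701B79FD949, 0x0A1B2C3     # constructed test values
    rx = Receiver(serial, key, counter=100)
    press1 = make_hop(101, serial, 0x2, key)
    out = [rx.accept(serial, press1)]                 # fresh press
    out.append(rx.accept(serial, press1))             # attacker replays it
    out.append(rx.accept(serial, make_hop(200, serial, 0x2, key)))  # 99 presses out of range
    out.append(rx.accept(serial, make_hop(201, serial, 0x2, key)))  # next press completes resync
    out.append(rx.accept(serial, make_hop(202, serial, 0x2, key ^ 1)))  # wrong key
    return out
```

Note what the receiver cannot detect: a hop with a counter one ahead that the attacker captured earlier and withheld (the RollJam case) is indistinguishable from a legitimate press, which is why the defence against that attack is out-of-band (acknowledged transmissions or a time element), not a tighter window.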

8.4 NFC/RFID skimming and the Mifare Classic crack

ISO/IEC 14443 contactless cards operate at 13.56 MHz. The Mifare Classic, the dominant transit and access-control card of the 2000s, used a proprietary stream cipher called CRYPTO1 with a 48-bit key and a weak 16-bit pseudorandom nonce generator. In 2007-2008 Karsten Nohl and Henryk Plötz decapped a Mifare Classic, optically reverse-engineered the CRYPTO1 logic from the gate layout, and found the cipher cryptographically weak; the Radboud University group (Garcia et al., 2008-2009) then published practical key-recovery attacks, including card-only attacks that recover a sector key from the card itself in seconds. Within a year every transit and access system built on Mifare Classic was exposed, and open-source tooling (mfoc, mfcuk, later the Proxmark firmware) made cloning routine. The fix was migration to Mifare DESFire EV1 or Mifare Plus, both AES-based, a process that took a decade across card bases and reader fleets.

8.5 Bluetooth

Bluetooth has a chronic, repeating vulnerability story. BlueBorne (2017) was a set of eight vulnerabilities in the Android, Linux, Windows and iOS Bluetooth stacks, several giving remote code execution over the air with no pairing, affecting billions of devices. KNOB (2019) showed that BR/EDR encryption key size negotiation is neither authenticated nor integrity-protected, so a man-in-the-middle can force both sides to agree on 1 byte of key entropy, after which the key is brute-forced in real time and the link is effectively plaintext. BIAS (2020) impersonated a previously paired device, exploiting that legacy authentication is one-way and a role switch is unauthenticated. BLESA (2020) attacked BLE reconnection, where the specification leaves re-authentication optional and several stacks accepted data from an unauthenticated "reconnecting" peer. The pattern: a complex protocol stack whose security parameters are negotiated in a way an MITM can downgrade, with the negotiation not bound to the authenticated pairing.

8.6 Wi-Fi: KRACK and beyond

WPA2 was the standard for over a decade until KRACK (Key Reinstallation Attack, 2017) by Vanhoef and Piessens broke the four-way handshake. By blocking and later retransmitting message 3, an attacker makes the client reinstall the pairwise key (PTK) it already has; installation resets the packet number used as the CCMP/GCMP nonce and the replay counter, so later frames reuse keystream, and nonce reuse under AES-CTR lets the attacker decrypt (and, with GCMP, forge) frames. Nothing was wrong with the cipher; the key-installation state machine was. The fix was software, but it had to reach every client (and, for the FT and group-key handshakes, every AP) in the world. WPA3 replaces the PSK handshake with SAE (Simultaneous Authentication of Equals), a password-authenticated key exchange that gives forward secrecy and resists offline dictionary attacks; it has had its own issues (Dragonblood 2019: side channels and downgrade attacks on SAE implementations), but is structurally stronger.
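Why reinstalling a key that is already in use is fatal for a nonce-based cipher, as an added example that is not the paper's or any Wi-Fi stack's code. CCMP derives its keystream from the PTK and the 48-bit packet number; here an HMAC-SHA256 counter-mode keystream stands in for AES-CTR (an assumption made so the example runs with only the standard library; the keystream-reuse property is identical). The supplicant models the message-3 handling KRACK abuses and the patched behaviour that refuses to reinstall an already-installed key; the PTK and frame contents are constructed.

```python
import hashlib
import hmac


def keystream(ptk: bytes, pn: int, length: int) -> bytes:
    """Counter-mode keystream for packet number `pn`. CCMP uses AES-CTR keyed by
    the PTK with the PN in the nonce; HMAC-SHA256 over (PN, block index) stands
    in for AES here (assumption). What matters is that the keystream is a pure
    function of (key, PN): a repeated PN under one key repeats the keystream."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(ptk, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Minimal client state for the PTK: install on message 3, then count."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.pn = 0        # packet number; reset to 0 on key installation

    def on_message3(self, ptk: bytes) -> bool:
        """Returns True if the key was (re)installed."""
        if self.patched and self.ptk == ptk:
            return False   # fix: never reinstall a key that is already in use
        self.ptk = ptk
        self.pn = 0        # the reset that KRACK exploits
        return True

    def send(self, plaintext: bytes) -> tuple[int, bytes]:
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def krack_demo(patched: bool) -> dict:
    """Attacker withholds message 3, lets one frame go out, then delivers the
    retransmitted message 3 so the next frame is encrypted under PN 1 again."""
    ptk = hashlib.sha256(b"constructed PTK from a 4-way handshake").digest()
    client = Supplicant(patched)
    client.on_message3(ptk)
    known = b"GET / HTTP/1.1\r\nHost: example.test\r\n"      # predictable frame
    secret = b"Cookie: session=9f2c1d0e4b7a8c63a5\r\n"
    pn1, ct1 = client.send(known)
    reinstalled = client.on_message3(ptk)             # replayed message 3
    pn2, ct2 = client.send(secret)
    recovered = None
    if pn1 == pn2:                                    # nonce reuse: same keystream
        recovered = xor(ct2, xor(ct1, known))         # ct2 ^ (ct1 ^ pt1) = pt2
    return {"reinstalled": reinstalled, "pn": (pn1, pn2), "recovered": recovered}
```

The attacker never learns the PTK; one predictable plaintext (HTTP requests, DHCP, DNS) is enough to peel the keystream off and decrypt everything else sent under the repeated packet number.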

8.7 Cellular: SS7, IMSI catchers, and 5G

GSM's A5/1 stream cipher was effectively broken by 2009, when Nohl's project published precomputed rainbow tables (about 2 TB) and demonstrated near-real-time decryption from a few seconds of capture. SS7, the inter-carrier signaling protocol, trusts any connected carrier; nation-state actors and criminals with SS7 access have used its location and routing messages to redirect SMS and bypass SMS-based 2FA (the 2017 thefts from German O2 customers are the public case). IMSI catchers (Stingrays) are rogue base stations that advertise a stronger signal so nearby phones camp on them, leaking the IMSI and, on 2G, downgrading to A5/0 (no encryption) or A5/1. 4G LTE brought AES-based ciphering (EEA2) and mutual authentication (EPS-AKA); 5G adds home-network control of authentication and conceals the permanent identifier (the SUPI is sent only as an encrypted SUCI), so passive IMSI catching fails, but RAN-side attacks continue and open-source stacks (srsRAN, OpenAirInterface) make a rogue cell cheap to build.

8.8 GPS spoofing and jamming

Civil GPS (L1 C/A) signals are unencrypted, publicly documented, and arrive at about -130 dBm, below the thermal noise floor, so a $300 SDR transmitting a synthesized constellation from a few metres away overpowers the real signal and the receiver locks onto the fake. The 2013 University of Texas yacht spoof (Humphreys' group steering the White Rose of Drachs off course from on board) and the 2017 Black Sea incident (some 20 ships reporting positions at an inland airport) are the canonical demonstrations. Military receivers using the encrypted P(Y) and M codes resist spoofing; civil receivers do not unless they add plausibility checks (received-power monitoring, multi-antenna direction of arrival, cross-checks against inertial sensors), and whole-of-economy positioning and timing depends on civil GPS.

8.9 Defenses

  • Strong, authenticated link-layer encryption (WPA3-SAE, Bluetooth 4.2 LE Secure Connections, 5G NR ciphering) with downgrade protection: refuse legacy modes and, for Bluetooth BR/EDR, enforce a minimum encryption key size of 7 bytes (the KNOB mitigation).
  • Frequency hopping and spread spectrum (military radios, Bluetooth); these raise the cost of jamming and casual capture but are not confidentiality.
  • Mutual authentication, so a rogue base station or access point cannot simply assert its identity.
  • Replay-resistant counters or nonces bound to the key, never reset for a key already in use.
  • Anti-jam techniques (null-steering antennas, FHSS).
  • Detection: spectrum monitoring for rogue base stations and unexpected transmitters, GPS sanity-checking against IMU/odometry and received signal power.
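The last bullet's GPS cross-check, as an added example that is not from the page or any receiver vendor: each fix is compared with the distance the vehicle's own odometer reports since the previous fix, and with the speed the fix implies. A spoofed solution disagrees with the odometer by far more than GPS error can explain, a seized solution implies an impossible speed, and a spoofer's time is often not monotonic. The track, odometer readings and thresholds are constructed values chosen for a road vehicle.

```python
import math

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_track(fixes, odometer_m, max_disagreement_m=30.0, max_speed_mps=60.0):
    """fixes: [(t_seconds, lat, lon)] as reported by the GPS receiver.
    odometer_m: cumulative distance from the vehicle's wheel sensor at each fix.
    Returns [(index, reason)] for fixes that fail plausibility. Thresholds are
    assumptions: ~30 m covers GPS error plus odometer slip between fixes, and
    60 m/s (216 km/h) is above any legitimate road speed."""
    flags = []
    for i in range(1, len(fixes)):
        t0, la0, lo0 = fixes[i - 1]
        t1, la1, lo1 = fixes[i]
        dt = t1 - t0
        if dt <= 0:
            flags.append((i, "gps time not increasing"))
            continue
        d_gps = haversine_m(la0, lo0, la1, lo1)
        d_odo = odometer_m[i] - odometer_m[i - 1]
        if d_gps / dt > max_speed_mps:
            flags.append((i, "implied speed exceeds limit"))
        elif abs(d_gps - d_odo) > max_disagreement_m:
            flags.append((i, "disagrees with odometer"))
    return flags


def offset(lat, lon, north_m, east_m):
    """Move a lat/lon by metres (flat-earth approximation, fine below ~10 km)."""
    dlat = math.degrees(north_m / EARTH_RADIUS_M)
    dlon = math.degrees(east_m / (EARTH_RADIUS_M * math.cos(math.radians(lat))))
    return lat + dlat, lon + dlon


def demo():
    """Constructed track: steady 15 m/s north for four fixes, then a subtle
    100 m drag on the fifth fix, then a 2 km jump on the sixth."""
    lat, lon = 51.5000, -0.1200
    fixes, odo = [(0.0, lat, lon)], [0.0]
    for k in range(1, 4):
        la, lo = offset(lat, lon, 150.0 * k, 0.0)
        fixes.append((10.0 * k, la, lo))
        odo.append(150.0 * k)
    la, lo = offset(lat, lon, 150.0 * 4 + 100.0, 0.0)   # spoofed: 100 m too far
    fixes.append((40.0, la, lo))
    odo.append(600.0)
    la, lo = offset(la, lo, 0.0, 2000.0)                 # spoofed: 2 km jump
    fixes.append((50.0, la, lo))
    odo.append(750.0)
    return check_track(fixes, odo)
```

A subtle spoofer that drags the solution slowly stays under the speed limit, so the odometer comparison, not the speed check, is what catches it; tightening `max_disagreement_m` trades false alarms from wheel slip and multipath against how slowly an attacker can drag the fix unnoticed.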