
Overview

Red Team SIGINT

Practical SDR hacking for mission-critical, automotive, aviation, and marine targets

Training

Introduction

Hands-on exercises such as intercepting and decrypting handheld radio comms and breaking automotive security systems are alternated with thorough overviews of relevant RF protocols and their security posture as well as case studies of real-world RF attacks on railways, water utilities, drones, and police/military radios.

This course will first be given at Black Hat Europe 2025.

This practically-oriented course, aimed at red team operators and pentesters, will teach attendees the fundamentals of RF, SDR, and SIGINT before quickly moving on to effective guidance on identifying and decoding unknown signals as well as exploiting common pitfalls in RF security.

Where other SDR trainings tend to focus on enterprise and IoT RF protocols such as 4G/5G, WiFi, RFID, and BT, this training focuses on important but rarely addressed RF technologies such as automotive, aviation, marine, and physical access control RF protocols and mission-critical radio (e.g. TETRA, DMR, P25) used by police, military, private security, and critical infrastructure.

Course overview

Have you ever had to deal with attacking an RF signal and tutorials on the Flipper Zero didn't get you anywhere?
Have you ever wanted to listen in to a security team's radio communications during a physical red team engagement?
Did you ever think covertly breaking into corporate vehicle fleets or garages should be in-scope, but didn't know how to approach this?

Then this is the course for you.

In an increasingly wireless world we are surrounded by readily exploitable signals everywhere. Yet too often Red Team operations and pentests leave the RF spectrum unaddressed due to a lack of specialist knowledge and experience, especially when it comes to sensitive RF protocols not typically encountered in conventional enterprise and IoT contexts.

This practically-oriented course, taught by the Midnight Blue team known for their TETRA research, aims to equip security practitioners with field-relevant RF security knowledge and experience. While it thoroughly covers the fundamentals of RF, SDR, and SIGINT, it avoids math-heavy RF engineering with limited relevance to day-to-day operational reality.

Instead, this course will provide attendees with a structured, step-by-step approach to the Signals Intelligence (SIGINT) cycle of targeting, identifying, collecting, processing, and analyzing Signals of Interest (SOIs). This includes the often cumbersome task of getting various special-purpose SDR tools to work on current systems.

Attendees will learn how to exploit such signals with commonly available tooling through awareness of common risks and pitfalls in RF security.

Day 1 - Block 1

Basics of SDR and SIGINT

  • Introduction to Radio Frequency (RF), Software Defined Radio (SDR), Digital Signals Processors (DSPs)
  • SDR theory of operation
  • Overview of SDR hardware & software
  • Antenna selection, tuning, positioning, physical proximity & vantage points
  • Building and working with SDR software stacks: SDRangel, Gqrx, GNU Radio, Universal Radio Hacker (URH), DragonOS, Flipper Zero
  • Signals Intelligence (SIGINT) cycle: Signal of Interest (SOI) targeting, identification, collection, processing and analysis on a budget

Day 1 - Block 2

Fundamentals of RF Security

  • Security requirements in RF protocols
  • Common risks and pitfalls: Jamming, replay, relay, cryptanalysis, etc.
  • Case studies: railways, water utilities, emergency systems
  • Automotive and physical access control RF systems: Remote Keyless Entry (RKE), Passive Keyless Entry (PKE), TPMS, gates, barriers, bollards, alarms, etc.
  • Automotive case study: professional car theft rings.
  • Marine case study: tracking & spoofing in piracy and sanctions evasion
  • Aviation RF systems: ADS-B, ACARS/VDL, Unmanned Aircraft Systems (UAS) telecontrol and telemetry protocols
  • Aviation case study: Counter-UAS examples from the Russia-Ukraine war

Day 2 - Block 1 & 2

Professional Mobile Radio (PMR) Security

  • Introduction to Professional Mobile Radio (PMR) / Land Mobile Radio (LMR)
  • Overview of digital PMR standards: TETRA, DMR, P25, dPMR/NXDN, TETRAPOL
  • Geographic & use-case aspects (incl. examples of prominent & relevant users)
  • Terrestrial Trunked Radio (TETRA): Overview, security, vulnerabilities, and available tooling
  • TETRA SIGINT tooling discussion
  • TETRA case study: Real-world TETRA interception incidents
  • Digital Mobile Radio (DMR): Overview, security, vulnerabilities, and available tooling
  • DMR SIGINT tooling discussion
  • DMR case study: DMR usage and targeting in the Russia-Ukraine war, Middle-Eastern conflicts, and Mexican cartels
  • APCO-25 (P25), dPMR/NXDN, TETRAPOL: Overview, security, vulnerabilities, and available tooling

Why you should take this course:

  • Learn the fundamentals of RF, SDR, and the SIGINT cycle to deal with (potentially unknown) RF signals in a structured fashion
  • Learn how to exploit RF signals through knowledge of common flaws, and how to obtain a practical, working SDR tooling setup for various signals
  • Learn how to analyze and exploit mission-critical, automotive, aviation, marine, and physical access control specific RF signals through unique content from instructors with deep hands-on experience consulting to global law enforcement, critical infrastructure, and Fortune 500 companies on RF security

Who should take this course:

  • Red Team operators seeking to build understanding and capability in the RF domain
  • Physical pentesters and "Black Team" covert entry operators seeking to build understanding and capability in the RF domain
  • Pentesters, security consultants, and researchers seeking to build understanding and capability in the RF domain
  • Secure procurement evaluators looking to assess the security of a to-be-procured RF solution
  • Designers and integrators of embedded RF systems wishing to understand offense to play more effective defense

Course Exercises

Exercise 1: Getting the SDR software stack operational

Exercise 2: Spectrum exploration

Exercise 3: Capturing and demodulating the handheld radio signal

Exercise 4: Simple jamming attack

Exercise 5: Breaking an analog voice inversion scrambler

Exercise 6: Sniff & replay attack on automotive RF system

Exercise 7: Breaking a simple rolling code system

Optional exercise: Aviation/marine RF-oriented exercise

Exercise 8: TETRA SOI identification

Exercise 9: Building and extending existing SDR software for TETRA

Exercise 10: Replaying captures for demodulation, decoding, intercepting clear TETRA and network information collection

Exercise 11: Decrypting AIE-protected SDS traffic

Exercise 12: DMR SOI identification

Exercise 13: Building and extending existing SDR software for DMR

Exercise 14: Replaying captures for demodulation, decoding, intercepting clear DMR and network information collection

Exercise 15: Breaking DMR basic/enhanced encryption

Course Exercises

Exercise 1

SDR software stacks

Exercises surrounding the (oftentimes tedious) installation, troubleshooting and use of various SDR tools and their underlying libraries.

Exercise 2

Spectrum exploration

Learn how to use an SDR to explore the RF spectrum, and how to map certain signals to their likely underlying technology.

Exercise 3

Capturing and demodulating the handheld radio signal

Learn how to locate a specific signal in the RF spectrum, and how to demodulate it using open-source tools.

Exercise 4

Simple jamming attack

A demonstration complementing the covered theory on how jamming can and cannot be used against a signal.

Exercise 5

Breaking an analog voice inversion scrambler

An exercise aimed at reconstructing the original voice data from a real-world voice scrambler design.

Exercise 6

Sniff & replay attack on automotive RF system

Learn how to capture a vehicle remote keyless entry signal, and replay it in order to gain access to a vehicle.

Exercise 7

Breaking a simple rolling code system

A holistic exercise involving signal capture, demodulation and analysis in order to recover a cryptographic key used for access control.

Exercise 8

TETRA SOI identification

Practical complement to the theory on how to accurately identify signals encountered in the wild.

Exercise 9

Building and extending existing SDR software for TETRA

Learn how to use the TETRA tooling as an example of advanced open-source SDR software, and how to make small modifications to suit your use case.

Exercise 10

Replaying captures for demodulation, decoding, intercepting clear TETRA and network information collection

Learn how to use or modify tooling to capture RF signals to files, and how to replay those files. Use this to intercept TETRA signals and analyze them.

Exercise 11

Decrypting AIE-protected SDS traffic

Learn the theoretical background, attack a TETRA network in practice, then use the obtained material to decrypt communications.

Exercise 12

DMR SOI identification

Practical exercises covering the DMR radio technology.

Exercise 13

Building and extending existing SDR software for DMR

Work with and extend open-source tooling supporting DMR.

Exercise 14

Replaying captures for demodulation, decoding, intercepting clear DMR and network information collection

Make DMR captures suitable for repeatable analysis, enabling tweaking of parameters and/or tooling.

Exercise 15

Breaking DMR basic/enhanced encryption

Mount practical attacks against DMR.

Provisions and requirements

Students should at least have:

  • Basic familiarity with Linux and Python
  • Understanding of pentesting and red teaming fundamentals
  • Basic familiarity with cryptographic concepts (e.g. block vs stream ciphers, symmetric vs asymmetric cryptography)

Students should bring:

  • Modern laptop with Core i7 CPU or equivalent/better and preferably 32GB+ RAM (absolute minimum 16GB)
  • Laptop should run DragonOS Noble (24.04) or newer. VMs are possible but not preferred due to potential issues.
  • Laptop should have a USB 3.0+ port for SDR hardware

Students will be provided with (as part of the course fee):

  • SDR hardware (platform + antenna)
  • Several exercise targets to keep after the course (e.g. automotive security systems, physical access controls, etc.)
  • Thumb drive with syllabus, exercises, and tooling
  • Certificate of completion

Course contents are an outline only and may be updated at Midnight Blue's discretion.

Upcoming Trainings

Black Hat Europe 2025

Attendance

In person

Trainers

Jos Wetzels
Wouter Bokslag

Dates

December 9-10

Location

London, United Kingdom