HackRF One for Defensive RF Awareness

How blue teams use HackRF One for defensive RF awareness — spectrum baselining, rogue-transmitter detection, a WIDS monitoring approach, and RF hardening.

HackRF One is usually framed as an offensive tool, but for a blue team it is a defensive RF awareness instrument. A wide-band software-defined radio (1 MHz–6 GHz) lets you baseline the radio environment around a facility, spot rogue transmitters and unauthorized wireless devices, and verify that RF controls actually work. The defensive value is not in transmitting — it is in listening well enough to know what normal looks like, so the abnormal stands out. This guide covers the spectrum-awareness workflow, the detection, and the hardening.

Radio is the one attack surface most security programs never monitor. Rogue access points, unauthorized IoT, and covert transmitters all live in spectrum that no SIEM ingests. Bringing an SDR into the blue-team toolkit maps to MITRE ATT&CK T1200 — Hardware Additions, the technique for unauthorized devices introduced into an environment.

What is HackRF One and why does it matter for defenders?

HackRF One is an open-source, half-duplex software-defined radio that tunes from 1 MHz to 6 GHz with up to 20 MHz of capture bandwidth. Where a Wi-Fi adapter only sees 2.4/5 GHz Wi-Fi, an SDR sees the whole band — garage remotes at 315/433 MHz, TPMS sensors, IoT radios, paging, and more. For a defender, that visibility is the point: you cannot protect a layer you cannot observe.

The defensive use is reconnaissance of your own environment. What transmits near your building? Is there an unexpected device on a sensitive frequency? Did a “secure” wireless control actually use a rolling code, or a replayable fixed one? Those questions are answerable with receive-only SDR work and a disciplined baseline.

How do defenders use a HackRF One?

Use case | What you observe (receive-only) | Defensive outcome
Spectrum baselining | Normal transmitters, frequencies, power | A reference to detect new/rogue signals
Rogue-device discovery | Unexpected emitters in sensitive bands | Find unauthorized IoT/covert devices
Control validation | Whether a remote uses rolling vs fixed code | Prioritize replaceable weak controls
Wireless inventory | Devices and protocols actually in use | Close the gap between policy and reality

The throughline: every use is passive observation that builds a baseline. The attacker uses an SDR to find a weak signal to abuse; the defender uses the same radio to find that weak signal first and fix it.

How to detect rogue RF devices

RF threats show up in two places: on the air and on the host that drives the radio. Cover both.

On the host: unauthorized SDR or RTL hardware

An SDR plugged into a corporate workstation is a hardware addition worth flagging. Endpoint device-control or USB telemetry catches the common chipsets.

Sigma Unauthorized SDR or RTL Device Attached to a Host
title: Unauthorized SDR or RTL Device Attached to a Host
id: 5d1a8c34-darkpwn-illustrative
status: experimental
logsource:
  category: driver_load
  product: windows
detection:
  selection:
    # Match on the device/driver description strings your USB or PnP telemetry exposes;
    # the field name below is illustrative and must be mapped to your own log source.
    DeviceDescription|contains: ['HackRF','RTL2832','Great Scott','Realtek SDR','Airspy','bladeRF']
  condition: selection
falsepositives:
  - Authorized RF/research workstations (allowlist by host)
level: medium

On the air: a wireless IDS baseline

A wireless IDS (Kismet, nzyme) records the air around you; alerting on deviations from your baseline surfaces rogue APs and unexpected transmitters — the same behavioral-baseline approach used in Sigma rules that actually fire.

SPL Rogue Transmitter or Unexpected BSSID From WIDS Telemetry
index=wids sourcetype=kismet:device
| stats earliest(_time) AS first_seen, max(signal_dbm) AS power by bssid, ssid, channel
| lookup wireless_baseline bssid OUTPUT status
| where isnull(status) AND power > -70
| sort - power

How to set up a defensive RF lab safely

  1. Start receive-only with HackRF One (or a cheap RTL-SDR for learning) and a tool like GQRX or SDR++ to visualize the spectrum.
  2. Baseline your environment: capture the normal signals, frequencies, and power levels at different times and locations.
  3. Add a wireless IDS (Kismet/nzyme) for continuous 2.4/5 GHz monitoring and rogue-AP alerting.
  4. For any transmit testing (e.g., validating a rolling code), use a shielded enclosure so you never radiate into regulated spectrum.
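Step 2 is the part most teams skip, so here is an added example (not from the original guide) of what a spectrum baseline actually looks like in code. It assumes sweeps in the CSV layout that hackrf_sweep emits (date, time, hz_low, hz_high, hz_bin_width, num_samples, then one dB value per bin); the sweep rows themselves are constructed, and the 15 dB rise and -70 dBm floor are assumed thresholds to tune against your own environment.

```python
"""Spectrum baseline vs. new sweep: flag emitters that were not there before."""
from statistics import median

# Constructed sample rows in hackrf_sweep's CSV layout, 433-434 MHz, four 250 kHz bins:
# date, time, hz_low, hz_high, hz_bin_width, num_samples, dB per bin...
BASELINE_SWEEPS = [
    "2024-01-01, 09:00:00.000000, 433000000, 434000000, 250000.00, 20, -85.0, -84.0, -86.0, -85.5",
    "2024-01-01, 13:00:00.000000, 433000000, 434000000, 250000.00, 20, -84.5, -83.0, -85.0, -84.0",
    "2024-01-01, 18:00:00.000000, 433000000, 434000000, 250000.00, 20, -86.0, -84.5, -85.5, -86.0",
]
# Constructed later sweep with a new strong signal in the middle two bins.
NEW_SWEEP = "2024-01-02, 10:00:00.000000, 433000000, 434000000, 250000.00, 20, -85.0, -52.0, -50.0, -84.0"


def parse_sweep(line):
    """Return {bin_center_hz: power_db} for one sweep row."""
    fields = [f.strip() for f in line.split(",")]
    hz_low, bin_width = int(fields[2]), float(fields[4])
    powers = [float(v) for v in fields[6:]]
    return {int(hz_low + bin_width * (i + 0.5)): p for i, p in enumerate(powers)}


def build_baseline(lines):
    """Per-bin median power across several 'normal' sweeps taken at different times."""
    per_bin = {}
    for line in lines:
        for hz, p in parse_sweep(line).items():
            per_bin.setdefault(hz, []).append(p)
    return {hz: median(ps) for hz, ps in per_bin.items()}


def _summarise(run):
    peak_hz, peak_db = max(run, key=lambda t: t[1])
    return {"peak_hz": peak_hz, "peak_db": peak_db, "bins": len(run)}


def find_new_emitters(baseline, sweep_line, rise_db=15.0, floor_dbm=-70.0):
    """Bins at least rise_db above baseline AND above an absolute floor are 'hot';
    adjacent hot bins are merged into one emitter so a wide signal is one alert."""
    emitters, run = [], []
    for hz, p in sorted(parse_sweep(sweep_line).items()):
        base = baseline.get(hz)
        if base is not None and p - base >= rise_db and p > floor_dbm:
            run.append((hz, p))
        elif run:
            emitters.append(_summarise(run))
            run = []
    if run:
        emitters.append(_summarise(run))
    return emitters
```

Feed it one row per sweep from a long-running capture and alert on any emitter returned; a sweep that matches the baseline returns an empty list.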

How to harden against RF threats

  • Device-control policy on endpoints to block or alert on unauthorized SDR/USB radios.
  • Physical RF surveys of sensitive areas to find covert transmitters that no network tool would ever see.
  • Map RF assets — know every authorized transmitter so the unauthorized one stands out.

Common RF-monitoring mistakes

  • No baseline. Without a reference of “normal,” every signal looks suspicious or none does. Baseline first.
  • Transmitting carelessly. Radiating in regulated bands is illegal and unsafe — receive-only by default.
  • Ignoring the host side. A rogue SDR on a corporate machine is invisible to air monitoring; cover endpoints too.
  • Treating Wi-Fi as the whole spectrum. Most RF risk lives outside 2.4/5 GHz.

HackRF defensive RF awareness checklist

  1. Acquire an SDR (HackRF One, or RTL-SDR to learn) and a spectrum viewer (GQRX/SDR++).
  2. Baseline the normal spectrum and wireless inventory by location and time.
  3. Deploy a wireless IDS (Kismet/nzyme) for continuous rogue-AP/transmitter alerts.
  4. Add endpoint device-control telemetry for unauthorized SDR/RTL hardware.
  5. Keep all monitoring receive-only; shield any transmit testing.
  6. Alert on new strong emitters, unexpected BSSIDs, and unauthorized RF hardware.
  7. Retire fixed-code/unencrypted RF; enforce rolling codes, encrypted badges, WPA3/802.11w.
  8. Run periodic physical RF surveys of sensitive areas.

The takeaway

HackRF One earns its place on the blue team as a defensive RF awareness tool: listen, baseline, and detect the rogue transmitter before an attacker exploits it — all receive-only and within the law. Pair it with WPA2 PMKID capture detection and WiFi deauthentication detection, or explore the full Hardware Security pillar.

Frequently asked questions

What is a HackRF One used for in defense?

A HackRF One is a wide-band software-defined radio (1 MHz–6 GHz) that blue teams use for defensive RF awareness — baselining the normal radio environment around a facility, spotting rogue transmitters and unauthorized wireless devices, and validating that controls like rolling codes and management-frame protection behave as expected in a controlled lab.

Is using a HackRF One legal?

Owning and receiving with an SDR is broadly legal in most jurisdictions, but transmitting is heavily regulated (in the US, FCC rules) and intercepting certain communications is restricted. Use it for receive-only spectrum awareness, and only transmit in a shielded lab or on bands you are licensed for, against systems you own or are authorized to test.

How do you detect rogue RF devices?

Baseline the expected spectrum and wireless inventory, then alert on deviations — new BSSIDs, unexpected transmitters in sensitive bands, and unauthorized SDR/RTL hardware attached to corporate hosts. A wireless IDS (Kismet, nzyme) plus endpoint device-control telemetry covers both the air and the host.

What is the difference between HackRF One and an RTL-SDR?

An RTL-SDR is a cheap, receive-only dongle covering roughly 24 MHz–1.7 GHz — fine for learning and basic monitoring. HackRF One is a half-duplex transceiver covering 1 MHz–6 GHz with a much wider capture bandwidth, which is why it is the common choice for serious RF research and lab work.
