
WIR-101 Week 1 — RF Fundamentals and the Wireless Attack Surface


"Every signal is a compromise between bandwidth, power, and noise immunity." — Understanding Digital Signal Processing, Richard Lyons (3rd ed., Introduction)


Lecture (50 min)

1.1 What Is a Radio Wave?

Radio waves are electromagnetic radiation, part of the same spectrum as visible light and X-rays. The difference is frequency. A 2.4 GHz Wi-Fi signal oscillates 2.4 billion times per second; FM radio at 100 MHz oscillates 100 million times per second; your home's AC power line at 60 Hz oscillates 60 times per second.

The key properties:

Frequency (f): oscillations per second, measured in Hz. Higher frequency = shorter wavelength.

Wavelength (λ): physical distance one cycle covers. Determined by: λ = c / f, where c = 3 × 10^8 m/s (speed of light). At 2.4 GHz: λ = 0.125 m (12.5 cm). At 433 MHz: λ = 0.69 m (69 cm). This is why 2.4 GHz antennas are shorter than sub-GHz antennas.

Amplitude: signal strength (power). Measured in watts (absolute) or dBm (decibels relative to 1 milliwatt): dBm = 10 × log10(P / 0.001) with P in watts. A Wi-Fi AP at 20 dBm outputs 100 mW. A signal at -90 dBm is roughly at the noise floor of a 20 MHz Wi-Fi channel; the floor depends on the receiver's bandwidth and noise figure, so a narrowband sub-GHz signal can still be readable well below that level.

Phase: offset of the waveform relative to a reference. Phase shifts encode information in PSK modulation.
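The formulas above carried through in code, as an added example that is not part of the course page. Beyond λ = c/f and the dBm conversion it derives where the "-90 dBm noise floor" figure comes from: thermal noise is kTB (-174 dBm/Hz at 290 K), so the floor scales with receiver bandwidth plus the receiver's noise figure. The 10 dB noise figure and 20 MHz bandwidth used below are assumed values typical of a Wi-Fi receiver, not numbers from the page.

```python
import math

C_M_PER_S = 299_792_458.0   # speed of light
BOLTZMANN = 1.380649e-23    # J/K


def wavelength_m(freq_hz):
    """lambda = c / f."""
    return C_M_PER_S / freq_hz


def quarter_wave_m(freq_hz):
    """Free-space quarter wavelength, the usual starting length for a whip antenna."""
    return wavelength_m(freq_hz) / 4


def mw_to_dbm(p_mw):
    """dBm = 10 * log10(P / 1 mW)."""
    return 10 * math.log10(p_mw)


def dbm_to_mw(p_dbm):
    """Inverse of mw_to_dbm."""
    return 10 ** (p_dbm / 10)


def thermal_noise_floor_dbm(bandwidth_hz, noise_figure_db=0.0, temp_k=290.0):
    """kTB noise in the receiver bandwidth, plus the receiver's own noise figure.
    At 290 K this is -174 dBm/Hz, so a 20 MHz Wi-Fi channel sits near -101 dBm
    before the receiver adds its own noise."""
    noise_mw = BOLTZMANN * temp_k * bandwidth_hz * 1000  # W -> mW
    return mw_to_dbm(noise_mw) + noise_figure_db


if __name__ == "__main__":
    for f in (315e6, 433.92e6, 915e6, 2.4e9):
        print(f"{f / 1e6:8.2f} MHz  lambda = {wavelength_m(f) * 100:6.1f} cm  "
              f"quarter-wave = {quarter_wave_m(f) * 100:5.1f} cm")
    print("20 dBm =", dbm_to_mw(20), "mW;  -90 dBm =", dbm_to_mw(-90), "mW")
    # Assumed receiver: 20 MHz channel, 10 dB noise figure (illustrative values).
    print("noise floor, 20 MHz, NF 10 dB:",
          round(thermal_noise_floor_dbm(20e6, noise_figure_db=10.0), 1), "dBm")
```

The noise-floor function is the practical one: it tells you whether a weak sub-GHz sensor at, say, -105 dBm is hopeless or merely needs a narrower filter, since a 100 kHz receiver bandwidth lowers the floor by 23 dB relative to a 20 MHz one.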

1.2 The ISM Band Map

Industrial, Scientific, and Medical (ISM) bands are set aside internationally for unlicensed operation, with regional differences: the table below mixes US and EU allocations, and the 5 GHz U-NII and 6 GHz rows are unlicensed Wi-Fi allocations rather than ISM bands in the strict sense. FCC Part 15 governs unlicensed use in the US.

Band      Frequency            Common Use
Sub-GHz   315 MHz              US garage door openers, key fobs
Sub-GHz   433 MHz              EU sensors, temperature monitors, alarms
Sub-GHz   868 MHz              EU LoRa, Z-Wave Europe
Sub-GHz   915 MHz              US LoRa, Zigbee, RFID
2.4 GHz   2.400-2.4835 GHz     Wi-Fi (802.11b/g/n/ax), Bluetooth, Zigbee, microwave ovens
5 GHz     5.150-5.825 GHz      Wi-Fi (802.11a/n/ac/ax), UNII-1 through UNII-3
6 GHz     5.925-7.125 GHz      Wi-Fi 6E, Wi-Fi 7 (802.11ax/be)

Why this matters for security: ISM bands are crowded and uncoordinated. Any device operating at legal power levels within these bands can be received by anyone within range. There is no inherent authentication for "who transmitted this." The security layer, if any, lives in the protocol above the RF layer -- not in the spectrum allocation.

1.3 Modulation Basics: How Data Rides a Carrier

A carrier wave alone carries no information. Modulation encodes data by varying one of three properties:

AM (Amplitude Modulation): Vary the amplitude. On/off keying (OOK) and amplitude shift keying (ASK) are AM variants. Sub-GHz remote controls and RFID often use ASK: logical 1 = carrier on, logical 0 = carrier off (or reduced).

FM (Frequency Modulation): Vary the frequency. Frequency shift keying (FSK) is the digital variant. Bluetooth uses GFSK (Gaussian-filtered FSK). LoRa uses chirp spread spectrum (CSS), in which each symbol is a frequency sweep (chirp) across the channel rather than a fixed tone.

PM (Phase Modulation): Vary the phase. Phase shift keying (PSK) is the digital variant. Wi-Fi uses BPSK, QPSK, and 16/64/256/1024-QAM (which combines phase and amplitude). BPSK uses two phase states (0°, 180°). QPSK uses four (0°, 90°, 180°, 270°) encoding 2 bits per symbol.

Why the modulation matters for attack: different modulation schemes need different demodulators. An RTL-SDR can capture any signal inside its tuning range (roughly 24-1766 MHz for the common R820T tuner) and its ~2.4 MHz instantaneous bandwidth, but the captured IQ samples only become bits once the right demodulator (AM/OOK, FM/FSK, PSK) is applied at the right symbol rate. Run the wrong one and the output is noise; run the right one and the payload decodes.
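The three modulation families above, generated and demodulated on complex IQ samples, as an added example that is not part of the course page. The sample rate (1 kS/s), symbol length (50 samples), FSK deviation (100 Hz) and payload bits are constructed toy values; real SDRs run at MS/s but the detector logic is the same. The last function shows the point made in the paragraph above: a detector built for the wrong modulation returns garbage, not an error.

```python
import cmath
import math
import random

# Constructed parameters: a toy 1 kS/s complex baseband with 50 samples per bit.
FS = 1000.0
SPS = 50
FSK_DEV_HZ = 100.0


def _spread(bits, sps=SPS):
    """Repeat each bit for one symbol period."""
    return [b for b in bits for _ in range(sps)]


def mod_ook(bits):
    """OOK/ASK: carrier on (amplitude 1) for a 1, off (amplitude 0) for a 0."""
    return [complex(b, 0.0) for b in _spread(bits)]


def mod_fsk(bits):
    """2-FSK: +FSK_DEV_HZ tone for a 1, -FSK_DEV_HZ tone for a 0, phase-continuous."""
    out, phase = [], 0.0
    for b in _spread(bits):
        phase += 2 * math.pi * (FSK_DEV_HZ if b else -FSK_DEV_HZ) / FS
        out.append(cmath.exp(1j * phase))
    return out


def mod_bpsk(bits):
    """BPSK: phase 0 (+1) for a 1, phase 180 degrees (-1) for a 0."""
    return [complex(1.0 if b else -1.0, 0.0) for b in _spread(bits)]


def add_noise(iq, snr_db, seed=1):
    """Add complex Gaussian noise for an average SNR of snr_db (fixed seed, so repeatable)."""
    rng = random.Random(seed)
    sig_power = sum(abs(x) ** 2 for x in iq) / len(iq)
    sigma = math.sqrt(sig_power / 10 ** (snr_db / 10) / 2)  # per I/Q component
    return [x + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for x in iq]


def _symbols(iq, sps=SPS):
    return [iq[i:i + sps] for i in range(0, len(iq), sps)]


def demod_ook(iq):
    """Envelope detector: mean magnitude per symbol, threshold at half the strongest symbol."""
    env = [sum(abs(x) for x in s) / len(s) for s in _symbols(iq)]
    thresh = max(env) / 2
    return [1 if e > thresh else 0 for e in env]


def demod_fsk(iq):
    """Quadrature discriminator: the phase advance between consecutive samples is
    positive for the +dev tone and negative for the -dev tone. The sign of the
    frequency is only visible because the samples are complex IQ, not real."""
    bits = []
    for s in _symbols(iq):
        disc = sum(cmath.phase(s[k] * s[k - 1].conjugate()) for k in range(1, len(s)))
        bits.append(1 if disc > 0 else 0)
    return bits


def demod_bpsk(iq):
    """Coherent detector: sign of the integrated in-phase component (assumes the
    receiver's carrier phase reference is already locked to the transmitter)."""
    return [1 if sum(x.real for x in s) > 0 else 0 for s in _symbols(iq)]


def round_trip(bits, snr_db=10.0):
    """Modulate, add noise, demodulate with the matching detector for each scheme."""
    return {
        "ook": demod_ook(add_noise(mod_ook(bits), snr_db)),
        "fsk": demod_fsk(add_noise(mod_fsk(bits), snr_db)),
        "bpsk": demod_bpsk(add_noise(mod_bpsk(bits), snr_db)),
    }


def mismatch(bits):
    """What a wrong detector sees: BPSK has a constant envelope, so an OOK detector
    reports 'always on'; OOK has no frequency shift, so an FSK detector reports all zeros."""
    return {
        "ook_detector_on_bpsk": demod_ook(mod_bpsk(bits)),
        "fsk_detector_on_ook": demod_fsk(mod_ook(bits)),
    }


if __name__ == "__main__":
    BITS = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed payload
    print("sent    ", BITS)
    for scheme, got in round_trip(BITS).items():
        print(f"{scheme:5s} ->", got)
    print("mismatched detectors:", mismatch(BITS))
```

Two design points worth noticing: the FSK discriminator multiplies each sample by the conjugate of the previous one, which is exactly what GQRX's narrow-FM demodulator does to the IQ stream; and the BPSK detector silently assumes a phase reference, which is why real PSK receivers need a carrier-recovery loop before this step works.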

1.4 The Wireless Security Attack Surface

Wireless protocols inherit the full IP stack attack surface (from NET-101 and SEC-101) and add RF-specific attack vectors:

Layer         RF-Specific Threat
Physical      Jamming; replay; eavesdropping; TEMPEST
Data Link     Deauthentication attacks; PMKID capture; rogue AP
Network       Evil twin; DNS spoofing via rogue AP
Application   WPA2-PSK dictionary attack; rolling-code RollJam

The last row is about where the payoff lands, not where the attack runs: the WPA2-PSK dictionary attack is an offline crack of a handshake or PMKID captured at the data-link layer, and RollJam is a physical-layer jam-and-replay against rolling-code remotes.

The attacker who can receive RF is one step ahead of the attacker who cannot: they can observe protocol exchanges, capture cryptographic material, and replay signals without ever touching the target network's IP layer.


Lab Preview

Lab 1 walks you through your first spectrum survey using the RTL-SDR and GQRX. You will tune to FM broadcast, the 2.4 GHz ISM band, and your first sub-GHz band (433 MHz in EU / 315 MHz in US). Note that a stock RTL-SDR tunes only to about 1.7 GHz, so the 2.4 GHz part of the survey needs an SDR or downconverter that reaches that band. The goal is to confirm your SDR setup works and to observe real signals in the wild.


Homework

Reading (45 min): Lyons, Understanding Digital Signal Processing 3rd ed., Ch 1 (Discrete Sequences and Systems) and the Preface (framing of DSP in practice). Do not worry about the math yet; absorb the vocabulary.

Hands-on (60 min): Open GQRX, tune to the FM broadcast band (88-108 MHz), and find at least three stations. Take a screenshot of the waterfall for each. Then, if your SDR tunes that high (a stock RTL-SDR stops near 1.7 GHz), tune to 2.4 GHz and observe (but do not record or capture) the Wi-Fi activity. Write a 1-paragraph observation log: what do you see, and what does the signal density tell you about the environment?


Toolchain Diary Entry

First introduced this week: GQRX, rtl_test, rtl_power

GQRX: spectrum analyzer and AM/FM demodulator GUI for SDR hardware. Quickstart: gqrx, select your RTL-SDR device, set center frequency, widen the waterfall zoom.

rtl_test -s 2400000: hardware smoke test for RTL-SDR. Let it run for a few seconds and confirm the tuner is detected, the sample rate is accepted, and no "lost at least N bytes" messages appear before any lab. (The -t flag is the E4000 tuner range test only; it aborts on the common R820T dongles.)

rtl_power -f START:STOP:STEP -g GAIN -1 output.csv: wide-band power sweep, where STEP is the bin width (e.g. -f 88M:108M:125k) and -1 runs a single pass and exits; add -i SECONDS to set the integration time. Useful for band surveys wider than the RTL-SDR's instantaneous bandwidth (~2.4 MHz): the tool hops across the range and writes one CSV row per chunk, with the per-bin dB values after the date, time, low, high, step and sample-count columns.


Key Terms

  • IQ samples (in-phase / quadrature): the complex baseband representation of a received signal; the raw output of every SDR
  • Sample rate: how many IQ samples per second the SDR captures; sets the observable bandwidth. For complex IQ samples the usable bandwidth equals the sample rate (an RTL-SDR at 2.4 MS/s shows about 2.4 MHz); the familiar Nyquist limit of sample_rate / 2 applies to real-valued sampling, where negative frequencies mirror positive ones
  • dBm: decibel-milliwatt; power level relative to 1 mW; 0 dBm = 1 mW; 20 dBm = 100 mW; -90 dBm is roughly the noise floor of a 20 MHz Wi-Fi channel (thermal noise is -174 dBm/Hz, so the floor scales with receiver bandwidth and noise figure)
  • ISM: Industrial, Scientific, Medical; globally allocated unlicensed spectrum bands
  • OOK / ASK: on-off keying / amplitude shift keying; simplest digital modulation; on = 1, off (or attenuated) = 0