Surveillance Detection: The SDR Audit and the Logic of the Invisible Pulse

You walk into a coffee shop and pick the corner table, the one with your back to the wall. Feels private. It isn’t. In the air around your head, right now, your phone is shouting the names of every Wi-Fi network it has ever joined. Your watch is pulsing a Bluetooth address every two seconds. The shop’s own ceiling sensor is logging the signal strength of both, triangulating exactly where you sat and for how long. You chose the quiet corner. The room already knew you would.

The short version: Software-defined radio (SDR) is a $30–$300 receiver that turns invisible radio signals into a picture you can read on a laptop — from Wi-Fi beacons to IMSI-catchers (fake cell towers that hijack your phone). You can’t defend against tracking you can’t see, and almost nobody can see it. An RTL-SDR dongle plus free software like GQRX or SDR# lets you log what’s normally transmitting in your home over 24 hours, then spot the thing that doesn’t belong: a persistent transmitter outside known bands, a sudden forced drop to 2G in full 5G coverage. Receive-only auditing is legal in most places; transmitting and jamming are not. The goal isn’t paranoia. It’s a baseline — so an anomaly looks obvious instead of invisible.

What is an IMSI-catcher, and why can’t your phone warn you?

Here’s the assumption that gets people. You think a room is “quiet” because your ears say so. Your ears top out around 20 kHz. The surveillance happens between 700 MHz and 6 GHz — a thousand times higher, completely silent, completely constant.

So you walk through a world of transmitters and treat it as empty space. Retail chains run Bluetooth beacon meshes that measure how long you linger at an end-cap. Stadiums and airports triangulate you off Wi-Fi probe requests your phone sends without asking you. And the sharp end of it: an IMSI-catcher, a suitcase-sized device that impersonates a cell tower. Your phone is built to connect to the strongest tower available. The fake tower is the strongest one in the room — so your phone connects, hands over its identity, and can be downgraded to weak 2G encryption where calls and texts are interceptable.

Your phone will not warn you. It is doing exactly what it was designed to do: connect to towers and stay connected. The vulnerability isn’t a bug you can patch — it’s the phone obediently trusting whatever shouts loudest. That trust is the thing being misuseed.

The reframe: you don’t need to win the RF war, you need a baseline

Most people freeze here, because the problem sounds like it requires an electrical-engineering degree and a clean room. It doesn’t. The whole game turns on one shift in thinking.

You will never memorise every legitimate signal in your city. That’s hopeless. But you don’t have to. You only have to know what your environment normally looks like — and then watch for change. Anomaly detection beats encyclopaedic knowledge every time. A radiologist spots the tumour not by knowing every healthy body, but by knowing what this scan should look like.

So the unit of work isn’t “identify everything.” It’s record a baseline once, then compare against it. Log 24 hours of spectrum at home. Wi-Fi sits at 2.4 and 5 GHz, Bluetooth hops around 2.45 GHz, cellular lives in its allocated bands. That’s your normal. The day a narrow, persistent signal appears at an odd frequency at 3am, you don’t need to know what it is to know it wasn’t there yesterday. Yesterday is the whole defence.

How does software-defined radio work? The three-layer model

An SDR replaces a shelf of single-purpose radios with one wideband receiver and software. Three layers do the work.

• The tuner (an R820T2 chip in budget units) pulls in analogue radio across roughly 1 MHz–6 GHz. These are the ears.
• The ADC (analogue-to-digital converter) turns those waves into the digital I/Q data a computer can chew on.
• The software — SDR# on Windows, GQRX on Linux and Mac — paints it as a waterfall: a scrolling picture where the horizontal axis is frequency, the vertical axis is time, and brightness is signal strength.

The leap from an old police scanner is that you aren’t locked to one frequency. You sweep the whole band at once and read the picture. A scanner asks “is anything on channel 12?” An SDR shows you the entire room at a glance — which is the only way to catch the signal you weren’t looking for.

Start cheap. An RTL-SDR dongle costs about $30 and only receives, which is all an audit needs. A HackRF One (~$300) or BladeRF (~$400) adds transmit capability you almost certainly don’t want yet, for legal reasons covered below.

How to run a spectrum audit: the four-step protocol

The point is to get a “normal” on record, then check against it. Make the first step tiny: plug a dongle in tonight and just watch the waterfall scroll. That’s it. Recognising the shape of normal is 80% of the skill.

Step one — baseline your home. Run GQRX continuously for 24 hours and note which frequencies are always lit and which stay dark. Flag anything narrow and persistent that sits outside the known Wi-Fi, Bluetooth, and cellular allocations.

Step two — read the waterfall. Horizontal lines are constant transmitters — normal for Wi-Fi and towers. Vertical spikes are bursts; Bluetooth makes them as it hops ~1,600 times a second across 2.4 GHz. Rapid frequency-hopping is standard inside the 2.4 GHz band and suspicious when it’s slow and sitting somewhere it shouldn’t.

Step three — audit your phone, not just the air. Run an IMSI-catcher detector such as SnoopSnitch (Android), or the gr-gsm scripts, during your daily transit. The classic tell: your phone forced down to 2G in an area with good 4G/5G, weaker encryption, odd authentication patterns.

Step four — signal hygiene. Turn on MAC-address randomisation so your devices stop broadcasting one consistent identifier. Switch Wi-Fi and Bluetooth off when you’re not using them — every live radio is another beacon. For genuinely sensitive moments, a Faraday pouch silences the phone entirely. The cheapest win on this whole list is the off switch: a radio that isn’t transmitting can’t be tracked.

Attribution without IDs: physical-layer fingerprinting

Here’s the part that turns a hobby into evidence. Every transmitter has tiny, involuntary quirks — minute variations in modulation, timing, and clock behaviour baked in by its hardware. Spoofing an ID doesn’t change them. They’re a fingerprint the device can’t take off.

That matters for one reason: it tells the difference between transient and permanent. A signal that appears once is noise. The same physical-layer fingerprint appearing in the same place across days or weeks is an installation — something that was put there and left. Tools like gr-fingerprint and wireless intrusion-detection systems automate the matching, but learning to recognise the pattern by eye is the part that actually makes you sovereign over your own air.

Frequently asked questions

Is owning an SDR illegal?
In most jurisdictions, owning and using an SDR for receive-only monitoring is legal — you’re listening, not broadcasting. Transmitting needs a licence (in the US, FCC Part 15 permits only low-power unlicensed transmit on certain bands). Rules vary by country, so check before buying transmit-capable hardware. Running an IMSI-catcher detector on your phone is legal everywhere; it only listens and alerts.

How far away can I detect a transmitter?
It depends on the transmitter’s power, your antenna gain, and the frequency. A Wi-Fi access point at 20 dBm (100 mW) is typically readable within 100–300 metres indoors. A higher-power IMSI-catcher can show up from one to three kilometres. A directional antenna and a low-noise amplifier extend that range; a basic home baseline needs only 10–20 metres.

What if I detect an unknown transmitter in my home?
Document the frequency, time, duration, and any direction or stability you can observe. Cross-reference against known devices — smart-home gear, neighbours’ Wi-Fi, nearby towers. Most unknown frequencies are benign. If one persists and you genuinely can’t place it, a professional TSCM (technical surveillance counter-measures) sweep is the next step. Documentation first, conclusions later.

Can I use an SDR to jam the signals I find?
No. Jamming is illegal almost everywhere without explicit authorisation, because it knocks out legitimate services — emergency, aviation, maritime — and carries criminal penalties. Your blocking tools are passive only: Faraday pouches, RF shielding, and simply turning radios off. An audit tells you where the risk signals are; it never licenses you to incident them.

How often should I run an audit?
For your home base, a 24-hour baseline once a year is plenty. For mobile use, leave IMSI-catcher detection running while you travel. Before a sensitive meeting or in a high-risk location, a quick 5–10 minute sweep is enough. You’re hunting for changes, not staring at noise all day.

You started this thinking the air around you was empty. It never was — you were just the only one in the room without instruments. That’s the real shift, and it happens the moment the waterfall first scrolls across your screen and you realise you can finally see the thing that could always see you. You don’t need a clean room or a clearance. You need a $30 dongle, one quiet night of logging, and the decision to stop being the only blind node in your own space. Plug it in. Watch what normal looks like. From here on, the anomaly is the one that has to hide — not you.

—

Related reading on TUH: InsideTracker Review, Aura Ring Review, Levels Health Review.