IN DEVELOPMENTSDR · RF FORENSICS

RF Surveillance Detector

Passive broadband RF monitoring for detecting IMSI catchers, rogue access points, and unknown transmitters — using commodity SDR hardware and probabilistic spectral baseline analysis.

Detection Capabilities

Four threat detection modules, each using a different RF characterisation approach.

ACTIVE

IMSI Catcher Detection

Tracks GSM/LTE base station identity (LAC, CID, MCC, MNC) across time. Scores anomalies: unexpected identifiers, stronger-than-expected signal, rapid appearance after silence, absence from carrier maps.

ACTIVE

Rogue AP Detection

Passive 802.11 monitoring builds a profile of expected APs (BSSID, SSID, channel, signal). Flags access points impersonating known networks on unexpected hardware or unexpected locations.

ACTIVE

Spectral Baseline Analysis

Two-week learning window computes per-frequency-band baseline power distributions. Deviations above configurable sigma thresholds trigger alerts — catching unknown RF transmitters across 10 MHz–6 GHz.

IN-PROGRESS

Geolocation Correlation

Mobile deployment mode: GPS timestamps correlate detections with physical location. Builds heatmaps of anomalous RF activity across a patrol route or building survey.

Threat Coverage Matrix

Detectable threats, primary indicators, confidence level, and effective detection range.

Threat	Primary Indicator	Confidence	Detection Range
IMSI Catcher (Stingray)	Unexpected LAC/CID, elevated signal, no carrier map entry	High	0–500m
Evil Twin AP	Known SSID on unknown BSSID, channel mismatch	High	0–100m
GSM Bug	Narrowband GSM transmitter not matching registered base stations	Medium	0–200m
Active RF Transmitter	Spectral deviation above baseline in unknown frequency band	Low–Medium	0–50m

Processing Pipeline

From raw I/Q samples to analyst-reviewable threat alerts.

1
RTL-SDR hardware captures raw I/Q samples across configurable frequency ranges
2
GNU Radio flowgraph demodulates and extracts per-band power and protocol identity frames
3
Python pipeline classifies frames: GSM/LTE beacons, 802.11 beacons, unknown narrowband
4
Baseline comparator scores each observation against learned spectral profile
5
Multi-signal IMSI catcher heuristic combines LAC/CID, signal, timing, and map correlation
6
Alert engine routes findings to REST API and dashboard with confidence scoring
7
Analyst review interface: acknowledge, tag, export, add to watchlist

Technical Stack

RF Layer

RTL-SDR v3 (HF-capable)
GNU Radio 3.10
gr-gsm (GSM decoder)
Kismet (802.11 passive)
SoapySDR abstraction

Analysis Layer

Python 3.12 async pipeline
NumPy / SciPy (spectral)
SQLite (event persistence)
Pydantic v2 (models)
OpenCelltower API

Interface Layer

FastAPI REST backend
React + Tailwind UI
Recharts spectrum display
Leaflet.js geolocation map
WebSocket live alerts

Development Status

Core RF pipeline and IMSI catcher heuristics are functional in lab testing against simulated targets. Rogue AP detection is active. Geolocation correlation and the React dashboard are in active development.

✓ GNU Radio pipeline✓ GSM/LTE decoder✓ Spectral baseline✓ IMSI catcher heuristic✓ Rogue AP detector○ Geolocation correlation○ React dashboard○ Field validation

Loading

Initializing quantum state...

Detection Capabilities

Four threat detection modules, each using a different RF characterisation approach.

ACTIVE

IMSI Catcher Detection

ACTIVE

Rogue AP Detection

Passive 802.11 monitoring builds a profile of expected APs (BSSID, SSID, channel, signal). Flags access points impersonating known networks on unexpected hardware or unexpected locations.

ACTIVE

Spectral Baseline Analysis

IN-PROGRESS

Geolocation Correlation

Mobile deployment mode: GPS timestamps correlate detections with physical location. Builds heatmaps of anomalous RF activity across a patrol route or building survey.

Threat Coverage Matrix

Detectable threats, primary indicators, confidence level, and effective detection range.

Threat	Primary Indicator	Confidence	Detection Range
IMSI Catcher (Stingray)	Unexpected LAC/CID, elevated signal, no carrier map entry	High	0–500m
Evil Twin AP	Known SSID on unknown BSSID, channel mismatch	High	0–100m
GSM Bug	Narrowband GSM transmitter not matching registered base stations	Medium	0–200m
Active RF Transmitter	Spectral deviation above baseline in unknown frequency band	Low–Medium	0–50m

Processing Pipeline

From raw I/Q samples to analyst-reviewable threat alerts.

RTL-SDR hardware captures raw I/Q samples across configurable frequency ranges

GNU Radio flowgraph demodulates and extracts per-band power and protocol identity frames

Python pipeline classifies frames: GSM/LTE beacons, 802.11 beacons, unknown narrowband

Baseline comparator scores each observation against learned spectral profile

Multi-signal IMSI catcher heuristic combines LAC/CID, signal, timing, and map correlation

Alert engine routes findings to REST API and dashboard with confidence scoring

Analyst review interface: acknowledge, tag, export, add to watchlist

Technical Stack

RF Layer

RTL-SDR v3 (HF-capable)
GNU Radio 3.10
gr-gsm (GSM decoder)
Kismet (802.11 passive)
SoapySDR abstraction

Analysis Layer

Python 3.12 async pipeline
NumPy / SciPy (spectral)
SQLite (event persistence)
Pydantic v2 (models)
OpenCelltower API

Interface Layer

FastAPI REST backend
React + Tailwind UI
Recharts spectrum display
Leaflet.js geolocation map
WebSocket live alerts

Development Status

✓ GNU Radio pipeline✓ GSM/LTE decoder✓ Spectral baseline✓ IMSI catcher heuristic✓ Rogue AP detector○ Geolocation correlation○ React dashboard○ Field validation