The Invisible RF Halo
A modern person, whether they realise it or not, walks through the world wrapped in a cloud of RF emissions. A typical commuter carries a smartphone radiating Wi-Fi probe requests across the 2.4, 5 and 6 GHz bands, BLE advertisements every 100 ms in 2.4 GHz, GSM/LTE/5G uplinks to the cellular network, and NFC subcarriers when paying.
Their car contributes its own halo: TPMS (tire-pressure sensors at 315 or 433 MHz, each transmitting a unique 32-bit serial whenever the wheels turn); a remote keyless-entry fob in the 315/433/868 MHz UHF range; an emerging BLE-based passive-entry system (“phone-as-key”) at 2.4 GHz; on-board infotainment with its own wireless side-channels; and increasingly an LTE telematics modem for ADAS, eCall and dealer diagnostics. The home and office add more: Zigbee smart bulbs and locks, Thread/Matter sensors, Wi-Fi access points, LoRaWAN end-devices at 915 MHz (Australia/US) or 868 MHz (EU), Z-Wave controllers, weather stations and pet trackers on 433 MHz, BLE-based AirTags and SmartTags, BLE hearing aids running the Made-For-iPhone or Google ASHA protocols, and BLE-enabled medical devices ranging from continuous-glucose monitors to insulin pumps to pacemaker programmers. Even some police tasers (the TASER X2 and TASER 7) and body-worn cameras advertise themselves over Bluetooth for evidence sync. Each of these emitters is continuously identifiable, frequently with a persistent unique address, and almost all of them transmit far more often than their owners realise.
What SDR Now Makes Visible
Software-defined radio has turned the monitoring of this whole RF cocktail from a specialist discipline into an open-source weekend project. A single $30 RTL-SDR running the rtl_433 project decodes hundreds of consumer and industrial 315/433/868/915 MHz protocols out of the box; HackRF and bladeRF with GNU Radio cover the ISM bands continuously and at much higher dynamic range; Ubertooth One (Michael Ossmann’s open-source BLE sniffer) and modern Bluetooth interfaces with vendor SDKs expose BLE advertising channels and link-layer payloads; Kismet maps the entire 2.4/5/6 GHz Wi-Fi and BLE landscape with passive monitoring; Killerbee does Zigbee; and the WiGLE.net crowd-sourced database has accumulated billions of geolocated SSIDs and BSSIDs over more than two decades. Combined into a single SDR-fed pipeline, an investigator with a laptop, a cheap antenna farm and an afternoon to spare can build, in real time, a dynamic map of every emitting device passing through a chosen volume of space — including, critically, the aggregate radio signature of any group of people moving together.
That last point is where the technology becomes contentious. Police units, military patrols, protective-detail teams, journalists, intelligence officers, undercover personnel and ordinary citizens all carry distinctive radio loadouts: department-issued portables, BLE-enabled tasers and bodycams, agency Wi-Fi clients with predictable preferred-network lists, government-procured handsets, encrypted tactical radios with their own RF signatures, AirTags clipped to kit, and standard-issue equipment with characteristic emission profiles. The aggregate of those emissions, captured by a passive monitoring station beside a road, near a known facility, or along a route of interest, can identify a moving group with high confidence — distinguishing a state-police patrol from a federal-agent convoy from a journalist team from a civilian family, by the shape, persistence and motion of their collective RF signature alone, even when every individual device implements MAC randomisation and protocol-level encryption. The privacy implications are substantial: location tracking, pattern-of-life analysis, individual re-identification across cities, and exposure of vulnerable populations such as protected witnesses, journalists, family-violence refugees and undercover officers. The operational-security implications for Defence and law enforcement are equally substantial — a patrol route, a stake-out site, an undercover vehicle, a safe-house occupancy or a VIP convoy can all be inferred from publicly receivable RF emissions without ever touching encrypted content. And there is no neat technical fix: MAC randomisation degrades over time and across protocols; periodic identifiers leak through behavioural fingerprints; vendor “continuity” features (Apple Continuity, Google Fast Pair) leak persistent metadata even when MACs rotate; and the sheer number of emitters per person makes any single mitigation futile. The questions that follow — how should consumer device manufacturers design for radio-side anonymity, what is the legal status of passive RF observation in Australia, where does legitimate spectrum research end and intrusive surveillance begin, and what emission-control measures should sensitive operations adopt — are unresolved and increasingly urgent, and they belong squarely on the conference agenda.
Identifying the Person, Not the Device
The most contentious application of this monitoring capability — and the one that should most concern Defence, law enforcement, and government security planners — is the persistent identification of personnel through their equipment. The insight that matters here is operational and uncomfortable: in an environment saturated with continuously-emitting RF devices, identifying the item is rarely the point; identifying the person standing next to the item is. A typical patrol officer is issued a Bluetooth-enabled TASER X2, TASER 7 or TASER 10 that advertises itself to the duty bodycam and evidence-collection system; an Axon Body 3 or Body 4 body-worn camera with its own BLE; an agency-issued smartphone with a managed-device profile, an MDM-installed VPN client, and a predictable preferred-network list; an encrypted P25 or TETRA portable radio with a measurable RF signature; a personal smartwatch advertising health-data services on BLE; possibly a personal phone, an AirTag in the duty bag, BLE hearing protection or hearing aids, and a take-home vehicle with its own TPMS, key-fob and infotainment emissions. Each of those devices is, in isolation, anonymous in the sense that nothing about it announces “this is Officer Smith.” But the set of devices observed together, repeatedly, in the same time-and-space pattern, is not anonymous at all — it is a stable persistent signature that uniquely identifies the individual carrying them, even when MAC randomisation, Bluetooth address rotation, and protocol-level encryption are working exactly as designed. The reason is statistical: any single emitter may rotate its identifier, but the combination of seven to ten emitters appearing together at the same location at the same time, with the same arrival and departure patterns, reduces to a near-unique fingerprint within a few days of observation. Cross-reference that fingerprint with a roster, a shift pattern, a vehicle assignment, or simply with the house the cluster goes home to each night, and you have personnel-level identification without ever decrypting a single packet. The operational consequences are serious and varied. Plain-clothes officers can be distinguished from civilians by the density and composition of their RF loadout, even when nothing visible on them looks distinctive. Covert surveillance vehicles parked near a target radiate the same identifiable cluster as a marked patrol car, giving the target the location of the watcher. VIP and dignitary protection details are by their nature an unusually large, regular and coordinated cluster of agency-issued kit; the loadout effectively announces the protectee’s position continuously. Undercover officers carry their burdens in their pockets — the issued phone alone is enough to compromise them against a sophisticated adversary. Safe houses and off-duty residences acquire a recognisable nightly RF signature within weeks of occupancy. Patrol-route timing can be inferred from the regularity with which the cluster passes a fixed monitoring point. Tactical assembly areas ahead of a planned operation become detectable as an unusual aggregation of issued kit at a non-routine location. None of these inferences requires the adversary to break encryption, intercept communications, or even know what specific device produced any given emission; they require only the ability to observe and correlate, capabilities now available to anyone with a few hundred dollars of SDR hardware and an afternoon’s reading.
Mitigations and Their Limits
Mitigations exist but each carries operational cost. Faraday bags silence the kit but break communications and evidence sync. Disabling Bluetooth on tasers and bodycams degrades chain-of-custody workflows. Burner phones and rotated equipment add cost, logistics, and training overhead. Emission-control (EMCON) discipline is well understood in military contexts but cuts hard against the everyday operating model of civilian policing. MAC randomisation addresses one device at a time, never the cluster. The honest position is that off-the-shelf consumer and law-enforcement equipment is currently incompatible with sustained operational anonymity in a saturated RF environment, and the gap is widening as IoT, smart-home, smart-vehicle and wearable adoption pushes the per-person emitter count higher every year.
The conference is actively seeking presentations on the full range of mitigations and their practical evaluation: Faraday shielding standards and their RF attenuation characteristics across consumer IoT frequency bands; EMCON protocols adapted for civilian law-enforcement operating models; device-design recommendations from manufacturers for radio-side anonymity by design; tools for auditing an organisation’s own RF emissions profile before an operation or deployment; Australian and international legal frameworks governing passive RF observation in public and semi-public spaces; and comparative evaluation of MAC randomisation and BLE address rotation implementations across device categories. If your organisation has been wrestling with any part of this problem, this conference is the right room for that conversation.
For Defence, this is a familiar EMCON problem in an unfamiliar setting. For civilian law enforcement it is an emerging structural vulnerability the sector has not yet adapted to. For government workers handling sensitive material it is a pattern-of-life exposure that no current policy framework adequately addresses. These are precisely the questions the SDR Conference 2026 is positioned to put on the table — and they need to be discussed in front of the people who design the equipment, the people who issue it, and the people who carry it, in the same room.
Related Topics