the physical layer

cutting edge industry newsletter for security integrators

Release 3 2025 Q3
by Timur Gabaidulin [email protected]

Understanding the radio spectrum is crucial for assessing system security. This edition begins a critical examination of this domain, and the risks that come with it. While the original intent was to cover multiple attack vectors, the complexity and practical implications of each necessitated a more concentrated approach. Therefore, to deliver valuable technical depth without undue length, this installment centers on the specifics of interception and replay attacks. Future releases are slated to continue the discussion on radio frequencies and explore additional security threats.

HackRF One

01 The Spectrum of Risk: Radio Frequency Vulnerabilities in Physical Security

Physical security systems have evolved beyond simple hardwired connections to embrace wireless technologies that promise flexibility, reduced installation costs, and easier maintenance. However, this evolution has introduced a new attack surface that many security professionals are only beginning to understand: the radio frequency spectrum itself.

Unlike traditional physical attacks that require direct access to hardware or network breaches that target IP infrastructure, RF attacks exploit the very medium through which wireless security devices communicate. These attacks can be executed from considerable distances, often without triggering traditional security alerts, making them particularly insidious.

The implications extend far beyond simple device compromise. RF vulnerabilities can enable attackers to map entire security infrastructures, understand operational patterns, and execute precisely timed attacks that bypass detection systems entirely. For security integrators, understanding these risks is essential for designing resilient security architectures.

02 What is a Replay Attack?

A replay attack targets wireless transmissions with elegant simplicity. An attacker records a legitimate RF packet, for example, a "door unlock" signal, and later transmits it verbatim at the right moment. That replayed packet can trick a device into performing the same action, without ever stealing credentials or tampering with hardware. It's like overhearing someone swipe their card, then later mimicking that exact swipe to gain entry.

Replay attacks are not always isolated incidents; they can be executed independently or in conjunction with other tactics, such as jamming. Consider this illustrative scenario: an attacker records two signals from a wireless door contact, for instance, a periodic "supervisory" (or heartbeat) signal and a "door closed" status. Employing a jammer to block the sensor's legitimate transmission, the attacker can then replay the recorded heartbeat and closed signals. This action maintains a false "normal" status for the system, allowing the adversary to physically bypass the entry point while the sensor's actual status is obscured.

While simplified, this example reflects a practical attack method frequently utilized, most notably by vehicle thieves targeting keyless entry systems. The same principles apply to building security systems, where the stakes can be considerably higher.

03 Vulnerable Systems: The Scale of the Problem

The scope of vulnerability is staggering. According to a 2024 IEEE PerCom study titled "Is Your Kettle Smarter Than a Hacker? A Scalable Tool for Assessing Replay Attack Vulnerabilities on Consumer IoT Devices," almost 75% of security devices that support local connectivity are vulnerable to replay attacks.

A significant number of wireless systems remain highly vulnerable to replay attacks due to their reliance on static or easily predictable transmission codes. This vulnerability is particularly evident in several common categories:

Legacy Access Control (125 kHz)

These systems broadcast the same badge ID repeatedly, making a simple recording sufficient for indefinite unauthorized access. The lack of encryption or time-based validation means a single captured signal can be replayed indefinitely.

Budget Alarm Systems (433/315 MHz)

Including older versions of products like SimpliSafe or X10, these systems use fixed codes lacking encryption or verification, rendering them susceptible to replay. The popularity of these frequencies makes them attractive targets for attackers.

Older Garage Door Openers

Models from manufacturers such as Chamberlain, Genie, and Linear, utilizing either static or weak rolling codes, can often be compromised by simply capturing the signal with accessible radio hardware and replaying it.

04 How Attacks Play Out: The Three-Phase Approach

1 Reconnaissance & Interception

An attacker using low-cost tools such as an RTL-SDR dongle ($35), a HackRF One ($300), or a Flipper Zero (~$200) can silently monitor RF transmissions around a facility, even from a parked vehicle. They never transmit, so they're invisible. They're just listening.

This phase can continue for hours, days, or even weeks, building a comprehensive picture of the target's RF environment without triggering any security alerts.

2 Protocol Analysis and Decoding

Tools like Inspectrum or Audacity are used by the attacking party to visualize, analyze, and organize bit patterns and waveform structures. Attackers identify repeating data patterns or signals, such as door "open/closed" states, badge IDs, and heartbeat pings, forming a "dictionary" of signals.

This analysis phase transforms raw RF data into actionable intelligence, allowing attackers to understand the communication protocols and timing patterns of the target system.

3 Replaying the Signal

The execution varies depending on the sophistication of the target system. For devices employing fixed codes, the technique is straightforward: a recorded signal is simply replayed at a later time. Against more advanced setups, the approach may involve jamming the legitimate signal transmission to prevent detection, followed by sending a captured signal burst precisely aligned with the system's expected timing.

Even systems designed with rolling codes can exhibit vulnerabilities if their underlying algorithm can be brute-forced or predicted, rendering them susceptible to advanced replay techniques.
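To make the fixed-code versus rolling-code distinction drawn in sections 02 through 04 concrete, here is an added simulation (not code from the newsletter or from any vendor) in which a verbatim recording of a "door closed" or heartbeat frame is fed back to two kinds of panel: a legacy one that keys only on a static ID, and one that requires a per-frame counter plus an HMAC tag. The frame layouts, the counter window and the demo key are assumptions made for illustration.

```python
import hashlib, hmac, struct
DOOR_CLOSED, HEARTBEAT = 1, 2
KEY = b"demo-shared-key-not-for-production"   # constructed demo secret, not a real key

def fixed_code_frame(dev_id, event):
    """Legacy sensor: the same static ID in every burst and nothing else."""
    return struct.pack(">IB", dev_id, event)

def fixed_code_accept(enrolled, frame):
    """Legacy panel: any enrolled ID passes, so a recording is as good as the sensor."""
    return struct.unpack(">IB", frame)[0] in enrolled

class RollingCodeSensor:
    """Sensor that adds a monotonic counter and an HMAC tag to each frame."""
    def __init__(self, dev_id, key):
        self.dev_id, self.key, self.counter = dev_id, key, 0
    def frame(self, event):
        self.counter += 1
        body = struct.pack(">IIB", self.dev_id, self.counter, event)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()[:8]

class RollingCodeReceiver:
    """Panel that verifies the tag, then requires the counter to advance within a window."""
    def __init__(self, key, window=16):
        self.key, self.window, self.last = key, window, {}
    def accept(self, frame):
        body, tag = frame[:9], frame[9:]
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()[:8]):
            return False            # forged or corrupted frame
        dev_id, counter, _event = struct.unpack(">IIB", body)
        last = self.last.get(dev_id, 0)
        if counter <= last or counter > last + self.window:
            return False            # stale (replayed) or implausibly far-ahead counter
        self.last[dev_id] = counter
        return True

def replay_against_fixed_code():
    # Returns (live accepted, verbatim replay accepted): both True for the legacy scheme.
    captured = fixed_code_frame(0x1234, DOOR_CLOSED)   # what a passive listener records
    return fixed_code_accept({0x1234}, captured), fixed_code_accept({0x1234}, captured)

def replay_against_rolling_code():
    # Returns (live, replayed heartbeat, forged tag, next fresh heartbeat).
    sensor, panel = RollingCodeSensor(0x1234, KEY), RollingCodeReceiver(KEY)
    captured = sensor.frame(HEARTBEAT)
    live, replayed = panel.accept(captured), panel.accept(captured)   # replay = same bytes later
    forged = panel.accept(captured[:9] + bytes(8))                    # tag overwritten with zeros
    fresh = panel.accept(sensor.frame(HEARTBEAT))
    return live, replayed, forged, fresh
```

The counter window is what lets a panel survive missed frames during a jam while still refusing the old heartbeat an attacker re-sends afterwards.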

05 RF Intelligence: Passive Reconnaissance Through Radio Signals

Radio frequency chatter from wireless devices offers a wealth of unintended intelligence for potential attackers. Beyond the message content itself, the timing, frequency, and reach of these transmissions provide valuable metadata. A motion detector's routine 60-second pulse won't trigger an alert or appear in standard system logs, yet an adversary passively monitoring the RF spectrum will readily detect and make note of this operational signature.

This capability provides a form of passive reconnaissance, similar to using radar to map a building. By tracking how signals propagate and interact with the environment, a skilled attacker can infer device locations and gain other important insights. This includes identifying the placement of the most accessed doors or recognizing sensors struggling with signal strength due to repeated message attempts.

Beyond simply identifying devices, analyzing the timing patterns of their RF communications reveals crucial insights into daily routines and operational rhythms. Observing clusters of signals at specific times, such as a surge of badge swipes around 8:55 a.m. and 5:10 p.m. suggesting shift changes, or recurring sensor activations every Thursday afternoon possibly indicating a cleaning crew, allows adversaries to map predictable behaviors.

Temporal Patterns: signal clusters reveal shift changes, cleaning schedules, and patrol routines
Device Mapping: RF triangulation pinpoints exact sensor locations within 3-5 meters
Vulnerability Detection: weak signals indicate struggling devices and potential entry points

06 Precision Mapping: The Mathematics of RF Triangulation

Armed with software-defined radio (SDR) equipment costing less than a smartphone, an attacker can position multiple receivers around a property's perimeter. As each device transmits, the receivers measure signal strength and timing with mathematical precision. Using basic triangulation principles, the same technology that powers GPS, they can calculate exact device locations.

The process is surprisingly accurate. Signal strength measurements can pinpoint devices within 3 to 5 meters (9-16 feet), while time of arrival techniques can narrow this to under two meters (6 feet) in optimal conditions. An attacker parked outside can determine not just which rooms contain sensors, but often their exact mounting positions on walls and ceilings.
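As an added example for integrators who want to assess their own sites (not code from the newsletter), the signal-strength estimate described above can be reproduced with the log-distance path-loss model and a least-squares fit over several perimeter listening points. The receiver layout, sensor position, path-loss exponent and dB perturbations are constructed values; with a couple of dB of fading the error lands in the 3 to 5 metre band the text cites.

```python
import math

def rssi_from_distance(d_m, rssi_1m=-40.0, n=2.5):
    """Log-distance path-loss model (assumed parameters): RSSI in dBm at d metres."""
    return rssi_1m - 10 * n * math.log10(d_m)

def distance_from_rssi(rssi, rssi_1m=-40.0, n=2.5):
    """Invert the path-loss model to get an estimated range in metres."""
    return 10 ** ((rssi_1m - rssi) / (10 * n))

def multilaterate(receivers, ranges):
    """Least-squares 2-D position from three or more receivers and range estimates.
    Subtracting the last receiver's circle equation from the others linearises the
    problem to A p = b; the 2x2 normal equations are solved by Cramer's rule."""
    (xk, yk), dk = receivers[-1], ranges[-1]
    rows = []
    for (xi, yi), di in zip(receivers[:-1], ranges[:-1]):
        rows.append((2 * (xk - xi), 2 * (yk - yi),
                     di**2 - dk**2 - xi**2 - yi**2 + xk**2 + yk**2))
    s11 = sum(a * a for a, _, _ in rows)
    s12 = sum(a * b for a, b, _ in rows)
    s22 = sum(b * b for _, b, _ in rows)
    t1 = sum(a * c for a, _, c in rows)
    t2 = sum(b * c for _, b, c in rows)
    det = s11 * s22 - s12 * s12
    return ((s22 * t1 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det)

# Constructed site: four listening points on the perimeter (metres) and one sensor.
RECEIVERS = [(0.0, 0.0), (30.0, 0.0), (0.0, 20.0), (30.0, 20.0)]
SENSOR = (12.0, 8.0)

def localisation_error(noise_db):
    """Estimate the sensor position from RSSI readings perturbed by the given dB
    offsets (one per receiver) and return the error in metres against the truth."""
    ranges = []
    for (rx_x, rx_y), noise in zip(RECEIVERS, noise_db):
        true_d = math.hypot(SENSOR[0] - rx_x, SENSOR[1] - rx_y)
        ranges.append(distance_from_rssi(rssi_from_distance(true_d) + noise))
    est_x, est_y = multilaterate(RECEIVERS, ranges)
    return math.hypot(est_x - SENSOR[0], est_y - SENSOR[1])

if __name__ == "__main__":
    print("ideal RSSI error:      %.2f m" % localisation_error([0, 0, 0, 0]))
    print("with ~2 dB fading:     %.2f m" % localisation_error([1.5, -1.0, 0.5, -2.0]))
```

Running the same fit with your own sensors' measured RSSI at the fence line tells you which devices are most exposed and where lower transmit power or longer supervisory intervals would help.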

Over several hours of passive monitoring, a detailed picture emerges. A front door contact sensor appears strongest from the street facing receiver. A kitchen motion detector's signal pattern can reveal its corner mounting position. Upstairs bedroom sensors betray the property's floor plan through their relative signal strengths and timing relationships.

This reconnaissance phase is completely undetectable. No alarms trigger, no logs register suspicious activity, and occupants remain unaware that their security system's layout has been mapped down to individual device placement. The attacker now possesses a radio frequency blueprint of the property's defenses.

07 Surgical Strikes: Selective Replay Attacks

With device locations mapped, the adversary can craft surgical replay attacks. Rather than blindly jamming all frequencies and triggering immediate alerts, they know exactly which sensors guard specific entry points. They can selectively replay captured "all clear" signals to specific devices while leaving others operational, creating invisible corridors through the security perimeter.

This capability allows for highly selective attacks. An adversary doesn't need to trigger a full system alert; they can simply disable a single back door contact sensor while the front door alarm continues reporting, or suppress a first floor motion detector while upstairs zones remain active. This leaves monitoring services and users with a false sense of security, as the system reports status quo right up until the moment of intrusion.

The sophistication of these attacks represents a fundamental shift in how we must think about wireless security. Traditional security models assume that an attacker must physically breach a perimeter to disable sensors. RF attacks eliminate this assumption, allowing remote manipulation of security systems without any physical presence at the protected location.

Learning Resources
Software Defined Radio: "Software Defined Radio with HackRF" by Michael Ossmann, Lesson 1 (YouTube)
Flipper Zero: Derek Jamison's Flipper Zero playlists; "The Ultimate Guide / CheatSheet to Flipper Zero" (article)
Replay Attacks: "Replay Attacks with RTL-SDR" (guide)
RF Signal Analysis: "RF Signal Analysis via SDR" (YouTube)

08 In the news...

Canada orders China's Hikvision to close Canadian operations over security concerns
Canada's government has ordered the Canadian operations of Chinese surveillance technology company Hikvision to cease.
Industry Minister Melanie Joly cited national security concerns as the official reason for the directive, following a security and intelligence review. This action follows prior U.S. restrictions against Hikvision and includes a new ban on Canadian government purchases of the company's products. Hikvision Canada disputed the order, stating it lacks factual basis and reflects bias influenced by geopolitical tensions. The move underscores rising government scrutiny on security technology supply chains based on national origin for businesses operating in the sector.
A military university in China's Hunan province has unveiled a mosquito-sized drone designed to carry out surveillance while evading detection
This micro robot, which measures just two centimeters (0.78 inches) in length, is intended for special missions such as information reconnaissance in challenging environments.
While experts suggest its direct battlefield impact may be limited by factors like range and battery life, its tiny size could prove useful for accessing hard-to-reach areas, including indoors. The development highlights continued advancements in miniaturization within drone technology globally. Such micro-drones also raise potential dual-use implications for surveillance and integration into strategies like asymmetric warfare, or operations involving corporate espionage.
Johnson Controls Data Breach: 76 Million Home and Small Business Security Systems’ Data Exposed on Dark Web
A recent massive data breach at Johnson Controls International (JCI) has potentially exposed the sensitive data of over 76 million households and 7 million small businesses globally.
The compromised data, stolen in a September 2023 ransomware attack, reportedly includes not only personal and financial information but also building floor plans and physical security details. Alarmingly, JCI only began notifying affected individuals in July 2025, nearly two years after discovering the incident. This massive delay and the nature of the exposed data raise serious concerns about identity theft and physical security risks for victims. Consequently, a law firm is now actively investigating a potential class action lawsuit against JCI regarding the breach and notification delay.

09 About the project and the curator

I'm Timur (or Tim), and I have over a decade of experience in the security integration field. I've worked with industry leaders such as Siemens and Johnson Controls, serving clients across the Canadian market. Originally from Toronto and now based in Ottawa, Ontario, my background covers the full range of our industry: access control, intrusion detection, surveillance systems, and the infrastructure that connects them all.

The Physical Layer was born from a simple observation: unlike the AI or software world, our industry lacks insightful, fast-moving newsletters that keep integrators informed and ahead of the curve. While other sectors have embraced dynamic, insight-driven newsletters, physical/electronic security has largely stuck to dry product announcements and vendor press releases.

This newsletter changes that. Each quarter, I will try to deliver the strategic insights, emerging trends, and practical knowledge that help security integrators stay ahead of the curve. From AI implementation guides to market analysis, I will focus on what matters most, which is helping you grow your business and expand your capabilities.