Everyone from first responders to hotel cleaning staff uses radios operating in the sub-megahertz range to communicate, often without even encoding the transmission. While encoding and encryption are increasingly used in radio communication, an RTL-SDR adapter and a smartphone are all it takes to start listening in on the radio conversations happening around you.
A software-defined radio (SDR) takes the parts of radio tuning that was normally done by crystals or local oscillators and accomplishes them with software instead. The basic requirements for using an SDR are a computer, a sound card or signal processor, and a radio-frequency (RF) receiver to receive the signal. As a result, many of the processes done by dedicated hardware are now done by a computer, making the entire radio system very low-cost, flexible, and easy to get into.
A cheap tuner originally meant for digital TV, such as Realtek's register-transfer level (RTL) DVB-T COFDM modulator, allows anyone to receive radio frequencies over a huge range. For a hacker, that translates into the ability to tap into the unencoded radio messages sent by most common commercial two-way radios. When it comes to staff chatter, a hacker can use an RTL-SDR dongle to silently listen in on radio conversations before determining the best course of action.
Typically, an RTL-SDR setup requires a computer to be able to interpret the input from the receiver. Once this is done, you can easily find analog voice transmissions to listen in on. For some reason, much police dispatch traffic is both unencrypted and unencoded.
While encoded transmissions have the tell-tale digital signature in the "waterfall," looking like a solid strip of digital data rather than the wavy line an analog voice transmission makes, they are often relatively easy to decode. On a Linux computer, you can pipe the audio (which sounds like random noise) through a decoder to render it back into normal-sounding audio.
For a hacker, that all means that a simple $20 piece of hardware can give you access to the entire 500 kHz to 1.7 GHz range of radio frequency communication.
In order to use a $20 RTL-SDR dongle, the usual route is to install GQRX on a Linux computer to be able to interpret the input from the receiver. While handy, not everyone has or wants to bring a desktop or laptop computer anywhere they might want to listen in on radio broadcasts. Most laptops are far larger than the receiver itself, so the inconvenience of carrying around a laptop to use your RTL-SDR dongle can be discouraging.
Fortunately, drivers are available that allow Android phones to use and understand the RTL-SDR receiver, so it's no longer necessary to carry around a Linux computer to use your RTL-SDR on the go. Instead, you can use an OTG adapter to plug your RTL-SDR into an Android app and listen in directly on your smartphone.
For the hardware, you need to have an RTL-SDR dongle. We recommend the RTL-SDR Blog RTL2832U R820T2 1PPM TCXO SMA V3 for $21.95. You'll also need an OTG adapter that converts the USB Type-A output for the RTL-SDR dongle to whatever type of USB input your phone uses. My Samsung Galaxy S8 uses USB Type-C, but yours might use Micro-USB.
- RTL-SDR Blog RTL2832U R820T - MSRP $21.95 (Amazon | RTL-SDR Blog)
- Anker Powerline Adapter for USB-C - MSRP $7.99 (Amazon | Anker)
- UGREEN Adapter for Micro-USB - MSRP $5.95 (Amazon | UGREEN)
Not all Android phones will be able to power the RTL-SDR by themselves, and even if yours can, using it for a long time will drain your battery. In these cases, it's wise to look for an OTG adapter with an additional USB-C or Micro-USB female port so the phone can charge at the same time. If you're on the go, a portable power bank may also be a good idea.
You'll also need an antenna. Any antenna will do, as long as it has a coaxial connection (an SMA male RF connector, not RP-SMA) to attach to the female SMA port on the RTL-SDR dongle. If you're not sure what antenna to get, it's actually a better idea to just get the RTL-SDR dongle that comes with an antenna.
- RTL-SDR Blog RTL2832U R820T2 with Antenna - MSRP $27.95 (Amazon)
Connect the RTL-SDR dongle (which should already be connected to the antenna) to the USB Type-A female port on the OTG adapter, then connect either the USB Type-C or Micro-USB male end to your smartphone's charging port. You may need to take off any case in order to get a snug fit. When connected, your phone may ask what to do about the connected USB device, so choose the appropriate option.
One thing to note is that the dongle can get downright hot while working. Be aware of this, as its aluminum heat-sink body can get warm quickly.
In order for any app to communicate with the RTL-SDR, you'll need to install the appropriate drivers, which will allow a number of apps to take advantage of data coming in from the RTL-SDR dongle.
To get the drivers, install "RTL2832U driver" by Martin Marinov from the Google Play Store. The app doesn't require many permissions, so installation should be fast and easy. Afterward, open the app, and the drivers should be installed on your phone automatically. If not, follow the prompts to install the drivers. When it's complete, you should see a message starting with "The driver has been installed successfully!"
- Play Store Link: RTL2832U driver (free)
With this complete, you can move on to the step for selecting an application to use.
Next, you'll put the drivers to work by downloading an application that takes advantage of them. While there are many Android applications for connecting to the RTL-SDR, many require payment after a few minutes of operation. My application of choice is SDRoid by hOne, which is totally free but also asks for more permissions than it may need. I make a habit of denying these requests, as I see no reason for it to be able to access my internal storage.
- Play Store Link: SDRoid (free)
Once it's installed, open SDRoid, but deny all the permission requests for location data and for photos, media, and files that pop up. Again, they are not necessary for the SDR software to function.
Once that's done, tap "Start Radio" to get started. Up at the top of the screen, tap the play (arrow) button, then you'll be asked to allow the RTL-SDR driver to access the USB device connected, so tap "OK" (you can also select "Use by default for this USB device" so you don't have to do this again next time).
Once you agree, the receiver should start, and you'll be able to see the tuning and waterfall data.
If everything went well, you have the entire spectrum the RTL-SDR can tune into at your disposal. For practice, tune to a channel between 88 MHz and 102 MHz, the standard range for FM radio.
Set your device to mono or stereo, depending on which sounds better, and tap on a strong signal you can see in that range. You should hear audio play since you're tuning into public broadcasts. Explore up and down the frequency to start finding other unencoded broadcasts.
Looking at the pattern of the transmission, you can tell something is analog rather than digital because you can see the rise and fall as the audio gets louder and quieter. Of the screenshots below, the one on the left is analog. In a digital transmission, the entire channel width will be full the entire time, as seen in the right screenshot. Learning to spot the difference between these transmissions is part of the fun of software-defined radio!
The left screenshot above is the kind of analog transmission we're looking for, in my case, a classical song on the radio. By looking for conversations with the characteristics of human speech, you can start to identify conversations you can listen in on.
Some signs of human speech to look for in signal patterns are human-like behaviors, such as transmissions that turn on and off at irregular intervals. Humans do not talk continuously or in regular patterns, so this makes it easier to ignore automated transmissions. It's also important to look for the tell-tale rise and fall of analog transmissions, because tuning into a digital waterfall transmission will just produce a horrible noise.
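As an added example (not code from the original article), the heuristics above, a rising and falling analog envelope versus a constantly full channel and irregular keying versus periodic beacons, written as a small Python classifier over waterfall rows. This is the kind of check a security team might run when auditing its own staff channels for unencrypted voice traffic; the row format, the thresholds and the sample rows are all constructed assumptions.

```python
"""Classify a channel's waterfall history using the guide's rules:
analog voice rises and falls with the audio and keys on/off at irregular
intervals, digital fills the whole channel width at a flat level, and
automated transmissions repeat at regular intervals. Added example;
the waterfall rows below are constructed, not captured."""
import math
from statistics import mean, pstdev


def classify_channel(frames, occ_thresh=0.8, power_thresh=0.3):
    """frames: list of (occupied_fraction, power) per waterfall row.
    occupied_fraction = share of the channel width above the noise floor
    (0..1); power = normalised signal level (0..1). Thresholds are assumed."""
    active = [p > power_thresh for _, p in frames]
    if not any(active):
        return "idle"
    occ_on = [o for (o, p), a in zip(frames, active) if a]
    pow_on = [p for (o, p), a in zip(frames, active) if a]
    # Digital: channel width full whenever keyed, level flat (no audio envelope)
    if mean(occ_on) > occ_thresh and pstdev(pow_on) < 0.05:
        return "digital"
    # Split the active rows into keyed bursts (start, end) to inspect timing
    bursts, start = [], None
    for i, a in enumerate(active):
        if a and start is None:
            start = i
        if not a and start is not None:
            bursts.append((start, i))
            start = None
    if start is not None:
        bursts.append((start, len(active)))
    if len(bursts) >= 3:
        gaps = [bursts[k + 1][0] - bursts[k][1] for k in range(len(bursts) - 1)]
        lengths = [e - s for s, e in bursts]
        # Coefficient of variation near zero means clockwork keying: a beacon
        if pstdev(gaps) / mean(gaps) < 0.1 and pstdev(lengths) / mean(lengths) < 0.1:
            return "automated"
    return "analog voice"  # irregular bursts with a varying envelope


def burst_frames(pattern, occ, power_fn):
    """Build constructed rows: pattern = [(keyed_rows, silent_rows), ...]."""
    frames = []
    for on, off in pattern:
        frames.extend((occ, power_fn(i)) for i in range(on))
        frames.extend([(0.0, 0.02)] * off)  # noise floor while unkeyed
    return frames


# Constructed sample channels (seconds are waterfall rows here)
VOICE = burst_frames([(7, 4), (3, 9), (12, 2), (5, 6)], 0.4,
                     lambda i: 0.6 + 0.25 * math.sin(i))   # speech envelope
DIGITAL = burst_frames([(40, 0)], 0.98, lambda i: 0.85)    # full, flat strip
BEACON = burst_frames([(2, 8)] * 5, 0.5, lambda i: 0.8)    # periodic telemetry
```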
If you've found a transmission you're interested in, you might find that the default "Wide FM" filter is too wide to receive it clearly. Let's say you are a red team, and you've zeroed in on a hotel cleaning staff's two-way radios, allowing you to know which rooms are open and when. To lock on to a two-way radio and avoid interference, you'll need to switch your radio into "narrow-band FM" mode.
Narrow FM will let you select and listen in on two-way radio conversations you discover. Often these are security companies, bar staff, and cleaning crews. To switch to narrow FM, tap on the button that says "Wide FM," and a demodulation selection menu will open — select "narrow-band FM" from the list.
Now, you can zoom in on any two-way radio conversation you see and tune into it with a narrow FM filter. I recommend looking up your town's first responder channels and seeing which are encrypted. In Los Angeles, the vast majority of radio transmissions are not encrypted or encoded.
Everything from garage door openers to logistics operations uses radio signals that can be detected with an RTL-SDR connected to a smartphone. No matter what your target is, it's useful to be able to detect transmissions in the area and tune into analog broadcasts nearby. Knowing where the security and cleaning staff are moving and what they are thinking can give an edge to any hacker, and it only costs around $20 to get started using RTL-SDR.
I hope you enjoyed this guide to using software-defined radio on an Android smartphone! If you have any questions about this tutorial on SDR or you have a comment, feel free to reach me on Twitter @KodyKinzie.