Applied SDR Hacking: Red Team SIGINT for mission-critical, automotive, aviation, and marine targets - Jos Wetzels & Wouter Bokslag (Midnight Blue) - DCTLV2026
Name of Training: Applied SDR Hacking: Red Team SIGINT for mission-critical, automotive, aviation, and marine targets
Trainer(s): Jos Wetzels & Wouter Bokslag (Midnight Blue)
Dates: August 10-11, 2026
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $3,250
Short Summary:
This practically-oriented course, taught by the Midnight Blue team known for their TETRA research, aims to equip security practitioners with field-relevant RF security knowledge enabling them to assess and target important but rarely addressed RF technologies such as automotive, aviation, marine, physical access control RF protocols and mission-critical radio (e.g. TETRA, DMR, P25) used by police, military, private security, and critical infrastructure.
Hands-on exercises such as intercepting and decrypting handheld radio comms and breaking automotive security systems are alternated with thorough overviews of relevant RF protocols and their security posture as well as case studies of real-world RF attacks on railways, water utilities, drones, and police/military radios.
Course Description:
Have you ever had to deal with attacking an RF signal and YouTube tutorials on the Flipper Zero didn't get you anywhere? Have you ever wanted to listen in on a security team's radio communications during a physical red team engagement? Did you ever think covertly breaking into corporate vehicle fleets or garages should be in-scope, but didn't know how to approach this?
Then this is the course for you.
In an increasingly wireless world, we are surrounded by readily exploitable signals everywhere. Yet too often Red Team operations and pentests leave the RF spectrum unaddressed due to a lack of specialist knowledge and experience, especially when it comes to sensitive RF protocols not typically encountered in conventional enterprise and IoT contexts.
This practically-oriented course, taught by the Midnight Blue team known for their TETRA research, aims to equip security practitioners with field-relevant RF security knowledge and experience. While it thoroughly covers the fundamentals of RF, SDR, and SIGINT, it avoids math-heavy RF engineering with limited relevance to day-to-day operational reality.
Instead, this course will provide attendees with a structured, step-by-step approach to the Signals Intelligence (SIGINT) cycle of targeting, identifying, collecting, processing, and analyzing Signals of Interest (SOIs). This includes the often cumbersome task of getting various special-purpose SDR tools to work on current systems. Attendees will learn how to exploit such signals with commonly available tooling through awareness of common risks and pitfalls in RF security.
Where other SDR trainings tend to focus on enterprise and IoT RF protocols such as 4G/5G, WiFi, RFID, and BT, this training focuses on important but rarely addressed RF technologies such as automotive, aviation, marine, physical access control RF protocols and mission-critical radio (e.g. TETRA, DMR, P25) used by police, military, private security, and critical infrastructure. Hands-on exercises such as intercepting and decrypting handheld radio comms and breaking automotive security systems are alternated with thorough overviews of relevant RF protocols and their security posture as well as case studies of real-world RF attacks on railways, water utilities, drones, and police/military radios.
Course Outline:
Course outline is preliminary and subject to minor changes and improvements.
DAY 1 - BLOCK 1: Basics of SDR and SIGINT
- Introduction to Radio Frequency (RF), Software Defined Radio (SDR), Digital Signal Processors (DSPs)
- SDR theory of operation
- Overview of SDR hardware & software
- Modulation and signal types
- Antenna selection, tuning, and positioning
- Building and working with SDR software stacks: SDRangel, Gqrx, GNU Radio, Universal Radio Hacker (URH), DragonOS, Flipper Zero
- Signals Intelligence (SIGINT) cycle
DAY 1 - BLOCK 2: Fundamentals of RF Security
- Security requirements in RF protocols
- Common risks and pitfalls: Jamming, replay, relay, cryptanalysis, etc.
- Case studies: railways, water utilities, emergency broadcasts
- Physical access control RF systems: automatic doors, gates, barriers, bollards, alarms, etc.
- Automotive access control RF systems: Remote Keyless Entry (RKE), Passive Keyless Entry (PKE)
- Automotive case study: professional car theft rings
DAY 2 - BLOCK 1: Professional Mobile Radio (PMR) / Land Mobile Radio (LMR) Security
- Introduction to PMR / LMR
- Terrestrial Trunked Radio (TETRA): Overview, security, vulnerabilities, and available tooling
- TETRA SIGINT tooling discussion
- TETRA case study: Real-world TETRA interception incidents
- APCO-25 (P25): Overview, security, vulnerabilities, and available tooling
- dPMR/NXDN: Overview, security, vulnerabilities, and available tooling
- TETRAPOL: Overview, security, vulnerabilities, and available tooling
DAY 2 - BLOCK 2: PMR continued, Marine & Aviation
- Digital Mobile Radio (DMR): Overview, security, vulnerabilities, and available tooling
- DMR SIGINT tooling discussion
- DMR case study: DMR usage and targeting in Russia-Ukraine war, Middle-Eastern conflicts, and Mexican cartels
- Marine RF systems: AIS/VDES, GMDSS, etc.
- Marine case study: tracking & spoofing in conflict zones, piracy, and sanctions evasion
- Aviation RF systems: ADS-B, ACARS/VDL, etc.
- Drones / Unmanned Aircraft Systems (UAS): telecontrol, analog & digital video (VTX) downlink, scrambling and encryption
- Aviation case study: Counter-UAS/drone examples from the Russia-Ukraine war and Middle-Eastern conflicts
Difficulty Level:
Beginner to Intermediate
Beginner Definition - The student has an interest in the topic presented and general technology knowledge that a power user or undergraduate student may have acquired.
Intermediate Definition - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.
Suggested Prerequisites:
- Basic familiarity with Linux
- Basic familiarity with Python
- Some understanding of pentesting and red teaming fundamentals
This will be a tech-forward course less suited for executives, project managers, compliance auditors, etc. Ideally, students have some basic general cybersecurity experience (or equivalent education). That being said, we've had some quick learners with different backgrounds who benefited greatly from the hands-on nature of the course.
What Students Should Bring:
- Modern laptop with Core i7 CPU or equivalent/better and preferably 32GB+ RAM (absolute minimum 16GB)
- Laptop should run DragonOS Noble (24.04) or newer (see https://cemaxecuter.com/). A VM is fine, but a native installation is preferable to reduce the risk of spending time on setup problems
- Laptop should *not* be a locked-down corporate laptop; administrator privileges are a must-have
- Laptop should have USB type A (or Type C + converter) for SDR hardware
- Bring a charger
What the Trainer Will Provide:
- HackRF based SDR hardware (platform + antenna)
- Several exercise targets including: Fixed-code alarm system, rolling-code RKE/door control system
- Syllabus, exercises, exercise solutions, and tooling
- Certificate of attendance
All students will receive a hardware kit to keep as part of their registration, including:
- The versatile HackRF based SDR platform
- All the covered exercise targets
- Bonus target: a motion-based alarm system, together with an exercise sheet and solution.
This will allow you to hone your skills in the field with familiar tools, and to continue and reproduce training exercises at home.
Trainer(s) Bio:
Jos Wetzels is a co-founding partner at Midnight Blue. His research has involved reverse-engineering, vulnerability research and exploit development across various domains ranging from industrial and automotive systems to IoT, networking equipment and deeply embedded SoCs. He has discovered zero-day vulnerabilities across tech stacks ranging from bootloaders and RTOSes to proprietary protocol implementations. At Midnight Blue, he has consulted to government agencies, grid operators, and Fortune 500 companies worldwide and has been involved in the first ever public analysis of the TETRA radio standard used by police and critical infrastructure globally - uncovering several critical vulnerabilities. Prior to founding Midnight Blue, he worked as a security researcher and reverse engineer at Forescout where he developed state-of-the-art intrusion detection capabilities for Operational Technology (OT) environments. Jos is a member of the Black Hat USA Review Board and a regular conference speaker who has presented at events such as Black Hat, DEF CON, CCC, USENIX, HITB, OffensiveCon, ReCon, EkoParty, and others.
Wouter Bokslag is a co-founding partner and security researcher at Midnight Blue. He is known for the reverse-engineering and cryptanalysis of the previously secret cryptographic algorithms used in the TETRA radio standard. He has performed specialist security assessments on RF networks of law enforcement agencies, critical infrastructure, and some of the largest companies in the world. In addition, his prior research includes reverse-engineering and cryptanalysis of several proprietary in-vehicle immobilizer authentication ciphers used by major automotive manufacturers as well as co-developing the world's fastest public attack against the Hitag2 cipher. He holds a Master's Degree in Computer Science & Engineering from Eindhoven University of Technology (TU/e) and designed and assisted in teaching hands-on offensive security classes for graduate students at the Dutch Kerckhoffs Institute for several years. He presented research at venues like Black Hat, DEF CON, USENIX, CCC, hardwear.io and many others.
Proficiency Exam Option:
This course has the option for a proficiency certificate add-on.
The proficiency exam will consist of a CTF-style challenge which incorporates major learnings from the training and evaluates the student's proficiency with the taught methodologies and tooling. In the unlikely event the challenge cannot be completed, a re-take opportunity is provided.
Please reach out to training@defcon.org for any questions related to the proficiency exam and certificate option.
Registration Terms and Conditions:
Trainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.
Between July 11, 2026 and August 5, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.
All trainings are non-refundable after August 5, 2026.
Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.
DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.