Detecting and Fingerprinting RF Signals Across Mobile, Drone, WLAN, Short-Range, Access-Control, RFID, Satellite, and GNSS Systems

Prepared March 05, 2026 (America/Denver). Format: IEEE-style technical report with online references.

Abstract

This report surveys practical methods for detecting radio-frequency (RF) emissions and fingerprinting transmitters (RF fingerprinting / RFF) across: mobile devices (LTE/5G NR), drones (UAS command/control and remote ID), Wi‑Fi, Bluetooth, near-field payment systems (NFC), automobile key fobs and access-control remotes, home security/IoT remote control systems (Z‑Wave/Zigbee/other sub‑GHz links), RFID (HF/UHF), satellite communications, and GNSS (GPS/Galileo). It emphasizes lawful spectrum monitoring and defensive applications (asset inventory, anomaly detection, rogue transmitter identification), while avoiding guidance intended to bypass security controls.

Index Terms

RF sensing, spectrum monitoring, signal detection, modulation classification, cyclostationary analysis, preamble detection, physical-layer security, RF fingerprinting (RFF), SDR, Wi‑Fi (IEEE 802.11), Bluetooth, NFC, RFID, LTE, 5G NR, UAV detection, satellite signals, GNSS spoofing detection.

I. Introduction

Detection answers “is a signal present, and what is it?”; fingerprinting answers “which specific transmitter produced it?” Fingerprinting relies on subtle, often unintended analog hardware impairments (e.g., oscillator offset, IQ imbalance, PA nonlinearity) that imprint repeatable features onto the baseband signal. Surveys and systematizations of RF fingerprinting describe both classic feature engineering and modern deep-learning approaches, as well as open challenges in channel variability and generalization across time and environments. See [1]–[3] for broad overviews and mobile-focused RFF discussions.

Scope note. Many listed technologies use cryptography and higher-layer authentication. This report focuses on RF-layer observables (timing, spectral shape, pilots/preambles, hopping patterns, impairments) and on defensive/diagnostic uses of those observables, not on recovering protected payload contents.

II. Detection & Fingerprinting Pipeline

A. Instrumentation and Data Capture

Typical capture chains use a spectrum analyzer, channelized receiver, or software-defined radio (SDR) to produce complex I/Q samples. Critical parameters are front-end linearity, instantaneous bandwidth, sampling rate, frequency stability (TCXO/OCXO), and time synchronization if multi-sensor correlation or TDOA/AOA is required. For wideband environments (2.4 GHz ISM, cellular bands), practical deployments often pair an RF “detector” stage (fast energy/cyclostationary sensing) with selective high-rate I/Q captures for classification/fingerprinting.

B. Signal Presence Detection

C. Identification vs. Fingerprinting

After “class identification” (protocol/standard), RF fingerprinting attempts “device identification.” Systematizations of physical-layer identification highlight the distinction and the need to model channel effects (multipath, Doppler, AGC) that can mask device-specific impairments [2]. Modern RF fingerprinting surveys emphasize deep models trained on raw I/Q or spectrogram-like inputs, but also note dataset bias and time drift issues [1], [3]. For real-world evaluation, public datasets for Wi‑Fi and Bluetooth combo chipsets exist [15].

D. Common Fingerprint Features

E. Summary Table of Targets

| System | Typical Bands / Waveform Clues | Reliable Detection Anchors | Fingerprinting Levers |
|---|---|---|---|
| Mobile (LTE/5G) | Sub‑6 GHz and mmWave; OFDM-based downlink, structured sync blocks | PSS/SSS (LTE) [14], SSB (NR) [5], [12] | CFO, IQ imbalance, EVM; base-station vs UE RFF stability [3] |
| Wi‑Fi (802.11) | 2.4/5/6 GHz; OFDM; packet preambles | STF/LTF correlation [6], [7] | Training-field distortions, spectral mask, CSI statistics, timing skew [1], [6] |
| Bluetooth | 2.4 GHz; FHSS; BLE advertising on channels 37–39 | BLE adv channels [8], link-layer behavior [9] | Hop timing, CFO, GFSK shaping, combo-chip cross-protocol RFF [15] |
| NFC | 13.56 MHz near-field magnetic coupling | Carrier presence & load modulation patterns [10] | Analog parameter differences (field strength, modulation depth) [11] |
| Key fobs / access remotes | Sub‑GHz (e.g., 315 MHz NA, 433/868 MHz EU); OOK/FSK bursts | Burst detection + symbol-rate estimation | Transient ramps, CFO, pulse-shape differences; security depends on rolling code [16] |
| Home security / IoT remotes | Sub‑GHz (Z‑Wave) and 2.4 GHz (Zigbee/802.15.4) | Z‑Wave regional freqs [17]; 802.15.4 DSSS/O‑QPSK [18] | PHY impairments + device behavior (retransmits, beacon periodicity) |
| RFID | HF 13.56 MHz; UHF 860–960 MHz backscatter | EPC Gen2 reader queries and tag replies [19] | Backscatter link timing, modulation depth, reader PA characteristics |
| Satellite comms | Many bands; DVB‑S2 for broadcast; CCSDS for space links | Pilots/sync words; framing/coding signatures [20], [21], [24] | Carrier offsets, beam hopping patterns, terminal PA/oscillator traits |
| GNSS (GPS/Galileo) | L‑band spread-spectrum with PRN codes | Code correlation peaks; nav message structure [22], [23] | Signal-quality monitoring (correlation distortion + power) [27] |

Note: bands are representative and region- and standard-dependent; always verify local allocations and device labeling before drawing conclusions.

III. System-Specific Techniques

A. Mobile Devices (LTE / 5G NR)

Detection: LTE and NR downlinks are structured to enable rapid cell search and synchronization. LTE uses PSS/SSS for coarse time/frequency sync and physical cell ID discovery [14]. 5G NR combines PSS/SSS with PBCH into the Synchronization Signal Block (SSB) occupying 4 OFDM symbols and 240 subcarriers (20 RBs) in a burst periodicity configured by the network [5], [12]. Practical detectors therefore use:

Fingerprinting: RF fingerprinting for cellular systems is an active research area, with features sourced from oscillator deviation, IQ imbalance, filtering, and PA effects; transient and steady-state feature categories are commonly distinguished [3]. In practice, cellular fingerprinting must control for mobility and fast channel variation; multi-capture averaging, channel equalization, and receiver calibration improve stability. Cellular RF-layer observations have also been used to characterize privacy threats and defenses (e.g., IMSI-catcher detection methodologies), underscoring the need for policy-aware monitoring [29].

B. Drones (UAS): Command/Control, Video Links, and Remote ID

Detection: Many consumer drones use 2.4 GHz and/or 5.8 GHz links for command and video; waveforms can resemble Wi‑Fi-like OFDM or proprietary variants. Detection approaches include wideband scanning for bursty traffic, protocol-feature classification, and model identification via RF fingerprints. A widely cited line of work frames UAV detection and classification as RF fingerprinting under interference and multipath [25].

Remote ID / identification signals: Some systems transmit explicit identification/telemetry messages that can be decoded for situational awareness; measurement campaigns have shown kilometer-scale detection ranges under favorable conditions [26]. (Operationally, treat decoded IDs as one sensor input; RF-only ID can be spoofed or absent.)

Fingerprinting: Fingerprinting features often combine (i) protocol-aware elements (burst timing, channel access, frame periodicity) with (ii) physical impairments (CFO, spectral shape, transient ramps). For drones, motion introduces Doppler and fast fading; robust models typically use short windows, normalization, and interference-aware training [25].

C. Wi‑Fi (IEEE 802.11)

Detection: Wi‑Fi preambles are designed for reliable packet detection and synchronization. In OFDM PHYs, the Short Training Field (STF) supports packet detection and coarse frequency estimation, while the Long Training Field (LTF) supports fine sync and channel estimation [6], [7]. Practical Wi‑Fi detectors often implement:

Fingerprinting: Wi‑Fi fingerprinting leverages transmitter impairments visible in training fields, spectral masks, and error-vector patterns, as well as channel-state information (CSI) statistics when available [1]. Public Wi‑Fi/Bluetooth datasets for RF fingerprinting of commercial devices enable benchmarking and highlight time-variation issues [15].
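The STF-based packet detection and coarse frequency estimation described above can be sketched as a delay-and-correlate detector. This is an added example, not code from the report or its references: the capture is constructed, and the 16-sample short symbol is a random-phase stand-in for the 802.11-defined sequence that shares only its periodicity (10 repetitions at 20 MS/s). The estimated CFO is the sum of transmitter and receiver offsets, so it is usable as a device feature only with a stable, calibrated receiver.

```python
import cmath
import math
import random

FS = 20e6      # sample rate of a 20 MHz 802.11 OFDM channel
PERIOD = 16    # legacy STF short symbol repeats every 16 samples (0.8 us)
REPS = 10      # ten repetitions form the 160-sample short training field
WIN = 48       # correlation window: three short-symbol periods


def make_capture(start, cfo_hz, noise_sigma=0.02, seed=1):
    """Constructed capture: noise, a periodic STF stand-in, then random payload."""
    rng = random.Random(seed)
    unit = lambda: cmath.exp(2j * math.pi * rng.random())
    burst = [unit() for _ in range(PERIOD)] * REPS + [unit() for _ in range(200)]
    rx = []
    for n in range(start + len(burst) + 100):
        s = burst[n - start] if start <= n < start + len(burst) else 0j
        s *= cmath.exp(2j * math.pi * cfo_hz * n / FS)  # combined TX/RX oscillator offset
        rx.append(s + complex(rng.gauss(0, noise_sigma), rng.gauss(0, noise_sigma)))
    return rx


def delay_correlate(rx, n):
    """Return (C, P): lag-16 correlation and energy of the delayed window at index n."""
    c = sum(rx[n + k + PERIOD] * rx[n + k].conjugate() for k in range(WIN))
    p = sum(abs(rx[n + k + PERIOD]) ** 2 for k in range(WIN))
    return c, p


def detect_stf(rx, threshold=0.8):
    """First index where the normalized metric |C|^2 / P^2 exceeds the threshold.

    Noise and non-periodic payload give a metric near 1/WIN; a periodic
    preamble drives it toward 1 regardless of received power.
    """
    for n in range(len(rx) - WIN - PERIOD):
        c, p = delay_correlate(rx, n)
        if p > 0 and abs(c) ** 2 / p ** 2 > threshold:
            return n
    return None


def estimate_cfo(rx, n):
    """CFO in Hz from the phase rotation accumulated over one 16-sample period.

    Unambiguous only within +/- FS / (2 * PERIOD) = +/- 625 kHz.
    """
    c, _ = delay_correlate(rx, n)
    return cmath.phase(c) * FS / (2 * math.pi * PERIOD)


if __name__ == "__main__":
    capture = make_capture(start=300, cfo_hz=40e3)
    idx = detect_stf(capture)
    # Estimate one period after the trigger so both windows sit inside the preamble.
    print("trigger index:", idx)
    print("CFO estimate (Hz):", round(estimate_cfo(capture, idx + PERIOD)))
```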

D. Bluetooth (Classic and BLE)

Detection: Bluetooth uses the 2.4 GHz ISM band with frequency hopping; BLE advertises on primary channels 37, 38, and 39 (with additional “extended advertising” on secondary channels in newer versions) [8]. The Bluetooth Core Specification defines link-layer states and the advertising/initiating/connection behaviors [9]. Practical detectors include:

Fingerprinting: FHSS complicates fingerprinting because each hop experiences different interference and channel response. Robust approaches normalize per-hop and aggregate across hops; combo-chip datasets capturing both Wi‑Fi and Bluetooth emissions are particularly relevant for real deployments [15].

E. Near Field Payment Systems (NFC)

Detection: NFC operates at 13.56 MHz using near-field magnetic coupling with very short typical ranges (centimeters) and supports both data exchange and, in some modes, power transfer to passive targets [10]. NFC Forum specifications build on ISO/IEC 14443 and ISO/IEC 18092 for digital protocol and analog parameters [10], [11]. Detection is typically based on carrier presence, modulation sidebands, and load-modulation signatures (for passive targets).

Fingerprinting: Potential fingerprints include reader field strength stability, modulation depth, spectral purity, and timing jitter; for tags, load-modulation characteristics and resonance/Q can differ by construction. In payment contexts, apply strict ethical constraints—use test cards and controlled environments, and do not attempt to capture sensitive transaction data.

F. Automobile Key Fobs and Access-Control Remotes

Detection: Many remote keyless entry (RKE) and garage/access remotes use sub‑GHz bands such as 315 MHz in North America and 433/868 MHz in Europe, commonly sending short OOK/ASK or FSK bursts [16], [28]. Burst detectors with narrowband channelization can estimate symbol rate and modulation to classify families of devices.

Fingerprinting: Because transmissions are short, transient-domain features (turn-on ramps, PLL settling) can be useful, as can CFO and pulse-shape. However, receiver AGC and multipath can strongly distort bursts; capturing multiple presses at varied SNR and using receiver calibration improves repeatability.

Security reality check: Academic work has shown that security properties vary widely across deployed systems, and poor cryptography can render higher-layer authentication ineffective [16]. Fingerprinting can be used defensively for anomaly detection (e.g., “expected fob” vs “unexpected transmitter near the vehicle”) but should not be treated as a replacement for cryptographic authentication.

G. Remote Control Systems (Home Security and IoT)

“Home security” RF spans multiple protocol families: sub‑GHz proprietary sensor links, Z‑Wave in sub‑GHz bands, and Zigbee/Thread over IEEE 802.15.4 at 2.4 GHz. Z‑Wave uses regional sub‑GHz allocations (e.g., 908.42 MHz in the U.S., 868.42 MHz in parts of Europe) [17]. IEEE 802.15.4 at 2.4 GHz uses DSSS with O‑QPSK (2 Mchips/s) in common Zigbee/Thread PHY profiles [18].

Detection: Use band-aware scans (sub‑GHz + 2.4 GHz). For 802.15.4, packet detectors can exploit the PHY preamble and start-of-frame delimiter (SFD) patterns; for Z‑Wave, narrowband FSK detection with region-specific center frequencies is effective.

Fingerprinting: Combine (i) physical impairments with (ii) behavioral features such as sensor periodicity, retransmission patterns, and acknowledgement timing. In multi-tenant RF environments, concurrent protocols (Wi‑Fi/Bluetooth/802.15.4) require careful interference handling and may benefit from multi-task ML models trained across protocols [1].

H. RFID (HF and UHF)

Detection: RFID spans LF/HF/UHF. UHF passive RFID (860–960 MHz) typically uses the EPC Gen2 air interface (standardized as ISO/IEC 18000-63) and relies on reader illumination with tag backscatter replies [19]. Detection often focuses on reader query bursts and the characteristic backscatter reply envelopes.

Fingerprinting: For readers: PA spectral regrowth, CFO, ramp shapes, and protocol timing are candidate fingerprints. For tags: backscatter link timing and modulation depth can vary, but strong dependence on orientation, range, and multipath complicates stable tag fingerprinting. Practical “fingerprinting” in RFID deployments often leans on explicit identifiers (EPC/TID) combined with RF anomaly detection (unexpected power levels, unusual reply timing).

I. Satellite Signals (Broadcast, LEO Constellations, Space Links)

Detection: Satellite waveforms are diverse. Broadcast TV distribution often uses DVB‑S2 (ETSI EN 302 307‑1) [20], while many space mission links follow CCSDS recommendations for modulation and coding [21]. For modern LEO broadband, blind or semi-blind identification methods can recover structure from wideband captures; a detailed open analysis of Starlink Ku‑band downlink structure provides an example of practical signal identification on 10.7–12.7 GHz [24].

Fingerprinting: Satellite fingerprinting can target (i) spacecraft transmit chains (CFO/stability, amplifier characteristics, pilot distortions), (ii) user terminals/gateways, or (iii) system-level patterns (beam hopping, scheduler periodicities). Because paths are long and Doppler can be significant (especially for LEO), normalization for frequency drift and time-varying channel is essential.

J. GNSS / GPS

Detection: GNSS signals are spread-spectrum signals identified through correlation against PRN codes. GPS interface specifications define the signal structure and carrier center frequencies; for example, L1 is centered at 1575.42 MHz (among other links) [22]. Galileo similarly publishes signal centers (e.g., L1 at 1575.42 MHz) [23].
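Correlation against PRN codes, as described above, is illustrated here for the GPS L1 C/A code. This is an added example, not code from the report: the generator follows the G1/G2 shift-register structure in IS-GPS-200 [22] for PRNs 1 to 4 only, and the received signal is constructed at one sample per chip with far less noise than a live capture, which would need longer integration and a Doppler search.

```python
import random

# G2 phase-selector stages (1-based) for a few PRNs, per IS-GPS-200.
G2_TAPS = {1: (2, 6), 2: (3, 7), 3: (4, 8), 4: (5, 9)}
CODE_LEN = 1023


def ca_code(prn):
    """Generate the 1023-chip C/A Gold code for `prn` as a list of 0/1 chips."""
    g1 = [1] * 10
    g2 = [1] * 10
    t1, t2 = G2_TAPS[prn]
    chips = []
    for _ in range(CODE_LEN):
        chips.append(g1[9] ^ g2[t1 - 1] ^ g2[t2 - 1])
        fb1 = g1[2] ^ g1[9]                                  # G1: 1 + x^3 + x^10
        fb2 = g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]  # G2: 1 + x^2 + x^3 + x^6 + x^8 + x^9 + x^10
        g1 = [fb1] + g1[:9]
        g2 = [fb2] + g2[:9]
    return chips


def bipolar(chips):
    """Map chips 0/1 to +1/-1 for correlation."""
    return [1 - 2 * c for c in chips]


def circular_correlate(rx, code):
    """Correlation of one code period of `rx` against `code` at every chip lag."""
    n = len(code)
    return [sum(rx[(k + lag) % n] * code[k] for k in range(n)) for lag in range(n)]


def acquire(rx, prn):
    """Return (code_phase, peak_value, peak_to_second_peak_ratio) for one PRN."""
    corr = circular_correlate(rx, bipolar(ca_code(prn)))
    mags = [abs(v) for v in corr]
    phase = max(range(CODE_LEN), key=mags.__getitem__)
    second = max(m for i, m in enumerate(mags) if i != phase)
    return phase, corr[phase], mags[phase] / second


def make_rx(prn_delays, noise_sigma=1.0, seed=7):
    """Constructed one-period capture: Gaussian noise plus delayed copies of each PRN."""
    rng = random.Random(seed)
    rx = [rng.gauss(0, noise_sigma) for _ in range(CODE_LEN)]
    for prn, delay in prn_delays.items():
        code = bipolar(ca_code(prn))
        for i in range(CODE_LEN):
            rx[(i + delay) % CODE_LEN] += code[i]
    return rx


if __name__ == "__main__":
    rx = make_rx({1: 417, 3: 88})
    for prn in (1, 3, 4):  # PRN 4 is absent from the constructed capture
        phase, peak, ratio = acquire(rx, prn)
        print(f"PRN {prn}: code phase {phase}, peak {peak:.0f}, peak/second {ratio:.2f}")
```

A present PRN shows one dominant peak at its code phase; an absent PRN produces a peak-to-second-peak ratio close to 1, which is the basis for a simple acquisition threshold.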

Fingerprinting & spoofing detection: “Fingerprinting” is often applied to interference sources (jammers/spoofers) rather than satellites, using receiver-observable artifacts such as correlation function distortion, power anomalies, and consistency checks across channels. The Power-Distortion detector is a representative signal-quality monitoring method that classifies interference-free, multipath, spoofed, and jammed conditions using received power and correlation distortion observations [27].

IV. Operational Considerations

A. Receiver Calibration and Repeatability

Fingerprinting accuracy is frequently limited by receiver-induced variation (LO drift, IQ imbalance, AGC nonlinearity). Use stable frequency references where possible, calibrate IQ/DC offsets, and keep gain states consistent. When multiple receivers are used, synchronize clocks and calibrate relative phase/frequency offsets; otherwise, models may learn “receiver fingerprints” instead of transmitter fingerprints.
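One way to carry out the IQ/DC calibration step above is to inject a clean test tone and estimate the receiver's own impairments from sample statistics before any transmitter features are extracted. This is an added example, not code from the report: the capture, the impairment values, and the simple imbalance model (gain and phase error applied to the Q branch) are assumptions chosen for illustration.

```python
import cmath
import math
import random


def impaired_capture(n, cycles, gain, phase_deg, dc, noise_sigma=0.01, seed=3):
    """Constructed test tone as seen through a receiver with IQ imbalance and DC offset."""
    rng = random.Random(seed)
    phi = math.radians(phase_deg)
    out = []
    for k in range(n):
        th = 2 * math.pi * cycles * k / n
        i, q = math.cos(th), math.sin(th)
        i_rx = i + dc.real + rng.gauss(0, noise_sigma)
        q_rx = gain * (q * math.cos(phi) + i * math.sin(phi)) + dc.imag + rng.gauss(0, noise_sigma)
        out.append(complex(i_rx, q_rx))
    return out


def estimate_impairments(x):
    """Estimate (dc, gain, phi) from second-order statistics of the I and Q branches."""
    n = len(x)
    dc = sum(x) / n
    i = [v.real - dc.real for v in x]
    q = [v.imag - dc.imag for v in x]
    pii = sum(a * a for a in i) / n
    pqq = sum(b * b for b in q) / n
    piq = sum(a * b for a, b in zip(i, q)) / n
    gain = math.sqrt(pqq / pii)                   # Q/I amplitude ratio
    phi = math.asin(piq / math.sqrt(pii * pqq))   # I/Q leakage gives the phase error
    return dc, gain, phi


def correct(x, dc, gain, phi):
    """Invert the receiver model: remove DC, then undo Q-branch gain and phase error."""
    out = []
    for v in x:
        i = v.real - dc.real
        q = ((v.imag - dc.imag) / gain - i * math.sin(phi)) / math.cos(phi)
        out.append(complex(i, q))
    return out


def image_rejection_db(x, cycles):
    """Ratio of the tone bin to its mirror-image bin, from two single-bin DFTs."""
    n = len(x)

    def tone_bin(m):
        return abs(sum(v * cmath.exp(-2j * math.pi * m * k / n) for k, v in enumerate(x)))

    return 20 * math.log10(tone_bin(cycles) / tone_bin(-cycles))


if __name__ == "__main__":
    raw = impaired_capture(4096, 37, gain=1.08, phase_deg=4.0, dc=complex(0.03, -0.02))
    dc, g, phi = estimate_impairments(raw)
    fixed = correct(raw, dc, g, phi)
    print(f"dc={dc:.3f} gain={g:.3f} phase={math.degrees(phi):.2f} deg")
    print(f"image rejection: {image_rejection_db(raw, 37):.1f} dB -> {image_rejection_db(fixed, 37):.1f} dB")
```

Storing the estimated values per receiver and gain state makes it possible to check later whether a learned "fingerprint" tracks the transmitter or merely the sensor that captured it.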

B. Channel Effects (Multipath, Mobility, Doppler)

Multipath can mimic device-specific spectral features; mobility introduces fast fading and Doppler (notably for drones and LEO satellite links). Common mitigations include equalization using known pilots/training sequences, feature normalization, training on diverse environments, and decision fusion across time windows.

C. Dataset Design and Model Generalization

Public datasets help, but real deployments face time drift, firmware updates, and temperature-dependent RF behavior. Prefer evaluation protocols that separate training and test captures across time, power levels, and environments; multi-condition datasets for Wi‑Fi/Bluetooth support such testing [15].

D. Multi-Sensor Correlation (Optional)

For wide-area monitoring, combining multiple sensors enables geolocation via TDOA/AOA, and helps disambiguate co-channel emitters. This can be paired with fingerprinting: location bounds reduce candidate sets; fingerprints reduce false associations between tracks.

V. Privacy, Policy, and Ethics

RF detection and fingerprinting can enable legitimate operations (spectrum management, interference hunting, asset inventory, safety and compliance), but also create surveillance risk. In many jurisdictions, intercepting communications or attempting to decode protected content without authorization is unlawful. Even passive identifiers (MAC addresses, Remote ID) can create privacy externalities; treat identifiers as sensitive.


References

  1. A. Jagannath et al., “A comprehensive survey on radio frequency (RF) fingerprinting: traditional approaches, deep learning, and open challenges,” Computer Networks, 2022. [Online]. Available: https://dl.acm.org/doi/10.1016/j.comnet.2022.109455 (accessed 2026-03-05).
  2. B. Danev, D. Zanetti, and S. Capkun, “On physical-layer identification of wireless devices,” ACM Computing Surveys, 2012. [Online]. Available: https://dl.acm.org/doi/10.1145/2379776.2379782 (accessed 2026-03-05).
  3. H. Fu et al., “Radio Frequency Fingerprint Identification for 5G Mobile Communications,” 2023. [Online]. Available: https://pmc.ncbi.nlm.nih.gov/articles/PMC10814099/ (accessed 2026-03-05).
  4. ETSI, “5G Standards,” (includes FR1/FR2 overview), [Online]. Available: https://www.etsi.org/technologies/mobile/5g (accessed 2026-03-05).
  5. R. Tuninato et al., “A comprehensive study on the synchronization procedure in 5G NR,” 2023. [Online]. Available: https://link.springer.com/article/10.1186/s13638-023-02317-5 (accessed 2026-03-05).
  6. Tektronix, “Wi‑Fi Overview: 802.11 physical layer and transmitter measurements,” (STF/LTF roles), [Online]. Available: https://www.tek.com/en/documents/primer/wi-fi-overview-80211-physical-layer-and-transmitter-measurements (accessed 2026-03-05).
  7. V. Ninkovic and M. Karlsson, “Preamble-Based Packet Detection in Wi‑Fi,” 2020. [Online]. Available: https://arxiv.org/pdf/2009.05740 (accessed 2026-03-05).
  8. Novelbits, “Bluetooth Low Energy Advertisements (channels 37, 38, 39),” 2020. [Online]. Available: https://novelbits.io/bluetooth-low-energy-advertisements-part-1/ (accessed 2026-03-05).
  9. Bluetooth SIG, “Bluetooth Core Specification (Link Layer),” [Online]. Available: https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-54/out/en/low-energy-controller/link-layer-specification.html (accessed 2026-03-05).
  10. NFC Forum, “NFC Technology,” (13.56 MHz basics), [Online]. Available: https://nfc-forum.org/learn/nfc-technology/ (accessed 2026-03-05).
  11. NFC Forum, “Specifications (Digital Protocol, Analog),” [Online]. Available: https://nfc-forum.org/build/specifications (accessed 2026-03-05).
  12. MathWorks, “Introduction to 5G NR Signal Detection,” (SSB contents and detection concepts), [Online]. Available: https://www.mathworks.com/help/wireless-hdl/gs/intro-to-5G-signal-detection.html (accessed 2026-03-05).
  13. D. Estevez, “LTE downlink synchronization signals (PSS/SSS),” 2022. [Online]. Available: https://destevez.net/2022/04/lte-downlink-synchronization-signals/ (accessed 2026-03-05).
  14. MathWorks, “Synchronization Signals (PSS and SSS) in LTE,” [Online]. Available: https://www.mathworks.com/help/lte/ug/synchronization-signals-pss-and-sss.html (accessed 2026-03-05).
  15. A. Jagannath et al., “Bluetooth and WiFi Dataset for Real World RF Fingerprinting of Commercial Devices,” 2023. [Online]. Available: https://arxiv.org/abs/2303.13538 (accessed 2026-03-05).
  16. F. D. Garcia et al., “Lock It and Still Lose It—On the (In)Security of Automotive Remote Keyless Entry Systems,” USENIX Security, 2016. [Online]. Available: https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_garcia.pdf (accessed 2026-03-05).
  17. DigiKey, “The Basics of Z‑Wave (frequencies 908.42 MHz U.S., 868.42 MHz EU),” 2011. [Online]. Available: https://www.digikey.com/en/articles/the-basics-of-zwave-and-why-you-should-consider-it (accessed 2026-03-05).
  18. Keysight, “IEEE 802.15.4 ZigBee (DSSS at 2.4 GHz),” [Online]. Available: https://helpfiles.keysight.com/csg/n7610b/Content/Main/IEEE%20802.15.4%20ZigBee.htm (accessed 2026-03-05).
  19. GS1, “EPC Gen2 Protocol Standard (ISO/IEC 18000-63 context),” [Online]. Available: https://www.gs1.org/sites/default/files/docs/epc/Gen2_Protocol_Standard.pdf (accessed 2026-03-05).
  20. ETSI, “EN 302 307‑1: DVB‑S2,” 2014. [Online]. Available: https://www.etsi.org/deliver/etsi_en/302300_302399/30230701/01.04.01_20/en_30230701v010401a.pdf (accessed 2026-03-05).
  21. CCSDS, “Radio Frequency and Modulation Systems—Part 1 (CCSDS 401.0‑B‑32),” 2021. [Online]. Available: https://ccsds.org/Pubs/401x0b32.pdf (accessed 2026-03-05).
  22. U.S. Coast Guard Navigation Center, “GPS Interface Specification IS‑GPS‑200N,” 2022. [Online]. Available: https://www.navcen.uscg.gov/sites/default/files/pdf/gps/IS-GPS-200N.pdf (accessed 2026-03-05).
  23. ESA, “Galileo navigation signals and frequencies,” [Online]. Available: https://www.esa.int/Applications/Satellite_navigation/Galileo/Galileo_navigation_signals_and_frequencies (accessed 2026-03-05).
  24. T. E. Humphreys et al., “Signal Structure of the Starlink Ku‑Band Downlink,” 2023. [Online]. Available: https://radionavlab.ae.utexas.edu/wp-content/uploads/starlink_structure.pdf (accessed 2026-03-05).
  25. M. Ezuma et al., “Detection and Classification of UAVs Using RF Fingerprints in the Presence of Interference,” 2019. [Online]. Available: https://arxiv.org/pdf/1909.05429 (accessed 2026-03-05).
  26. V. Stepanyan et al., “Drone Detection and Tracking Using RF Identification Signals,” 2023. [Online]. Available: https://www.researchgate.net/publication/373677766_Drone_Detection_and_Tracking_Using_RF_Identification_Signals (accessed 2026-03-05).
  27. T. E. Humphreys et al., “GNSS Signal Authentication via Power and Distortion (Power‑Distortion detector),” 2020. [Online]. Available: https://radionavlab.ae.utexas.edu/images/stories/files/papers/pincer.pdf (accessed 2026-03-05).
  28. F. D. Garcia et al., “Lock It and Still Lose It—(Supplementary: frequency bands mention),” supporting material, [Online]. Available: https://kasper-oswald.de/wp-content/uploads/2013/03/paper.pdf (accessed 2026-03-05).
  29. T. Tucker et al., “Detecting IMSI-Catchers by Characterizing Identity Exposing Messages in Cellular Traffic,” NDSS, 2025. [Online]. Available: https://www.ndss-symposium.org/wp-content/uploads/2025-1115-paper.pdf (accessed 2026-03-05).