MITRE ATT&CK® Technique

T0887: Wireless Sniffing

Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies range from 3 kHz to 300 GHz, although they are commonly between 300 MHz and 6 GHz. [1] The wavelength and frequency of the signal affect how it propagates through open air and obstacles (e.g. walls and trees) and the type of radio required to capture it. These characteristics are often standardized in the protocol and hardware and may affect how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are WirelessHART, Zigbee, WIA-FA, and the 700 MHz Public Safety Spectrum.

Adversaries may capture RF communications by using specialized hardware, such as a software defined radio (SDR), a handheld radio, or a computer with a radio demodulator tuned to the communication frequency. [2] Information transmitted over a wireless medium may be captured in transit whether or not the sniffing device is the intended destination. This technique may be particularly useful to an adversary when the communications are not encrypted. [3]

In the 2017 Dallas Siren incident, it is suspected that adversaries captured wireless command message broadcasts on a 700 MHz frequency during a regular test of the system and later replayed them to trigger the alarm systems. [3]
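The description above says that wavelength and frequency govern how far a signal propagates, and that a radio tuned to the channel can capture it whether or not it is the intended receiver. The question a defender has to answer is therefore: how far from the transmitter can a sniffer still decode the traffic? The following is an added example, not code from the ATT&CK entry or from any cited source. It computes a free-space link budget (Friis path loss) and inverts it to estimate capture range. The transmitter power, antenna gains, receiver sensitivity and the 40 dB clutter allowance are constructed illustration values, not measurements of any real siren or industrial wireless system, and the free-space figure is a floor: real obstacles only add loss, so the true reach is shorter, but it is still the number to compare against the fence line.

```python
import math

C_M_PER_S = 299_792_458.0  # speed of light


def free_space_path_loss_db(distance_m: float, freq_hz: float) -> float:
    """Friis free-space path loss: 20*log10(d) + 20*log10(f) + 20*log10(4*pi/c), d in m, f in Hz.

    This is a floor, not a prediction: walls, terrain and foliage only add loss on top of it.
    """
    if distance_m <= 0 or freq_hz <= 0:
        raise ValueError("distance and frequency must be positive")
    return (20 * math.log10(distance_m)
            + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / C_M_PER_S))


def received_power_dbm(tx_power_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                       distance_m: float, freq_hz: float, extra_loss_db: float = 0.0) -> float:
    """Link budget: the power a receiver at distance_m sees, in dBm."""
    return (tx_power_dbm + tx_gain_dbi + rx_gain_dbi
            - free_space_path_loss_db(distance_m, freq_hz) - extra_loss_db)


def max_capture_range_m(tx_power_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                        rx_sensitivity_dbm: float, freq_hz: float,
                        extra_loss_db: float = 0.0) -> float:
    """Largest distance at which a receiver of the given sensitivity still decodes the signal.

    Solves FSPL(d) = budget for d, where budget = Pt + Gt + Gr - Pmin - extra_loss.
    """
    budget_db = tx_power_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm - extra_loss_db
    exponent = (budget_db
                - 20 * math.log10(freq_hz)
                - 20 * math.log10(4 * math.pi / C_M_PER_S)) / 20
    return 10 ** exponent


def capture_range_report(tx_power_dbm: float, rx_sensitivity_dbm: float,
                         freqs_hz: dict, extra_loss_db: float = 0.0) -> dict:
    """Reach in km per named frequency, assuming 0 dBi antennas at both ends."""
    return {name: max_capture_range_m(tx_power_dbm, 0.0, 0.0, rx_sensitivity_dbm,
                                      f, extra_loss_db) / 1000
            for name, f in freqs_hz.items()}


if __name__ == "__main__":
    # Constructed parameters: a 10 W (40 dBm) fixed transmitter and a commodity SDR front end
    # with -100 dBm usable sensitivity. Not measurements of any real system.
    bands = {"700 MHz public-safety": 700e6, "2.4 GHz (Zigbee/WirelessHART)": 2.4e9}
    for label, extra in (("free space", 0.0), ("+40 dB clutter/terrain", 40.0)):
        for name, km in capture_range_report(40.0, -100.0, bands, extra).items():
            print(f"{label:22s} {name:32s} reach ~ {km:8.1f} km")
```

Two properties of the formula matter for M0806 planning: every doubling of distance costs only about 6 dB, so reach falls off slowly once a transmitter is strong enough to reach the fence at all, and at a fixed budget the free-space reach scales inversely with frequency, so a 700 MHz link reaches roughly 3.4 times as far as a 2.4 GHz one. Whatever the local survey measures, the free-space number is the upper bound to start from.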

ICS · T0887 · Technique · Object v1.1 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Wireless Sniffing matters because some industrial and cyber-physical systems rely on radio communications for remote control and reporting. If those RF messages can be captured, especially when not encrypted, an adversary may gain information needed for later misuse such as spoofing or replay, as suspected in the Dallas siren case referenced by ATT&CK.

Executive priority

Leaders should treat this as a resilience and safety-risk validation item for facilities that use industrial wireless, public-safety spectrum, remote sensors, actuators, or field communications. The key business question is not only whether the IT network is monitored, but whether RF communications can be observed outside controlled areas, whether sensitive wireless traffic is encrypted, and whether compliance or risk evidence includes RF propagation and industrial wireless design reviews.

Technical view

SOC, IR, OT, and engineering teams should validate visibility around RF communications used by remote control and reporting systems. ATT&CK provides no official detection text for this technique, but relationship context identifies DET0743, Detection of Wireless Sniffing, and mitigations M0806 Minimize Wireless Signal Propagation and M0808 Encrypt Network Traffic. Because sniffing can be passive, endpoint or network logs from workstations and Field I/O may not show the capture event; detection often depends on RF monitoring, propagation assessment, and correlation with later suspicious wireless command activity.

Likely telemetry

  • RF spectrum survey or monitoring data around facilities and perimeters
  • Industrial wireless gateway/controller logs where available
  • Wireless protocol management records for environments using technologies such as WirelessHART, Zigbee, WIA-FA, or 700 MHz communications
  • Configuration evidence showing whether wireless links use strong encryption
  • Operational test records for sirens, sensors, actuators, Field I/O, or remote reporting systems

Detection direction

  • Confirm whether DET0743-style coverage exists in practice; ATT&CK does not provide detection implementation details for this object.
  • Prioritize passive-sniffing blind spots: the capture device may not be authenticated, addressed, or visible to normal IT/OT logging.
  • Tune investigations around anomalous RF observations, unexpected signal presence near facility boundaries, and suspicious activity following scheduled wireless system tests.
  • Account for false positives from authorized maintenance, RF surveys, public-safety communications, and nearby third-party wireless systems.
  • Correlate RF findings with asset context, especially Workstations and Field I/O that support configuration, diagnostics, sensing, or actuation.
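Passive capture emits nothing, so the correlation the bullets above describe is the realistic detection: a control-channel transmission that is not explained by a scheduled test or an authorized dispatch is the signal that a captured command may have been replayed. The block below is an added example of that logic, not a Glexia or MITRE detection, and not the DET0743 analytic, whose contents this page does not provide. The spectrum-monitor line format, the 700.50 MHz control frequency, the 60-second dispatch tolerance and the sample log lines are all constructed for illustration; a real deployment takes the channel plan from the RF survey and the schedule and dispatch records from the siren or gateway system. The authorized but unscheduled activation in the sample is there to show the false-positive handling the list asks for.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed parameters: the siren control channel and how tightly the monitor reports
# frequency. Real values come from the local RF survey and channel plan.
CONTROL_CHANNEL_MHZ = 700.50
CHANNEL_TOLERANCE_MHZ = 0.05
DISPATCH_MATCH = timedelta(seconds=60)   # an authorized command must sit this close to a burst
BURST_GAP = timedelta(seconds=120)       # observations closer than this are one burst


@dataclass
class Observation:
    ts: datetime
    sensor: str
    freq_mhz: float
    rssi_dbm: float


@dataclass
class Alert:
    first: datetime
    last: datetime
    sensors: set = field(default_factory=set)
    peak_rssi_dbm: float = -999.0


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_observations(lines):
    """Parse 'timestamp sensor freq_mhz rssi_dbm' lines (constructed monitor format)."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than fail the whole batch
        out.append(Observation(parse_ts(parts[0]), parts[1], float(parts[2]), float(parts[3])))
    return sorted(out, key=lambda o: o.ts)


def on_control_channel(obs: Observation) -> bool:
    return abs(obs.freq_mhz - CONTROL_CHANNEL_MHZ) <= CHANNEL_TOLERANCE_MHZ


def is_explained(ts: datetime, windows, dispatches) -> bool:
    """True if a transmission at ts falls in a scheduled test window or near an authorized dispatch."""
    if any(start <= ts <= end for start, end in windows):
        return True
    return any(abs(ts - d) <= DISPATCH_MATCH for d in dispatches)


def find_unexplained_bursts(observations, windows, dispatches):
    """Group unexplained control-channel transmissions into bursts; each burst is one alert."""
    alerts = []
    for obs in observations:
        if not on_control_channel(obs) or is_explained(obs.ts, windows, dispatches):
            continue
        if alerts and obs.ts - alerts[-1].last <= BURST_GAP:
            cur = alerts[-1]
            cur.last = obs.ts
        else:
            cur = Alert(first=obs.ts, last=obs.ts)
            alerts.append(cur)
        cur.sensors.add(obs.sensor)
        cur.peak_rssi_dbm = max(cur.peak_rssi_dbm, obs.rssi_dbm)
    return alerts


# Constructed sample data, not from any real deployment.
SAMPLE_LOG = """
2026-03-04T12:00:04Z perimeter-north 700.50 -41
2026-03-04T12:00:04Z perimeter-east  700.50 -58
2026-03-05T23:42:10Z perimeter-north 700.50 -67
2026-03-05T23:42:12Z perimeter-north 868.30 -90
2026-03-05T23:42:25Z perimeter-north 700.51 -66
2026-03-06T22:15:02Z perimeter-east  700.50 -40
""".strip().splitlines()

# A monthly scheduled test, plus dispatch records: one for the test, one authorized
# but unscheduled real activation two days later.
TEST_WINDOWS = [(parse_ts("2026-03-04T12:00:00Z"), parse_ts("2026-03-04T12:05:00Z"))]
DISPATCHES = [parse_ts("2026-03-04T12:00:05Z"), parse_ts("2026-03-06T22:15:00Z")]


def run_sample():
    return find_unexplained_bursts(parse_observations(SAMPLE_LOG), TEST_WINDOWS, DISPATCHES)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT: unexplained control-channel burst {a.first.isoformat()} .. {a.last.isoformat()} "
              f"seen by {sorted(a.sensors)}, peak {a.peak_rssi_dbm} dBm; check for replayed command")
```

On the sample, only the late-night burst on 2026-03-05 is raised: the in-window transmissions during the test and the authorized activation on 2026-03-06 are explained, and the off-channel 868 MHz hit is ignored. Which perimeter sensors saw the burst, and at what strength, is the asset context the next bullet asks for, and it is the first thing to hand to whoever walks the fence line.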

Mitigation priorities

  • First inventory wireless control and reporting paths and document where RF signals propagate beyond intended operational areas.
  • Apply M0806 by detecting, understanding, and reducing unnecessary wireless signal propagation, especially outside organizational boundaries.
  • Apply M0808 by using strong cryptographic techniques and protocols to reduce the value of captured wireless traffic.
  • Review industrial wireless deployment choices against protocol, frequency, antenna, facility-layout, and operational-test realities.
  • Include RF risk and encryption evidence in OT security assessments, incident response plans, and compliance documentation where wireless control systems are in scope.
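The M0808 bullet says cryptography should reduce the value of captured traffic. For the Dallas-style case this page describes, the property that matters is not secrecy of the command but that a recording of it cannot be re-used: an unauthenticated frame can be stored during a scheduled test and sent again at will, while a frame bound to a shared key and a fresh counter cannot. The following is an added example, not code from the ATT&CK entry, from any cited source, or from any real siren or industrial wireless protocol. The frame layout, the 16-byte truncated HMAC-SHA256 tag, the site identifier and the randomly generated key are constructed for illustration. One caveat worth stating plainly: an HMAC tag gives authenticity and, with the counter, freshness; it does not hide the command. Encryption alone does the opposite and does not stop replay. Where both are needed, an AEAD mode with the same counter discipline covers both.

```python
import hashlib
import hmac
import secrets
import struct

ACTIVATE, CANCEL = 0x01, 0x02
HEADER = struct.Struct(">HIB")   # site_id (2 bytes), counter (4 bytes), command (1 byte)
TAG_LEN = 16                     # truncated HMAC-SHA256 tag


def build_legacy_frame(site_id: int, command: int) -> bytes:
    """Unauthenticated command frame: anything that hears it can store and re-send it."""
    return HEADER.pack(site_id, 0, command)


def build_auth_frame(key: bytes, site_id: int, counter: int, command: int) -> bytes:
    """Command frame bound to a shared key and a strictly increasing counter."""
    header = HEADER.pack(site_id, counter, command)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class LegacyReceiver:
    """Accepts any well-formed frame; a replayed capture looks exactly like a fresh command."""

    def __init__(self):
        self.activations = 0

    def handle(self, frame: bytes) -> bool:
        if len(frame) < HEADER.size:
            return False
        _site, _counter, command = HEADER.unpack(frame[:HEADER.size])
        if command == ACTIVATE:
            self.activations += 1
            return True
        return False


class AuthenticatedReceiver:
    """Verifies the tag in constant time, then rejects any counter not above the last accepted one.

    The counter must be persisted across reboots on a real device; otherwise a stored capture
    becomes valid again after a power cycle.
    """

    def __init__(self, key: bytes, site_id: int, last_counter: int = 0):
        self.key = key
        self.site_id = site_id
        self.last_counter = last_counter
        self.activations = 0

    def handle(self, frame: bytes) -> str:
        if len(frame) != HEADER.size + TAG_LEN:
            return "reject:malformed"
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "reject:bad-tag"          # forged, corrupted, or wrong key
        site_id, counter, command = HEADER.unpack(header)
        if site_id != self.site_id:
            return "reject:wrong-site"
        if counter <= self.last_counter:
            return "reject:replay"           # the captured frame is stale
        self.last_counter = counter
        if command == ACTIVATE:
            self.activations += 1
            return "accept:activate"
        return "accept:other"


def simulate() -> dict:
    """Capture during a scheduled test, replay later; compare the two receiver designs."""
    key = secrets.token_bytes(32)   # constructed shared key; real deployments provision per-site keys
    site = 0x0042

    # Legacy design: the sniffer records the test activation and replays it out of hours.
    legacy = LegacyReceiver()
    captured = build_legacy_frame(site, ACTIVATE)
    legacy.handle(captured)                       # scheduled test
    legacy_replay_ok = legacy.handle(captured)    # replay

    # Authenticated design: same capture, same replay, plus a forgery without the key.
    auth = AuthenticatedReceiver(key, site)
    captured = build_auth_frame(key, site, counter=1, command=ACTIVATE)
    first = auth.handle(captured)
    replay = auth.handle(captured)
    forged = auth.handle(build_auth_frame(b"guess", site, 2, ACTIVATE))
    fresh = auth.handle(build_auth_frame(key, site, 2, CANCEL))
    return {"legacy_replay": legacy_replay_ok, "legacy_activations": legacy.activations,
            "auth_first": first, "auth_replay": replay, "auth_forged": forged,
            "auth_fresh": fresh, "auth_activations": auth.activations}


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:20s} {v}")
```

The legacy receiver activates twice from one captured frame; the authenticated receiver activates once, rejects the replay because its counter is not above the last accepted value, rejects the forgery because the tag does not verify, and still accepts a genuinely new command with a higher counter. The receiver checks the tag before it reads any field, so an attacker without the key cannot even probe the counter logic.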

Analyst notes and limits

This technique is especially relevant where cyber-physical operations depend on wireless command, telemetry, or reporting. The ATT&CK description highlights SDRs, handheld radios, and demodulator-equipped computers as possible capture tools, but defensive planning should focus on exposure, encryption, and monitoring rather than the attacker’s equipment.

The supplied ATT&CK object has no platforms, tactics, aliases, or official detection text. Relationship context confirms one detection strategy and two mitigations, but does not provide detailed analytic logic. Local engineering diagrams, RF surveys, protocol details, and encryption configurations are required to determine actual exposure and coverage.

Official MITRE ATT&CK definition

The same entry is available on attack.mitre.org (MITRE-hosted reference); in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 327840355307bd11...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 1.1            |          | Current bundle | 327840355307…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Candell, R., Hany, M., Lee, K. B., Liu, Y., Quimby, J., Remley, K. (2018, April). Guide to Industrial Wireless Systems Deployments. Retrieved 2020/12/01.
  [2] Bastille. (2017, April 17). Dallas Siren Attack. Retrieved 2020/11/06.
  [3] Gallagher, S. (2017, April 12). Pirate radio: Signal spoof set off Dallas emergency sirens, not network hack. Retrieved 2020/12/01.
  [4] MITRE ATT&CK. T0887: Wireless Sniffing.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.