Roughly half of geostationary satellite signals carrying sensitive consumer, corporate and government communications remain unencrypted and vulnerable to eavesdropping, according to research from the University of California San Diego and University of Maryland that intercepted data from 39 satellites using equipment costing less than $800.
The three-year study captured samples of T-Mobile cellular calls and text messages, airline passenger in-flight WiFi data, US and Mexican military communications revealing personnel locations, and critical infrastructure system communications including electric utilities and offshore oil platforms, reports Wired.
“It just completely shocked us. There are some really critical pieces of our infrastructure relying on this satellite ecosystem, and our suspicion was that it would all be encrypted,” said Aaron Schulman, UCSD professor who co-led the research. “And just time and time again, every time we found something new, it wasn’t.”
The researchers presented their paper titled “Don’t Look Up” at an Association for Computing Machinery conference in Taiwan this week. The team assembled their satellite receiver system using a $185 satellite dish, $140 roof mount with $195 motor, and $230 tuner card, totalling less than $800 in off-the-shelf components.
From a single vantage point on a university building roof in La Jolla, California, the system captured communications from satellites positioned between 61 degrees west and 129 degrees west longitude, representing approximately 15 per cent of global geostationary satellite transponder communications. The researchers identified 411 independent Ku-band transponders across 25 distinct longitudes.
Among the most significant exposures, the team obtained samples from T-Mobile’s cellular network backhaul connecting remote cell towers to core infrastructure. From just nine hours of recording, researchers collected phone numbers of more than 2,700 users along with all calls and text messages those users received during that period.
“When we saw all this, my first question was, did we just commit a felony? Did we just wiretap?” said Dave Levin, University of Maryland computer science professor who co-led the study. The team determined they had not actively intercepted communications but only passively listened to signals being broadcast to over 40 per cent of Earth’s surface at any given time.
T-Mobile responded by encrypting its satellite transmissions within weeks of notification in December 2024. “Last year, this research helped surface a vendor’s encryption issue found in a limited number of satellite backhaul transmissions from a very small number of cell sites, which was quickly fixed,” a T-Mobile spokesperson stated. The company later added Session Initiation Protocol encryption for all customers across the US.
The research revealed that unencrypted communications from Mexican telecom TelMex included voice calls, whilst AT&T Mexico transmitted raw data containing users’ internet traffic and calling metadata. AT&T Mexico also exposed decryption keys that researchers believe could have been used to decipher other sensitive network information.
Mexican military and law enforcement communications proved particularly exposed. Researchers found unencrypted transmissions with remote command centres, surveillance facilities and military units, including sensitive intelligence on narcotics trafficking activities. The data included military asset tracking and maintenance records for aircraft including Mil Mi-17 and UH-60 Black Hawk helicopters, sea vessels and armoured vehicles, along with their locations and mission details.
“When we started seeing military helicopters, it wasn’t necessarily the sheer volume of data, but the extreme sensitivity of that data that concerned us,” Schulman stated.
US military communications showed both unencrypted traffic including DNS, ICMP, SIP and SNMP protocols, and encrypted IPsec and TLS traffic from sea vessels. Researchers identified vessel names from addresses in plaintext SIP packets and determined the ships were formerly privately owned vessels now owned by the US military.
Critical infrastructure operators showed significant vulnerabilities. Mexico’s Comisión Federal de Electricidad, the state-owned electric utility serving nearly 50 million customers, transmitted internal communications in plaintext including work orders containing customer names and addresses, equipment failure reports and safety hazard communications.
Corporate exposures included extensive unencrypted internal traffic from Walmart Mexico’s inventory management systems. Researchers observed plaintext credentials via telnet, inventory records transferred via unencrypted FTP including UPC and SKU numbers, and unencrypted internal corporate emails.
Financial institutions Grupo Santander Mexico, Banjército and Banorte showed varying levels of exposure. Santander confirmed the traffic came from a small group of ATMs in remote areas where satellite connections were the only available option, though the company stated no customer information or transactions were compromised.
In-flight WiFi systems from at least 10 airlines using Intelsat and Panasonic infrastructure showed unencrypted metadata about passenger browsing activities and unencrypted audio from news programmes and sports games broadcast to passengers. Researchers also discovered fragments of RSA private keys in the data, which they successfully recovered using advanced cryptanalytic techniques.
The researchers spent nearly a year warning affected companies and agencies whose data they found exposed. Most responded quickly to encrypt communications, though some US critical infrastructure owners alerted more recently have yet to add encryption.
The study required overcoming significant technical challenges. The team developed new methods for aligning consumer-grade satellite equipment and built a general parser capable of decoding seven different proprietary protocol stacks used across the satellite ecosystem. Their work identified and characterised unencrypted traffic that prior academic tools could not parse.
“The fact that this much data is going over satellites that anyone can pick up with an antenna is just incredible,” said Matt Green, Johns Hopkins University computer science professor who reviewed the study. “This paper will fix a very small part of the problem, but I think a lot of it is not going to change.”
Green added he would be shocked if intelligence agencies of any size are not already exploiting the same vulnerabilities. The US National Security Agency warned about lack of encryption for satellite communications in a 2022 security advisory, though the agency did not respond to requests for comment.
The researchers are releasing their open-source software tool for interpreting satellite data on GitHub, arguing it will push more organisations to encrypt their communications despite potentially enabling malicious actors. “As long as we’re on the side of finding things that are insecure and securing them, we feel very good about it,” Schulman stated.
Multiple factors contribute to the persistent lack of encryption, according to the researchers. These include economic disincentives such as additional licence fees for enabling terminal encryption, efficiency concerns with 20 to 30 per cent capacity losses, reliability requirements for emergency services, usability challenges including systems failing open when encryption is misconfigured, and legacy export controls on cryptography.
The Satellite Industry Association stated it remains diligent in monitoring the threat landscape and continues participating in security efforts with government agencies, industry working groups and international standards bodies, though it declined to comment on specific company issues.