Geostationary satellites are broadcasting large volumes of unencrypted data to Earth, including private voice calls and text messages as well as consumer internet traffic, researchers have discovered.
Scientists at the University of California, San Diego, and the University of Maryland, College Park, say they were able to pick up large amounts of sensitive traffic largely by just pointing a commercial off-the-shelf satellite dish at the sky from the roof of a university building in San Diego.
In its paper, Don't Look Up: There Are Sensitive Internal Links in the Clear on GEO Satellites [PDF], the team describes how it performed a broad scan of IP traffic on 39 GEO satellites across 25 distinct longitudes and found that half of the signals they picked up contained cleartext IP traffic.
This included unencrypted cellular backhaul data sent from the core networks of several US operators, destined for cell towers in remote areas. Also found was unprotected internet traffic heading for in-flight Wi-Fi users aboard airliners, and unencrypted call audio from multiple VoIP providers.
According to the researchers, they were able to identify some observed satellite data as corresponding to T-Mobile cellular backhaul traffic. This included text and voice call contents, user internet traffic, and cellular network signaling protocols, all "in the clear," but T-Mobile quickly enabled encryption after learning about the problem.
More seriously, the team was able to observe unencrypted traffic for military systems including detailed tracking data for coastal vessel surveillance and operational data of a police force.
In addition, they found retail, financial, and banking companies all using unencrypted satellite communications to link their internal networks at various sites. The researchers were able to see unencrypted login credentials, corporate emails, inventory records, and information from ATM cash dispensers.
Reg readers will no doubt find this kind of negligence staggering after years of security breaches and warnings about locking down sensitive data. As the researchers note in their report: "There is a clear mismatch between how satellite customers expect data to be secured and how it is secured in practice; the severity of the vulnerabilities we discovered has certainly revised our own threat models for communications."
The team noted that the sheer level of unencrypted traffic observed results from a failure to encrypt at multiple levels of the communications protocol stack.
At the satellite link/transport layer, streams using MPEG encoding have the option to use MPEG scrambling. While TV transponders mostly do this, only 10 percent of the non-TV transponders did. Only 20 percent of transponders had encryption enabled for downlinks, and just 6 percent consistently used IPsec at the network layer.
The report notes that organizations with visibility into these networks have been raising alarms for some time. It cites a 2022 NSA security advisory about GEO satellite links that warns: "Most of these links are unencrypted, relying on frequency separation or predictable frequency hopping rather than encryption to separate communications."
The team states that it obtained clearance from legal counsel at their respective institutions for this research, and that it securely stored any unencrypted data collected from transmissions. It also claims that it made efforts to contact the relevant parties wherever possible to inform them of the security shortcomings.
T-Mobile has been in touch with a statement since the publication of the story:
"T-Mobile immediately addressed a vendor's technical misconfiguration that affected a limited number of cell sites using geosynchronous satellite backhaul in remote, low-population areas, as identified in this research from 2024. This was not network-wide, is unrelated to our T-Satellite direct-to-cell offering, and we implemented nationwide Session Initiation Protocol (SIP) encryption for all customers to further protect signaling traffic as it travels between mobile handsets and the network core, including call set up, numbers dialed and text message content.
"We appreciate our collaboration with the security research community, whose work helps reinforce our ongoing commitment to protecting customer data and enhances security across the industry."
Eavesdropping on Internal Networks via Unencrypted Satellites
https://satcom.sysnet.ucsd.edu/
https://archive.ph/kpA93
We pointed a commercial-off-the-shelf satellite dish at the sky and carried out the most comprehensive public study to date of geostationary satellite communication. A shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens' voice calls and SMS, and consumer Internet traffic from in-flight wifi and mobile networks. This data can be passively observed by anyone with a few hundred dollars of consumer-grade hardware. There are thousands of geostationary satellite transponders globally, and data from a single transponder may be visible from an area as large as 40% of the surface of the earth.
A Surprising Amount of Satellite Traffic Is Unencrypted - Schneier on Security:
(Score: 3, Touché) by ikanreed on Wednesday October 22, @06:35PM (1 child)
Who's using http instead of https?
(Score: 2) by chucky on Wednesday October 22, @09:55PM
Those who BELIEVE they’re sending encrypted data thru unsecured channel, so it doesn’t matter. (Those who KNOW they’re sending encrypted data thru an unsecured channel are usually okay with it.)
(Score: 4, Informative) by Mojibake Tengu on Wednesday October 22, @07:31PM (4 children)
Classic (and old) sattelites are just transponders. They have no computational capacity, nor energy resource for mass encryption. No storage either.
They work like mirrors, shifting frequencies physically at most.
Blame the data haulers, it's them who should encrypt their own traffic properly.
Rust programming language offends both my Intelligence and my Spirit.
(Score: 1, Informative) by Anonymous Coward on Wednesday October 22, @08:17PM
I believe the term is "bent pipe." You send data from the ground in one end of the pipe and it goes around the bend in the pipe and back down to the ground.
(Score: 4, Interesting) by JoeMerchant on Wednesday October 22, @10:04PM (2 children)
In the (late) 1990s I had a HAM receiver that could listen all across the band (yes, it had the silly resistor removal mod done on it...) and there were plenty of people driving around with analog cell phones at the time, some conversations you could only hear one side, some you could hear both sides, I seriously doubt anyone using those phones knew that for less than they paid for a month or two of service you could buy a radio that could eavesdrop on their conversations...
🌻🌻🌻 [google.com]
(Score: 4, Interesting) by Unixnut on Thursday October 23, @03:12PM (1 child)
Aaah yes, I remember the first time I discovered that with those home cordless phones (which started being a thing in the mid 80's), in the olden days before "DECT [wikipedia.org]" cordless phones came on the market. You didn't even need specifically fancy ham radio equipment. I think I managed it with a FM radio receiver electronics kit I had built, and originally because I made a mistake causing it to tune into frequencies outside of the allotted 88-108MHz FM band it was supposed to use. As a young kid it was one big surprise when I realised I was hearing the neighbours conversations.
And yes, nobody ever imagined it was easy to listen in to these conversations. Its harder now, but not by much I would expect. Its more something you have to actively try to do, rather than happen upon it by accident.
As for the satellites, it makes sense for them to be dumb relays. Its expensive to haul stuff into space, and power budgets are tight. Complexity increases chances of failure and getting a repair team out into orbit is effectively impossible. Also software and encryption standards move forward with time, and old ones become compromised.
You don't want your expensive sats to be rendered worthless because the encryption is out of date, or to have a complex section fail. So it makes sense to just make the sats simple dumb relays, and have all the complexity on Earth. That way you can upgrade things like the encryption used just by updating ground systems, while using the sat as before. As such if you send unencrypted data to the sat, its not the sats fault everyone else can listen in.
(Score: 3, Interesting) by VLM on Thursday October 23, @06:41PM
Its an analog world and satellite BW is sold as a rental of a slice of frequencies for an amount of power output by the sat. They don't care what you do as long as you don't cause interference to other paying customers or get into legal issues. Wider bw and more power costs more $$$.
You can interfere with other users of the transponder if you mess up your transmitter or transmit too much power. They can track you and have an excellent idea of who you probably are and everyone will be VERY mad if you mess up. Yes it sounds like anarchy, its kind of like how "Burning Man" festival worked pretty well when the only people there had IQs over 130 or so, but anarchy as a governmental model doesn't work so well with other less capable demographics. Satellite people are a small world. I've worked at three companies, I guess, with uplink transmitters. Crazy stuff. If you're in telco / EE stuff long enough you'll get involved in some interesting stuff. Most of that was half a lifetime ago but nothing changes fast because its limited to satellite launch rate of change at most.
So during alignment of your transmitter you probably squirt out an unmodulated carrier to peak up your exact aiming, make sure all connectors are tight and not lossy etc. Obviously not encrypted because its not even a modulated signal you just look at a spike on a spectrum analyzer. I wonder if some of the clickbait about this is relying on receiving test transmissions as breathtaking "hacking" LOL.
As for cost you're looking at six figures for something like renting an analog voice channel for a year last time I checked. On one hand this is very expensive for chatting unless you're military. On the other hand if you're broadcasting a radio show to 1000 stations in a network, then six figures is suddenly very cheap compared to purchasing 1000 leased lines from the telco (before the internet and streaming and VPNs) and renting station hours.
Consider that purchasing an hour on a AM radio transmitter for a radio program costs "about a hundred bucks". Like if you want to broadcast your church service on the AM radio, or start your own "verbally shitpost on the AM weekly radio program show", they're not doing that for free it'll be about $100. So a 1000 station radio network program is dropping about a hundred grand per night to broadcast, making a hundred grand per year for the satellite, pocket change in the grand scheme of things.
A shortwave broadcaster will transmit a voice for "meh $60/hr". About a buck a minute when all is said and done. Yes you'll see all these ads for WBCQ special rate only $25 but in practice its like $60 normally at most stations overall long term. If you ever wondered why the shortwave band is entirely full of streamers begging for donations, they only need to pull in $1/min to keep going... Not exactly onlyfans rates of pay LOL. If you want to make a small fortune, one way is to start with a large fortune then enter the broadcast radio industry LOL.
Trust me the satellite operator and probably 15 branches of three letter acronyms are recording every Hz of their transponder spectrum. Its not hard and its kind of their job. Famously the guy who pirated over HBO back in the 80s never got caught but that would NEVER happen today. HDD and SDD storage is too cheap along with computer power to triangulate or whatever crazy ass phased array antenna stuff they have on the satellite just to detect this stuff. The people who are "pirating" are not resulting in complaints but if there were a complaint it would be very easy to track down. Like people who laze a police or military helicopter and seem surprised when it hovers over them until the party vans arrive LOL. I would not advise pirating over a commercial satellite in 2025 LOL.
(Score: 3, Interesting) by VLM on Thursday October 23, @06:13PM (1 child)
How has no one posted a link to
https://uhf-satcom.com/satellite-reception/l-band [uhf-satcom.com]
I bought piles of junk at hamfests on various visits and now I have a decent L-band groundstation that works with unfortunately proprietary decoders for SafetyNet. That's NOT supposed to be encrypted its an infinite stream of maritime safety and weather bulletins intended for public reception. Stuff that used to be on HF a long time ago but now is a geosync sat. I don't think it should count as a "kool guy hacker" for me to receive something thats literally being broadcast intentionally for free to the general public, at least if you're a boater (more like yachter at those dedicated hardware prices LOL)
I have a patch antenna that unlike GPS antenna (around the same freqs) this is higher gain around the size of a dinner plate. Aiming is not overly difficult for Inmarsat. You'll need more than leaning against a pile of books and less than a real satellite mount. Like a pile of books and some blue painters tape to stabilize it. I bought that antenna for like $15 at a hamfest from a guy and it would cost like $30 online. Patch antennas are not exactly rocket surgery and I could have made one out of PCB material for less, probably. If you imagine a yagi / beam antenna, what if the elements were square plates? Yeah, thats a patch antenna. It aint rocket surgery as I mentioned although you probably need "millimeter" class metalworking skills. Which is not as hard as you'd think.
That feeds into a low noise L band preamp that I bought online from nooelec and it was like "twenty or thirty bucks" at the time. I'm sure its more now. If you're into SDR stuff you probably already know a guy/place/store already if you don't know nooelec. Their stuff is alright even to me, a guy who likes complaining.
You will get an interesting education in strange connectors unless you're using all pure hobbyist SMA gear which I was not LOL. I do ham radio stuff and had cables and adapters laying around. I also had the stereotypical SDR stick receiver you want one that goes up to 2 GHz or so. Slightly better than average but not by much. If you don't have one I imagine they can't cost more than $50 even now? I also had an old Pi laying around to run "openwebrx" on it and that works fine. So point your web browser to the pi running openwebrx on port 8073 or some nonsense and you have a SDR. Eventually you will be pointing the antenna and tuning in the satellite. I got good decodes indoors even shooting thru a wood roof with snow on it in the winter you'll get better results out a window or outside. Now you need to decode the digital broadcast after tuning in SafetyNet. IIRC you need a "virtual audio cable" on a PC and feed that into the very non-free decoder software and out comes a stream of maritime bulletins. Pretty interesting stuff.
With my junk box I was in for about fifty bucks. Someone starting from nothing, zero junk box, would be in about a hundred if they already have a laptop from the last ten years (the computational requirements are not zero but not much either) and a raspi. You could probably plug your laptop into the stick and use different SDR software.
I would imagine decoding the secret stuff would be harder. Other satellites would be similar although the required antenna might vary from "not much" to "pretty huge" if you want to do C band (1980s satellite TV before direct broadcast). Higher freqs than a SDR stick can handle would require a LNB I guess or a much fancier SDR.
My casual tuning around on L-band geosats would indicate there is not a heck of a lot of unencrypted traffic. Like trying to find an unsecured wifi. I'm sure it happens but must be more patient than the average fisherman.
If you complain about there not being anything unencrypted on the L-band geosats you'll hear a long circle jerk of everyone knows all the unencrypted stuff is actually on Ku band or coincidentally anywhere other than you happened to be looking, and everyone knows that everyone else reports that half the stuff is unencrypted although no one actually has a distinct detailed report its just something everyone knows kinda like we all know that bigfoot exists but nobody's personally seen him although we all know that guy who says he knows a guy who claims to have seen him once but there's no evidence. And ALL the clickbait journalist sites online have this same identical story at the same time. Yeah. Its one of those stories.
Honestly I think its a mix of clickbait and trying to sell hardware. Maybe trying to honeypot people out of the woodwork who've written "interesting" possibly semi-illegal decoders for gnuradio or similar.
I am not entirely clear why the only decoder I found for safetynet was one very expensive non-FOSS product. You'd think someone would have written a GNUradio flow for free back in the 2000s. Probably not many users.
Maritime satellite safety bulletins are interesting but not THAT interesting. Maybe I should have tried this during hurricane season. I am almost motivated to drag this junk out of my junkbox this weekend.
(Score: 0) by Anonymous Coward on Saturday October 25, @08:46AM
CSP [wikipedia.org]
CCSDS [ccsds.org]
PUS [pusopen.com]