Back to news

Half of Scanned GEO Satellite Links Were Unencrypted, Study Finds

Share:
Half of Scanned GEO Satellite Links Were Unencrypted, Study Finds

A team of researchers pointed a consumer satellite dish at the sky over San Diego and found that about half the geostationary satellite links they could see were carrying data with no encryption at all. The equipment cost roughly $750. Over three years the group, from the University of California, San Diego and the University of Maryland, scanned 411 transponders across 39 geostationary satellites and pulled cleartext calls, text messages, military asset tracking, and utility control traffic out of the air. Their paper, “Don’t Look Up: There Are Sensitive Internal Links in the Clear on GEO Satellites,” was presented at the ACM Conference on Computer and Communications Security in Taipei in October 2025.

What a $750 dish pulled out of the sky

The rig was deliberately ordinary: a fixed dish, a motorized actuator to steer it, and an off-the-shelf TV tuner card. From that single rooftop the team received IP traffic from roughly 14 percent of the world’s Ku-band satellite transponders, helped by the fact that one geostationary transponder can blanket as much as 40 percent of the Earth’s surface. Earlier academic work had examined only a handful of satellites and specific use cases; this was the first broad scan of its kind, covering 411 transponders across 25 orbital longitudes. Poor signal quality had defeated similar efforts before, so the group built its own parser to reconstruct network packets from the tangle of proprietary protocols the different satellite vendors were using.

The data that was in the clear

Half of the IP links the team examined carried cleartext, and the traffic was not obscure machine telemetry. Cellular backhaul from T-Mobile and AT&T Mexico moved across these satellites in the open, exposing call audio, SMS contents, subscriber identifiers, and even the keys used to encrypt traffic elsewhere in the network; in one nine-hour capture the researchers logged roughly 2,700 T-Mobile phone numbers along with fragments of calls and texts. Several VoIP providers sent call setup and audio without encryption. Passenger internet from in-flight Wi-Fi was visible, as were internal corporate systems such as Walmart México inventory logins, corporate email, and banking traffic tied to institutions including Banorte and Grupo Santander. On the government side, the researchers documented unencrypted US military ship communications and real-time geolocation and telemetry for Mexican military assets, plus law enforcement records. Utilities were among the most exposed, with SCADA links and repair work orders for power grids and pipelines carried alongside customer names, addresses, and account numbers.

Why the links were open

None of this required defeating encryption, because there was none to defeat; the team only listened to signals already broadcast across a continent. The causes were mundane. Link-layer encryption has been standard in satellite television for decades, yet the IP backhaul links these organizations ran over the same satellites often had no protection at either the link or the network layer. Encryption eats into tight satellite bandwidth, decryption hardware can exceed the power budget of remote off-grid terminals, and some vendors charge extra to switch it on. Beneath the cost math sat a simpler assumption, that a link 36,000 kilometers overhead was effectively private. The study’s lead author, Aaron Schulman, told KPBS the operators “just really didn’t think anyone would look up.” There was also no single party responsible for closing the gap: each time the team found sensitive data, it had to work out who owned the link and persuade them to act.

A threat model that no longer needs a state

The finding overturns a working assumption in satellite security, that surveying traffic at this scale demanded state-grade equipment and budgets. A fixed dish and a TV tuner did it instead. The reach is easy to underestimate. This was one stationary antenna in one city, receiving about 14 percent of the world’s Ku-band transponders; a dish elsewhere sees a different slice, and each geostationary transponder’s footprint can span close to 40 percent of the planet. The team also confined itself to geostationary satellites and did not examine low-Earth-orbit systems such as Starlink, which use different, harder-to-receive hardware, so the survey reads as a floor rather than a ceiling on what sits in the clear.

What operators should take from it

The response was uneven. The team disclosed to the US military in December 2024, to Walmart México in January 2025, to AT&T in February, and to Mexican authorities through CERT-MX that April. Some organizations, T-Mobile among them, moved quickly to add encryption; others, including certain US critical infrastructure operators, had still not closed the gap when the paper went public. The narrow remedy is old: treat a satellite link as untrusted transport and encrypt it at the network layer, which is what the NSA’s 2022 guidance for VSAT networks already recommends. The harder problem is that the exposure has existed for years, sitting in plain view of anyone who bothered to point a dish at the right arc of sky, and the price of admission has fallen to a few hundred dollars.

News first reported by WIRED and the research team at UC San Diego and the University of Maryland.