‘Shockingly large’ amount of sensitive satellite communications are unencrypted and vulnerable to interception, researchers find

Cybersecurity researchers have intercepted vast quantities of private voice calls and text messages, including potentially sensitive communications of government and military officials, transmitted over completely unprotected satellite communication links.

When the researchers decided to put satellite communications under scrutiny, they thought they would find some flaws. What they discovered was much worse than their wildest dreams. Using a commercial off-the-shelf satellite dish mounted on the roof of a university campus in San Diego, they scanned internet traffic routed via 39 geostationary satellites visible from southern California.

They soon realized that sensitive messages including those involving critical infrastructure and internal corporate and government communications were broadcast via those satellites completely unprotected. The experiment could be easily replicated by hackers using commercially available equipment, the researchers warn, saying the results were “as bad as one could hope.”

“A shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens’ voice calls and SMS, and consumer Internet traffic from in-flight wifi and mobile networks,” the researchers wrote in a statement. “This data can be passively observed by anyone with a few hundred dollars of consumer-grade hardware.”

It turns out that many of these satellites are using outdated equipment, the researchers say. “Geostationary satellites are a somewhat older technology so our expectation was that they will be using some older, outdated cryptography,” Dave Levin, an associate professor in computer science at the University of Maryland who led the research, told Space.com. “So, we thought we would try to listen and then see whether we could break this cryptography. It turned out we didn’t have to because the cryptography wasn’t used at all in large part.”

Geostationary satellites orbit Earth at a distance of 22,000 miles (36,000 kilometers). At this distance, the orbital velocity of a satellite matches the speed of Earth’s rotation. As a result, the satellite appears suspended above a fixed spot on the equator, having a stable view of a large portion of the globe.

Before the advent of low-Earth-orbit internet-beaming megaconstellations such as SpaceX’s Starlink, geostationary satellites were the dominant solution for satellite communications. They are still widely used today, including for military purposes. The satellites scrutinized in the new study make up only about 15 percent of the world’s entire geostationary fleet, Wenyi “Morty” Zhang, a PhD researcher at the University of California, San Diego, and co-author of the study, told Space.com. He thinks the scope of the problem is likely much worse.

Levin said that what the team found was “as bad as one could hope.” The researchers could listen to private phone calls, read text messages, but also see sensitive traffic transmitted by companies and government and military organizations. Data of passengers using in-flight WIFI provided onboard of commercial airliners were also easily visible.

“There were way more things in the clear than we had anticipated,” Levin added. “Moreover, there were also more sensitive things than we had anticipated.”

Zhang said the transmissions included messages sent by Mexican military and the police, and even some communications by the U.S. Government.

“It was quite shocking to us,” said Zhang, who built the eavesdropping antenna and led the technical side of the project. The entire set-up, he said, cost a few hundred dollars and consisted of commercially available equipment.

The complete absence of encryption of the satellite links was only one part of the problem, added Levin. Hundreds of companies, frequently unaware of the workings of satellite communications systems, were sending their data via those satellites without end-to-end encryption, which is a standard in today’s secure internet communication.

Data being transmitted by hundreds of companies including mobile telephone operator T-Mobile were thus in plain sight of the researchers. The team has not yet disclosed the names of all the affected companies. They are bound by responsible disclosure rules that require them to give the affected parties time to fix the problems before making their issues public, but they stated that millions of users have been made vulnerable through the complete lack of encryption.

The researchers spent mere days investigating each of the satellites. Still, the amount of intercepted communications was mind-boggling. A dedicated attacker could easily harvest even more data. And in addition to gathering sensitive information, attackers could find many ways to actively exploit those vulnerabilities.

“Just from being able to see people’s text messages, you might be able to get their two-factor authentication codes and then log into systems as them,” said Levin. “But an adversary could step up to another level and begin interjecting their own messages. They could, for example, try to interfere with critical infrastructure.”

Levin added that although the affected companies first didn’t want to believe they had a problem of such a scope at their hands, they all responded “positively” and in many cases were not even aware how much of their data was transmitted via satellites.

The research was presented in the Proceedings of the 32nd ACM Conference and is available online.