Researchers have discovered that geosynchronous satellites—which deliver internet and phone data to areas beyond the reach of traditional cables—are transmitting sensitive information that can be intercepted with roughly $600 of equipment.
A team of six academics from the University of Maryland and the University of California reported in a paper on Monday that a “shockingly large amount of sensitive traffic” is being sent unencrypted across these satellite networks.
The exposed data includes cellular encryption keys, citizens’ SMS messages, and even communications for military systems and critical infrastructure.
The team uncovered this by installing a consumer-grade satellite dish on the roof of a university building in San Diego and monitoring 39 geosynchronous satellites.
“This data can be passively observed by anyone with a few hundred dollars of consumer-grade hardware,” the researchers said.
“There are thousands of geostationary satellite transponders globally, and data from a single transponder may be visible from an area as large as 40% of the surface of the earth.”
How to Shield Yourself from Prying Eyes
Since there’s no guarantee that satellite providers are encrypting data traffic, researchers advise users to take extra precautions. Using VPNs, which hide IP addresses and encrypt online activity, is one effective measure.
For messaging and voice calls, it’s best to rely on end-to-end encrypted apps like Signal or Telegram, which automatically safeguard user privacy. Satellite communication providers can also offer encryption as an optional layer of security.
“Encryption should be applied at every level as a defense-in-depth strategy. It should be treated as mandatory, not optional,” the researchers emphasized.
Some Providers Have Already Addressed the Issue
During the study, the researchers notified several major satellite providers about the vulnerability, and those companies reported taking steps to fix it.
“There is no single stakeholder responsible for encrypting GEO satellite communications,” the researchers noted.
“Each time we discovered sensitive information in our data, we went through considerable effort to determine the responsible party, establish contact, and disclose the vulnerability.”
After re-examining the networks of T-Mobile, Walmart, and KPU, the researchers confirmed that a fix had been implemented. However, they cautioned that details about other affected systems are being withheld, as disclosures are still in progress.
Encryption Often Comes with High Costs
One major reason much satellite data isn’t encrypted is the overhead involved. According to the researchers, some remote, off-grid receivers simply cannot afford the necessary hardware and licensing fees.
Encryption can also complicate network troubleshooting and potentially reduce the reliability of emergency services. In some cases, providers are simply unaware of the risks or underestimate how easily the data can be intercepted.
“While there has been significant academic and activist focus on ensuring near-universal encryption for modern web browsers, satellite network communications have received far less attention,” the researchers noted.
The study specifically examined geosynchronous equatorial orbit (GEO) satellite systems, which remain fixed over a point on Earth. Low-Earth orbit systems, like Elon Musk’s Starlink, were not included due to the more complex hardware required to monitor them.
“Our understanding is those links are encrypted, but we have not independently verified this.”
