Two computer scientists at UC San Diego pointed an $800 satellite dish at the sky and started listening. What they heard should worry anyone who’s made a phone call from a remote area or checked email on a plane.
Text messages. Voice calls. Military communications. Corporate emails. All floating down from space with no encryption. Anyone with the right equipment can grab them.
Aaron Schulman and Nadia Heninger ran the research. For seven months, their team listened to geosynchronous satellites, the ones that stay fixed above the equator and beam signals across entire continents.
They captured data from 39 satellites. That’s about 15 percent of the GEO satellites visible from California. What they found was startling: nearly half the communications had zero encryption.
This isn’t exactly news to satellite hobbyists. They’ve known for years that you can intercept this stuff. Online communities even publish databases with satellite coordinates and frequencies. But the amount of sensitive data flowing unprotected? That’s the real shock.
The researchers found T-Mobile cellular traffic in plain text—actual phone calls and texts you could read and hear. Unencrypted internal emails from Walmart Mexico. Personnel records from Mexican law enforcement. Repair schedules for military vessels. Browsing history from airline passengers using in-flight Wi-Fi.
Some organizations fixed things fast once they found out. T-Mobile turned on encryption after the researchers contacted them. So did Walmart and a few others. But the basic problem remains. Many organizations assume satellite traffic is somehow protected just because it goes through space instead of cables.
The problem has multiple causes. Satellite TV has used encryption for decades—to stop piracy, naturally. But only about 10 percent of the non-TV satellite channels the researchers scanned had encryption turned on. For IP traffic, only 6 percent used IPsec encryption. The pattern was clear: if there’s no money in it, most organizations don’t bother encrypting.
Money reinforces bad habits here. Turning on encryption sometimes costs extra—satellite equipment vendors charge to activate the crypto features. There’s also a bandwidth hit. Panasonic, which runs in-flight entertainment systems, told the researchers that encryption could mean losing 20 to 30 percent of their capacity. For emergency services or groups focused on reliability, that might seem like a fair trade-off. But that math changes when you realize anyone can listen in with cheap equipment.
The technical work here was impressive. Earlier researchers had trouble with signal quality and could only decode a few types of protocols. Schulman’s team built new techniques that let them reliably capture data from hundreds of channels using one motorized dish. They also created the first general-purpose parser that could handle the different, often proprietary protocols that various vendors use. Without this broader view, nobody knew how bad things really were.
The most troubling part? Many of these security holes came from simple mistakes. Organizations thought they’d turned on encryption but hadn’t. Or a software update quietly disabled it. The network kept working fine. No alarms. No warnings.
The team saw especially bad problems with Mexican telecom and government systems—probably because many satellites visible from California serve Mexico. Two Mexican phone companies, TelMex and WiBo, were broadcasting calls in the clear. Multiple government agencies were sending sensitive data unprotected. Similar problems likely exist elsewhere. There’s no reason to think this is just a Mexico issue.
Here’s the disconnect: everyone worries about government surveillance of internet traffic through fiber optic taps. There’s been a huge push to encrypt web traffic. Yet that carefully encrypted data often gets broadcast unprotected across a satellite footprint the size of a continent. Our security thinking hasn’t caught up with the technology.
The team has put their scanning software on GitHub. They plan to expand to other satellite bands and locations across North America. Makes you wonder how many more secrets are floating through the sky, waiting for someone to look up and listen.
ScienceBlog.com has no paywalls, no sponsored content, and no agenda beyond getting the science right. Every story here is written to inform, not to impress an advertiser or push a point of view.
Good science journalism takes time — reading the papers, checking the claims, finding researchers who can put findings in context. We do that work because we think it matters.
If you find this site useful, consider supporting it with a donation. Even a few dollars a month helps keep the coverage independent and free for everyone.