Geostationary satellites, which transmit internet and phone data to places where regular cables can’t reach, are broadcasting sensitive data that can be intercepted by anyone with about $600 worth of equipment, researchers have found.
A team of six academics from the University of Maryland and the University of California said in a paper published Monday that “a shockingly large amount of sensitive traffic” is being broadcast unencrypted and in plain text over satellite networks.
This includes encryption keys for mobile communications, SMS for citizens, and even traffic for military systems and critical infrastructure.
The researchers said they discovered all this by observing 39 geostationary satellites using a civilian satellite dish installed on the roof of a university building in San Diego.
“This data can be passively observed by anyone with a few hundred dollars of consumer hardware,” the researchers said.
“There are thousands of geostationary satellite transponders around the world, and data from a single transponder can be visible from an area as large as 40% of the Earth’s surface.”
How to protect yourself from prying eyes
Since there’s no way to know if your provider is encrypting your data traffic, researchers recommend users take precautions by using services like VPNs that hide your IP address and encrypt your data.
Messaging and voice communications must be done through end-to-end encrypted apps like Signal and Telegram that automatically protect user privacy, but satellite communication providers can also offer encryption as an add-on feature of their services.
“Encryption should be used at all layers as a layered defense against individual failures; treat encryption as a requirement rather than an add-on,” the researchers said.
Some providers have already solved the problem
During the investigation, the researchers notified several major providers of the issue and claimed they had taken steps to address it.
“There is no single stakeholder responsible for encrypting GEO satellite communications,” they said.
“Each time we found sensitive information in our data, we went to great lengths to identify those responsible, establish contact, and disclose vulnerabilities.”
Researchers said they rescanned networks used by T-Mobile, Walmart and KPU and confirmed that the patch had been deployed, but cautioned that they would withhold information about other affected systems because disclosure is still in progress.
Encryption is often too expensive
Researchers say the main reason data traffic isn’t encrypted is because of the overhead costs associated with it, and some remote off-grid receivers can’t afford the hardware or license fees.
At the same time, encryption can make it difficult to troubleshoot network issues and reduce the reliability of emergency services. Some simply don’t realize the risks or underestimate the risks and the ease of data interception.
Related: Telegram’s Durov: “Time is running out to save free internet”
“While there has been significant academic and activist interest in ensuring near-universal use of encryption in modern web browsers, satellite network communications have received far less attention and visibility,” the researchers said.
This study focused on geostationary equatorial orbit (GEO) satellite systems that remain at a fixed location. Low Earth orbit systems, such as Elon Musk’s Starlink, were not investigated because they require more complex receiving hardware.
“While we understand that these links are encrypted, we have not independently verified this.”
magazine: Worldcoin’s less “dystopian” and more cypherpunk rival: Billions Network