Geosynchronous satellites, which send internet and phone data to places where regular cables can’t reach, are broadcasting sensitive data that anyone with about $600 worth of equipment can intercept, a team of researchers has found.
A team of six academics from the University of Maryland and the University of California stated in a paper published on Monday that a “shockingly large amount of sensitive traffic” is being broadcast unencrypted across the satellite network in plaintext.
This includes cellular communication encryption keys, citizens’ SMS and even traffic for military systems and critical infrastructure.
The researchers said they found all this by setting up a consumer-grade satellite dish on the roof of a university building in San Diego and observing 39 geosynchronous satellites.
“This data can be passively observed by anyone with a few hundred dollars of consumer-grade hardware,” the researchers said.
“There are thousands of geostationary satellite transponders globally, and data from a single transponder may be visible from an area as large as 40% of the surface of the earth.”
How to protect yourself from prying eyes
Because there is no way to know if providers are encrypting data traffic, the researchers recommend that users take precautions by using services like VPNs, which hide IP addresses and encrypt data.
While messaging and voice communications should be conducted through end-to-end encrypted apps like Signal or Telegram, which automatically protect user privacy, satellite communication providers can also offer encryption as an added feature to their services.
“Encryption should be used at every layer as defense-in-depth protection against individual failures. Treat encryption as mandatory, not an add‑on,” the researchers said.
Some providers have already fixed the issue
During the study, the researchers informed several of the larger providers about the issue, which claimed to have taken steps to address the problem.
“There is no single stakeholder responsible for encrypting GEO satellite communications,” they said.
“Each time we discovered sensitive information in our data, we went through considerable effort to determine the responsible party, establish contact, and disclose the vulnerability.”
After rescanning networks used by T-Mobile, Walmart, and KPU, the researchers said they verified a fix had been deployed, but also warned that they are withholding information about other affected systems because disclosures are still ongoing.
Encryption is often too costly
A key reason the data traffic isn’t encrypted is due to the overhead costs associated with it, with some remote, off-grid receivers unable to afford the hardware and license fees, according to the researchers.
At the same time, encryption can make it difficult to troubleshoot network issues and degrade the reliability of emergency services. Others are just unaware of the risk or underestimate the risk and ease of intercepting the data.
Related: Telegram’s Durov: We’re ‘running out of time to save the free internet’
“While significant academic and activist attention has been put into ensuring nearly universal use of encryption for modern web browsers, there has been much less visibility and attention paid to satellite network communications,” the researchers said.
The study focused on geosynchronous equatorial orbit (GEO) satellite systems, which remain in fixed positions. It did not investigate low-Earth orbit systems, such as Elon Musk’s Starlink, because that would have required more complicated receiving hardware.
“Our understanding is those links are encrypted, but we have not independently verified this.”
Magazine: Worldcoin’s less ‘dystopian,’ more cypherpunk rival: Billions Network