A startling new study has revealed a massive cybersecurity failure in orbit: a significant portion of geostationary satellite signals are being transmitted without any encryption. Researchers from UC San Diego and the University of Maryland found that sensitive consumer, corporate, and military communications are openly broadcast, accessible to anyone with basic, off-the-shelf equipment. The findings suggest a widespread reliance on a flawed “security through obscurity” model for critical global infrastructure.

An $800 Window into Global Secrets

For three years, the research team used a simple satellite receiver system costing less than $800 to passively monitor signals from a university rooftop. By pointing their dish at various satellites, they intercepted a massive volume of unprotected data. The researchers dubbed their paper “Don’t Look Up,” highlighting their belief that the industry simply assumed no one would ever check for these vulnerabilities. This low barrier to entry means that not just intelligence agencies, but any determined snooper could replicate their work.

A Torrent of Exposed Secrets

The intercepted data included a shocking array of sensitive information. The team captured the contents of T-Mobile customer calls and texts sent over remote cellular backhaul links, in-flight Wi-Fi browsing data from ten different airlines, and communications to and from critical infrastructure like power grids and offshore oil platforms. They also uncovered unencrypted US and Mexican military communications, revealing asset locations and sensitive intelligence. While some companies, including T-Mobile, moved quickly to encrypt their links after being notified, the researchers noted that other vulnerable systems, including some in US critical infrastructure, remain unprotected. The study only examined about 15% of global satellites, suggesting the full scope of this vulnerability is far greater.