The sky isn’t falling, but your most private conversations might be. A landmark security study published Monday at the Association for Computing Machinery conference in Taiwan reveals that approximately 50% of global satellite communications lack encryption, exposing billions of phone calls, military secrets, and corporate data to interception using equipment costing as little as $600. Researchers from UC San Diego and the University of Maryland spent three years monitoring 39 geostationary satellites, uncovering what they characterize as the most comprehensive security breach in satellite communications history. The uncomfortable truth: anyone with a satellite dish and basic technical knowledge can eavesdrop on communications that organizations assumed were invisible simply because they were transmitted through space.
The Scope: What Was Exposed
The research team’s findings read like a cybersecurity nightmare spanning multiple threat vectors.
During a nine-hour recording session, researchers intercepted thousands of T-Mobile users’ phone calls and text messages, revealing communications from over 2,700 individual users. These weren’t obscure edge cases; they represented routine consumer telecommunications routed through satellite backhaul networks that carriers presumed were secure by obscurity.
Military communications proved equally vulnerable. The team captured unencrypted internet traffic from US military vessels along with detailed Mexican military and law enforcement tracking data for helicopters, naval vessels, and armored vehicles. Real-time location coordinates, operational status updates, and tactical communications were all broadcast in cleartext for anyone monitoring the appropriate satellite transponders.
Corporate and infrastructure vulnerabilities extended the exposure beyond telecommunications. Researchers intercepted:
- Inventory management data from Walmart
- Banking transactions from Mexican financial institutions
- Operational communications from electric utilities
- Data transmissions from oil platforms
The diversity of affected sectors underscores a systemic failure in satellite communication security practices rather than isolated incidents affecting specific industries or regions.
The “Don’t Look Up” Methodology
The study’s title, “Don’t Look Up,” captures the security-through-obscurity mentality that enabled these vulnerabilities to persist unchallenged for decades.
Researchers examined 39 geostationary satellites across 25 distinct longitudes using entirely consumer-grade equipment: a standard satellite dish, a motor system for repositioning, and a tuner card. Total cost: $800, essentially the same setup suburban homeowners use for satellite television.
“It completely astonished us,” said Aaron Schulman, UC San Diego professor who co-led the research. “There are some really critical pieces of our infrastructure relying on this satellite ecosystem, and our suspicion was that it would all be encrypted. And just time and time again, every time we found something new, it wasn’t.”
Critically, the team’s Southern California location allowed monitoring of only approximately 15% of operational satellite transponders, suggesting the global scope of unprotected communications vastly exceeds what the three-year study documented. Geostationary satellites positioned over other regions carry additional traffic the researchers couldn’t observe, implying the true scale of exposure affects far more than the billions of communications already identified.
Why Organizations Skip Satellite Encryption
The persistent absence of encryption despite decades of available technology raises an obvious question: Why would organizations transmit sensitive data without basic protection?
The research reveals structural disincentives that discourage satellite encryption deployment:
Additional licensing costs: Encryption implementations often require separate licensing agreements with satellite operators, adding expense to already-costly satellite bandwidth contracts.
Bandwidth concerns: Encryption adds computational overhead and potential data expansion, consuming precious satellite capacity. In bandwidth-constrained environments where every megabit costs money, operators face pressure to maximize payload efficiency.
Troubleshooting complications: Encrypted traffic obscures network diagnostics. When connectivity issues arise, engineers prefer visibility into packet contents for rapid problem resolution, a legitimate operational concern that conflicts with security best practices.
Historical assumptions: “They assumed that no one was ever going to check and scan all these satellites and see what was out there,” Schulman explained. “That was their method of security. They just really didn’t think anyone would look up.”
This security-by-obscurity approach worked until it spectacularly didn’t. The researchers demonstrated that motivated actors with minimal resources can systematically survey satellite communications, destroying the assumption that space-based transmission provides inherent protection.
The Satellite TV Paradox
Perhaps the study’s most ironic finding: satellite television has employed robust encryption for decades to prevent piracy and protect premium content revenue, while IP network traffic, including sensitive corporate and military communications, often lacks similar protection.
Entertainment content receives stronger security than national defense communications.
This paradox reflects economic incentives: media companies lose direct revenue when pirates decrypt satellite TV signals, creating immediate financial motivation for encryption investment. By contrast, the consequences of intercepted corporate or military communications, while potentially catastrophic, don’t generate the same quarterly earnings impact that drives security spending decisions.
The technical capability clearly exists; satellite operators already deploy encryption at scale for consumer entertainment. Extending similar protections to IP traffic is an implementation choice, not a technological limitation.
Who’s Already Exploiting This?
The UC San Diego research used consumer equipment and published methodology. Adversaries with state-level resources possess far more sophisticated capabilities.
Matthew Green, a Johns Hopkins cryptography professor who reviewed the study, offered a sobering assessment: “I would be surprised if this isn’t something intelligence agencies of any size are already taking advantage of.”
Foreign intelligence services operate dedicated satellite monitoring stations with equipment orders of magnitude more capable than the $800 consumer setup researchers employed. These facilities can:
- Monitor multiple satellites simultaneously across wider frequency ranges
- Employ advanced signal processing to extract weaker signals
- Conduct long-term systematic collection rather than spot sampling
- Correlate intercepted communications with other intelligence sources for targeting
The researchers’ findings don’t reveal a new attack vector; they expose vulnerabilities that sophisticated adversaries have likely exploited for years while organizations remained oblivious.
Industry Response: Too Little, Too Late?
Following responsible disclosure to affected organizations, some companies moved quickly to remediate vulnerabilities.
T-Mobile implemented encryption after notification in December 2024. Walmart and KPU (an electric utility) have also secured their systems according to researcher reports. These rapid responses demonstrate that encryption deployment is technically feasible when organizations prioritize it.
However, some critical infrastructure operators have yet to implement protection despite being informed of the vulnerabilities. The researchers declined to name organizations that remain unprotected, but the admission confirms that exposure continues for some systems even after public disclosure.
The glacial pace of remediation across some sectors suggests cultural and organizational barriers beyond technical constraints. Encryption requires cross-functional coordination among IT security, operations teams, satellite service providers, and executive leadership willing to authorize spending on problems that haven’t yet caused visible harm.
What This Means for Communications Security
The satellite vulnerability study forces uncomfortable questions about foundational assumptions underlying modern communications infrastructure.
If half of satellite traffic transmits unencrypted, what other “secure” communications channels rely on obscurity rather than cryptography? How many other infrastructure sectors assume adversaries lack capability or motivation to monitor supposedly invisible data flows?
For enterprises and government agencies, the implications are clear:
- Audit satellite communications: Verify encryption status for all satellite-relayed data
- Eliminate assumption-based security: Replace “nobody’s looking” with “assume everything is monitored”
- Mandate encryption requirements in satellite service contracts
- Implement end-to-end encryption at application layers, independent of transport security
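As an added illustration of the audit step (not code from the study or from any affected organization), the following Python sketch labels flows from a capture taken on an organization's own side of its satellite modem and lists the ones that are readable in transit. The flow names, the sample payloads, and the 0.9 printable-ratio and 7.0 bits-per-byte thresholds are assumptions chosen for the example.

```python
import hashlib
import math
from collections import Counter

TCP, UDP, ESP = 6, 17, 50  # IP protocol numbers (ESP = IPsec)
PRINTABLE = set(range(0x20, 0x7F)) | {9, 10, 13}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(proto: int, payload: bytes) -> str:
    """Label a flow from its IP protocol and the first bytes of payload."""
    if proto == ESP:
        return "encrypted:ipsec-esp"
    # TLS record header: content type 0x16 (handshake), version 3.0 to 3.4
    if proto == TCP and payload[:2] == b"\x16\x03" and len(payload) > 2 and payload[2] <= 4:
        return "encrypted:tls"
    if payload.startswith(b"SSH-"):
        return "encrypted:ssh"
    if payload and sum(b in PRINTABLE for b in payload) / len(payload) > 0.9:
        return "cleartext"
    # High entropy may also be compression, so this needs manual follow-up.
    if len(payload) >= 256 and entropy(payload) >= 7.0:
        return "opaque"
    return "undetermined"

def audit(flows):
    """Return the names of flows that carry readable data over the link."""
    return [name for name, proto, payload in flows if classify(proto, payload) == "cleartext"]

# Constructed sample data: 512 pseudo-random bytes stand in for ciphertext.
PSEUDO_RANDOM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
SAMPLE_FLOWS = [
    ("pos-backhaul", TCP, b"GET /inventory?store=0001 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("vpn-tunnel", ESP, PSEUDO_RANDOM),
    ("web-portal", TCP, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + PSEUDO_RANDOM[:32]),
    ("telemetry", UDP, b"LAT=00.0000;LON=000.0000;STATUS=OK"),
    ("unknown-blob", UDP, PSEUDO_RANDOM),
]

if __name__ == "__main__":
    for name, proto, payload in SAMPLE_FLOWS:
        print(f"{name:14s} {classify(proto, payload)}")
    print("cleartext flows:", audit(SAMPLE_FLOWS))
```

Flows labelled "opaque" or "undetermined" still need a human check, since compressed but unencrypted data also looks random.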
For consumers whose phone calls traversed these networks, the revelation is unsettling: private conversations may have been inadvertently broadcast to anyone monitoring the sky. While individual targeting seems unlikely given the data volume, metadata alone (who called whom, when, and for how long) provides valuable intelligence.
The sky has always been transparent. Organizations simply chose not to look up, or assumed nobody else would either. That comfortable delusion just shattered.