Satellites beam data down to the Earth all around us, all the time. So you might expect that those space-based radio communications would be encrypted to prevent any snoop with a satellite dish from accessing the torrent of secret information perpetually raining from the sky. You would, to a surprising and troubling degree, be wrong.
Roughly half of geostationary satellite signals, many carrying sensitive consumer, corporate, and government communications, have been left entirely vulnerable to eavesdropping, a team of researchers at UC San Diego and the University of Maryland revealed today in a study that will likely resonate across the cybersecurity industry, telecom firms, and inside military and intelligence agencies worldwide.
For 3 years, the UCSD and UMD researchers developed and used an off-the-shelf, $800 satellite receiver system on the roof of a university building in the La Jolla seaside neighborhood of San Diego to pick up the communications of geosynchronous satellites in the small band of space visible from their Southern California vantage point. By simply pointing their dish at different satellites and spending months interpreting the obscure—but unprotected—signals they received from them, the researchers assembled an alarming collection of private data: They obtained samples of the contents of Americans’ calls and text messages on T-Mobile’s cellular network, data from airline passengers’ in-flight Wi-Fi browsing, communications to and from critical infrastructure such as electric utilities and offshore oil and gas platforms, and even US and Mexican military and law enforcement communications that revealed the locations of personnel, equipment, and facilities.
“It just completely shocked us. There are some really critical pieces of our infrastructure relying on this satellite ecosystem, and our suspicion was that it would all be encrypted,” says Aaron Schulman, a UCSD professor who co-led the research. “And just time and time again, every time we found something new, it wasn't.”
The group’s paper, which they’re presenting this week at an Association for Computing Machinery conference in Taiwan, is titled “Don’t Look Up”—a reference to the 2021 movie of that title but also a phrase the researchers say describes the apparent cybersecurity strategy of the global satellite communications system. “They assumed that no one was ever going to check and scan all these satellites and see what was out there. That was their method of security,” Schulman says. “They just really didn't think anyone would look up.”
The researchers say that they’ve spent about the past year warning companies and agencies whose sensitive data they found exposed in satellite communications. Most of them, including T-Mobile, moved quickly to encrypt those communications and protect the data. Others, including some owners of vulnerable US critical infrastructure whom the researchers alerted more recently—and declined to name to WIRED—have yet to add encryption to their satellite-based systems. Researchers have pointed to the surveillance dangers of unencrypted satellite connections before, but the scale and scope of the new disclosures appear unrivaled.
UCSD and UMD researchers pose with their satellite receiver system on the roof of a university building in San Diego. From left to right: Annie Dai, Aaron Schulman, Keegan Ryan, Nadia Heninger, Morty Zhang. Not pictured: Dave Levin.
The researchers’ work looked at only a small fraction of geostationary satellites whose signals they could pick up from San Diego—roughly 15 percent of those in operation, by the researchers’ estimate. This suggests immense amounts of data are likely still being exposed over satellite communications, says Matt Green, a computer science professor at Johns Hopkins University who focuses on cybersecurity and reviewed the study. Large swaths of satellite data will likely be vulnerable for years to come, too, as companies and governments grapple with whether and how to secure outdated systems, Green says.
“It's crazy. The fact that this much data is going over satellites that anyone can pick up with an antenna is just incredible,” Green says. “This paper will fix a very small part of the problem, but I think a lot of it is not going to change.”
“I would be shocked,” Green adds, “if this is something that intelligence agencies of any size are not already exploiting.”
Half Conversations, Broadcast From Space
The phone calls and text messages the researchers obtained, in particular, were exposed due to telecoms’ often overlooked use of satellite communications for offering cellular coverage to normal phone users who connect to cell towers in remote locations. Some towers in desert or mountainous regions of the US, for instance, connect to a satellite that relays their signals to and from the rest of a telecom’s core cellular network, the internal communications of the network known as “backhaul” traffic.
Anyone who sets up their own satellite receiver in the same broad region as one of those remote cell towers—often as far as thousands of miles away—can pick up the same signals meant for that tower. Doing so allowed the research team to obtain at least some amount of unencrypted backhaul data from the carriers T-Mobile, AT&T Mexico, and Telmex.
The T-Mobile data was particularly significant: In just 9 hours of recording T-Mobile backhaul satellite communications from their single dish, the researchers collected the phone numbers of more than 2,700 users as well as all the phone calls and text messages the researchers received during that time. They could, however, only read or hear one side of those conversations: the content of the messages and calls sent to T-Mobile’s remote towers, not sent from them to the core cell network, which would have required another satellite dish near the one T-Mobile intended to receive the signal on the other end.

Cellular towers in remote regions sometimes connect to a satellite that relays their signals to and from the rest of a telecom’s core cellular network—the internal communications of the network known as “backhaul” traffic. Anyone who sets up their own satellite receiver in the same broad region as one of those remote cell towers—often as far as thousands of miles away—can pick up the same signals meant for that tower.
“When we saw all this, my first question was, did we just commit a felony? Did we just wiretap?” says Dave Levin, a University of Maryland computer science professor who co-led the study. In fact, he says, the team didn’t actively intercept any communications, only passively listened to what was being sent to their receiver dish. “These signals are just being broadcast to over 40 percent of the Earth at any point in time,” Levin says.
Mexican telecom Telmex also transmitted unencrypted voice calls, the researchers found. The researchers further discovered that AT&T Mexico transmitted raw data over satellites that included users’ internet traffic—most of which was encrypted with HTTPS by the apps or browsers they used—but also some calling and texting metadata. They also found decryption keys that the researchers believe could likely have been used to decipher other sensitive information the AT&T Mexico network transmitted—though they didn’t try this.
Starting in December 2024, the researchers began contacting the affected telecoms. T-Mobile responded by encrypting its satellite transmissions within weeks, but responses from other cell carriers were mixed.
“Last year, this research helped surface a vendor's encryption issue found in a limited number of satellite backhaul transmissions from a very small number of cell sites, which was quickly fixed,” a T-Mobile spokesperson says, adding the issue was “not network-wide” and that the company has taken steps to “make sure this doesn't happen again.” In another statement after this story was published, T-Mobile noted that it has also added Session Initiation Protocol (SIP) encryption for all customers across the US “to further protect signaling traffic as it travels between mobile handsets and the network core, including call set up, numbers dialed and text message content.”
A spokesperson for AT&T says the company “promptly” fixed the issue. “A satellite vendor misconfigured a small number of cell towers in a remote region of Mexico,” they say. Telmex did not respond to WIRED’s request for comment.
Whether other cellular carriers around the US and world—outside the visibility of the researchers’ satellite dish—have encrypted their satellite-based network backhaul data remains an open question. The researchers say they didn’t see any unencrypted Verizon or AT&T US traffic from their dish.
The AT&T spokesperson says that its US and Mexico networks are separate, and it is “rare” to use satellites for cellular backhaul. “We typically route traffic on our closed, secure backhaul network,” the spokesperson says. “On those rare instances where data must be transmitted outside our closed network, it is our policy to encrypt it.” Verizon did not respond to WIRED’s request for comment.
Beyond just cell towers in remote locations, it’s possible that a lack of encryption for cellular backhaul data could make anyone on the same network vulnerable, points out Johns Hopkins’ Green. Hackers might be able to execute a so-called relay attack with a spoofed cell tower—using the surveillance hardware sometimes called a stingray or IMSI catcher—and route any victim’s data to a cell tower that connects to a satellite uplink. “The implications of this aren't just that some poor guy in the desert is using his cell phone tower with an unencrypted backhaul,” says Green. “You could potentially turn this into an attack on anybody, anywhere in the country.”
Military Helicopters and Power Grids, Exposed
The researchers’ satellite dish also pulled down a significant collection of unprotected military and law enforcement communications. They obtained, for instance, unencrypted internet communications from US military sea vessels, as well as the vessels’ names. (A spokesperson for the US Defense Information Systems Agency acknowledged WIRED’s request for comment but had not provided a response at the time of writing.)
For Mexican military and law enforcement, the exposures were far worse: The researchers say they found what appeared to be unencrypted communications with remote command centers, surveillance facilities, and units of the Mexican military and law enforcement. In some cases, they saw the unprotected transmission of sensitive intelligence information on activities like narcotics trafficking. In others, they found military asset tracking and maintenance records for aircraft like Mil Mi-17 and UH-60 Black Hawk helicopters, sea vessels, and armored vehicles, as well as their locations and mission details. “When we started seeing military helicopters, it wasn’t necessarily the sheer volume of data, but the extreme sensitivity of that data that concerned us,” says Schulman. The Mexican military did not immediately respond to WIRED’s requests for comment.
Just as sensitive, perhaps, were industrial systems communications from critical infrastructure like power grids and offshore oil and gas platforms. In one case, they found that the Comisión Federal de Electricidad (CFE), Mexico’s state-owned electric utility with about 50 million customers, was transmitting its internal communications in the clear—everything from work orders that included customers’ names and addresses to communications about equipment failures and safety hazards. (A CFE spokesperson acknowledged WIRED’s request for comment but didn't provide a response before publication.)
In other cases they have yet to publicly detail, the researchers say they also warned US infrastructure owners about unencrypted satellite communications for industrial control system software. In their phone calls with those infrastructure owners, some owners even expressed concerns that a malicious actor might have the ability to not only surveil the control systems of their facilities, but also, with enough sophistication, potentially disable or spoof them to tamper with the facility’s operation.
The researchers obtained a huge grab bag of other miscellaneous corporate and consumer data: They pulled down in-flight Wi-Fi data for Intelsat and Panasonic systems used by 10 different airlines. Within that data, they found unencrypted metadata about users’ browsing activities and even the unencrypted audio of the news programs and sports games being broadcast to them. They also obtained corporate emails and inventory records of Walmart’s Mexican subsidiary, satellite communications to ATMs managed by Santander Mexico, as well as the Mexican banks Banjercito and Banorte.
A spokesperson for Panasonic Avionics Corporation said they “welcome the findings” from the researchers, but claim it “has found that several statements attributed to us are either inaccurate or misrepresent our position.” When asked, the spokesperson did not specify what the company considered was inaccurate. “Our satellite communications systems are designed so that every user data session follows established security protocols,” the spokesperson says.
“Generally, our users choose the encryption that they apply to their communications to suit their specific application or need,” says a spokesperson for SES, the parent company of Intelsat. “For SES’s inflight customers, for example, SES provides a public Wi-Fi hot spot connection similar to the public internet available at a coffee shop or hotel. On such public networks, user traffic would be encrypted when accessing a website via HTTPS/TLS or communicating using a virtual private network.”
The researchers reported the swaths of unencrypted satellite communications from the Mexican government and Mexican organizations to CERT-MX, the country’s incident response team, which is part of the government’s National Guard, in April this year, before separately contacting companies. CERT-MX did not respond to WIRED’s repeated requests for comment.
A spokesperson for Santander Mexico says that no customer information or transactions were compromised, but confirmed that the exposed traffic was linked to a “small group” of ATMs used in remote areas of Mexico where using satellite connections is the only option available. “Although this traffic does not pose a risk to our customers, we took the report as an opportunity for improvement, implementing measures that reinforce the confidentiality of technical traffic circulating through these links,” the spokesperson says.
“While we cannot share specifics, we can confirm that our communications lines have been evaluated and confirmed secure,” a spokesperson for Walmart says. (The researchers confirm that they observed Walmart had encrypted its satellite communications in response to their warning.)
“The information of our customers and infrastructure is not exposed to any vulnerability,” a spokesperson for Grupo Financiero Banorte says. Banjercito could not be reached for comment.
“SIA and its members remain diligent in monitoring the threat landscape and continue to participate in various security efforts with government agencies, industry working groups, and international standards bodies,” says Tom Stroup, the president of the Satellite Industry Association, adding that it does not comment on specific company issues.
Time to Look Up
The amount of Mexico-related data in the researchers’ findings is, of course, no coincidence. Although their satellite dish was technically able to pick up transmissions from about a quarter of the sky, much of that swath included the Pacific Ocean, which has relatively few satellites above it, and only a small fraction of the transponders on the satellites it did see were transmitting data in the direction of its dish. The result, the researchers estimate, was that they examined only 15 percent of global satellite transponder communications, mostly in the western US and Mexico.

Geostationary satellites ring the Earth’s equator. The researchers’ satellite dish on the roof of their UC San Diego building was in a position to pick up at least some signals from about a quarter of that ring. But because many of the satellites’ signals weren’t transmitted towards San Diego—and a large part of their coverage was over the Pacific Ocean, with relatively few satellites—they only received an estimated 15 percent of all geostationary satellite signals. That also means that other dishes placed elsewhere in the world would likely find entirely different signals transmitting different sensitive data.
That suggests anyone could set up similar hardware somewhere else in the world and likely obtain their own collection of sensitive information. After all, the researchers restricted their experiment to only off-the-shelf satellite hardware: a $185 satellite dish, a $140 roof mount with a $195 motor, and a $230 tuner card, totaling less than $800.
“This was not NSA-level resources. This was DirecTV-user-level resources. The barrier to entry for this sort of attack is extremely low,” says Matt Blaze, a computer scientist and cryptographer at Georgetown University and law professor at Georgetown Law. “By the week after next, we will have hundreds or perhaps thousands of people, many of whom won’t tell us what they’re doing, replicating this work and seeing what they can find up there in the sky.”
One of the only barriers to replicating their work, the researchers say, would likely be the hundreds of hours they spent on the roof adjusting their satellite. As for the in-depth, highly technical analysis of obscure data protocols they obtained, that may now be easier to replicate, too: The researchers are releasing their own open-source software tool for interpreting satellite data, also titled “Don’t Look Up,” on GitHub.
The researchers’ work may, they acknowledge, enable others with less benevolent intentions to pull the same highly sensitive data from space. But they argue it will also push more of the owners of that satellite communications data to encrypt that data, to protect themselves and their customers. “As long as we’re on the side of finding things that are insecure and securing them, we feel very good about it,” says Schulman.
There’s little doubt, they say, that intelligence agencies with vastly superior satellite receiver hardware have been analyzing the same unencrypted data for years. In fact, they point out that the US National Security Agency warned in a 2022 security advisory about the lack of encryption for satellite communications. At the same time, they assume that the NSA—and every other intelligence agency from Russia to China—has set up satellite dishes around the world to exploit that same lack of protection. (The NSA did not respond to WIRED’s request for comment.)
“If they aren't already doing this,” jokes UCSD cryptography professor Nadia Heninger, who co-led the study, “then where are my tax dollars going?”
Heninger compares their study’s revelation—the sheer scale of the unprotected satellite data available for the taking—to some of the revelations of Edward Snowden that showed how the NSA and Britain’s GCHQ were obtaining telecom and internet data on an enormous scale, often by secretly tapping directly into communications infrastructure.
“The threat model that everybody had in mind was that we need to be encrypting everything, because there are governments that are tapping undersea fiber optic cables or coercing telecom companies into letting them have access to the data,” Heninger says. “And now what we're seeing is, this same kind of data is just being broadcast to a large fraction of the planet.”
Updated 1pm ET, October 14, 2025: Added additional information from T-Mobile about the encryption the company added to its cell network following the researchers' discoveries.