Researchers at UC San Diego and the University of Maryland have discovered that huge amounts of satellite communications — including calls, texts, and internet data from civilian, commercial, financial, and military users — are not encrypted. At all. They are simply being broadcast, in plain text, down to Earth. The researchers themselves used an off-the-shelf, unmodified satellite dish they bought for a couple hundred bucks and, to their complete surprise, they were able to listen in on sensitive communications about critical infrastructure operation, military surveillance, ATM networks, and actual phone call audio.
That is, in technical terms, very bad.
The team published the groundbreaking report in a white paper, which they summarized on a website that breaks out the highlights. The sheer scale of the problem is a little hard to wrap your head around. Basically, the team found that many geostationary (GEO) satellites (generally older ones that big telecoms and military operators use) just have no security measures, period. To put this in perspective, the team told Space.com that the actual goal of their study was to see if they could break through the encryption models of these satellites. The team never got the chance to try, because lots of them used no encryption at all.
As the team says, anybody with a simple dish, which costs less than a grand, can just listen in. GEO is the farthest orbit you can park a satellite in, meaning that signals from there grow so broad that they cover 40% of the Earth’s surface. It’s just trivial for someone with a dish to snoop. Again, these signals might include your cell or VoIP call audio, or maybe the login for your bank. Sleep well tonight!
How did this happen?
Thus far, nothing catastrophic has happened because… nobody thought to try listening in. So far as we know, anyway; it seems unlikely that foreign intelligence services haven’t been sucking up all this data for a long time. It’s a good bet that space-based cybercrime will spike in the near future, though.
Why on Earth (or space) weren’t GEO signals encrypted in the first place? Like the early internet, the answer seems to be as simple as “Nobody thought to do it.” Over the last decade, a concerted effort for a safer internet has led most browsers to adopt Transport Layer Security (TLS) as a default; this is the “S” in “HTTPS.” It’s just that, apparently, nobody thought to implement that for satellites. They just didn’t think of it. That’s it.
And I do literally mean implement TLS: one solution to this problem is simply to start making GEO satellites communicate using this protocol! For reference, SpaceX’s Starlink (which operates in low-Earth orbit, not GEO) does use TLS. It should be mentioned that, since the report’s publication last month, the team has confirmed that T-Mobile, Walmart, and KPU have encrypted their systems. That’s way too fast for a hardware fix, so it’s almost certainly a software one, possibly a simple switch to TLS.
Feel free to share this article with your loved ones! I am sure that they and all the spies snooping on your email will enjoy it.

