With just $800 in basic equipment, researchers found a stunning variety of data—including thousands of T-Mobile users’ calls and texts and even US military communications—sent by satellites unencrypted.
# Incident Report: Widespread Satellite Data Eavesdropping Due to Lack of Encryption
## Executive Summary
Researchers demonstrated that approximately half of geostationary satellite signals, carrying sensitive consumer, corporate, and military data, were being broadcast unencrypted and could be intercepted using basic, inexpensive equipment. This weakness allowed the interception of sensitive private communications, including T-Mobile user texts/calls and US military communications. The primary finding is a systemic failure to encrypt satellite transmission paths.
## Incident Details
- Discovery Date: October 13, 2025 (Date of study publication/disclosure)
- Incident Date: Ongoing, as the vulnerability has existed for the duration of the study (three years leading up to publishing).
- Affected Organization: Various, including T-Mobile users, US military communications, and corporate entities relying on vulnerable satellite providers.
- Sector: Telecommunications, Military/Government, Satellite Communications.
- Geography: Global satellite communications observed from San Diego, Southern California.
## Timeline of Events
### Initial Access
- Date/Time: Over a three-year period leading up to October 2025.
- Vector: Passive eavesdropping on unencrypted satellite signals.
- Details: Researchers set up an $800 off-the-shelf satellite receiver system in La Jolla, San Diego, pointing dishes at geosynchronous satellites visible from their location.
### Lateral Movement
- Not applicable in the traditional sense; the attack was focused on signal interception/collection rather than internal network compromise.
### Data Exfiltration/Impact
- Data intercepted included samples of T-Mobile users' calls and text messages, as well as US military communications.
### Detection & Response
- Detection: Researchers at UC San Diego and the University of Maryland actively investigated and interpreted these unprotected signals over three years. The finding was publicly disclosed via a study published on October 13, 2025.
- Response actions taken: Not detailed in the provided text, beyond the proactive disclosure by the researchers to industry and government bodies.
## Attack Methodology
- Initial Access: Passive radio reception using specialized, yet affordable, hardware pointed at unencrypted geostationary satellite downlinks.
- Persistence: Not applicable (passive collection).
- Privilege Escalation: Not applicable.
- Defense Evasion: Not required; the signals were transmitted without encryption, so the only barrier was the specialized knowledge needed to identify and decode them.
- Credential Access: It is not specified whether credentials were captured directly, but the recovered call/text content shows that sensitive communications were accessible.
- Discovery: Researchers actively scanned and interpreted signals from known satellite orbital paths.
- Lateral Movement: Not applicable.
- Collection: Raw radio signals were captured and then decoded into usable voice/text data.
- Exfiltration: Data (calls, texts, military data) was collected locally by the researchers.
- Impact: Exposure of private and secret communications.
## Impact Assessment
- Financial: Not explicitly detailed, but potential costs to satellite operators and affected corporations/government entities are significant.
- Data Breach: Millions of communications, including T-Mobile customer calls/texts and sensitive US military data.
- Operational: Potential disruption and loss of trust in satellite communication infrastructure.
- Reputational: Significant damage to the reputation of satellite service providers who failed to enforce encryption.
## Indicators of Compromise
- Network indicators (inferred from context, not published values): downlink frequencies of commercial or military GEO satellites transmitting without modern encryption protocols.
- File indicators: Raw, unencrypted digital stream captures of radio frequency data.
- Behavioral indicators: Passive reception and decoding of C-band or Ku-band satellite downlink signals that carry no encryption.
## Response Actions
- Containment measures: N/A (This was a research disclosure, not an active intrusion response).
- Eradication steps: N/A.
- Recovery actions: Requires providers to implement mandatory encryption across all satellite links.
## Lessons Learned
- Key takeaways: A significant portion of satellite communications relies on outdated or non-existent encryption, leaving vast amounts of sensitive data vulnerable to interception by anyone with basic, accessible equipment.
- What could have been done better: Satellite operators and carriers failed to deploy end-to-end encryption for signals being downlinked to Earth.
## Recommendations
- Implement mandatory, robust encryption standards (e.g., AES-256) for all geostationary satellite transmissions carrying consumer, corporate, or government data.
- Conduct immediate audits of existing satellite infrastructure to identify and remediate any unencrypted downlinks.
- Require carriers like T-Mobile to ensure all traffic utilizing satellite backhaul is fully encrypted prior to transmission.