Unencrypted Satellites Leak Sensitive Data to Anyone Listening

A satellite orbits 36,000 kilometers above Earth, silently relaying phone calls, military orders, and utility data. Anyone with an $800 antenna can intercept that data with ease. That's the reality researchers from UC San Diego and the University of Maryland uncovered, revealing a massive security flaw in geostationary satellite communications. About half of these signals travel unencrypted, leaving sensitive information wide open to interception. In just nine hours, the team snagged phone calls and texts from over 2,700 T-Mobile users, alongside military and infrastructure data. The findings, shared at a computing conference in Taiwan in October 2025, expose a gap that affects everyone from rural cell phone users to soldiers in remote outposts.

The range of exposed data is staggering. T-Mobile customers' calls and texts were intercepted in hours, revealing personal conversations. Airline passengers using in-flight WiFi had their browsing habits and login details exposed. Electric utilities and offshore oil platforms sent operational data through unprotected channels, risking sabotage. Perhaps most alarming, US and Mexican military communications spilled details about personnel locations and equipment. This isn't limited to one sector; telecoms, aviation, energy, and defense all rely on satellites to relay critical data, often assuming no one's eavesdropping.

The ease of interception flips traditional security models upside down. Unlike hacking a server, which requires breaching digital defenses, satellite eavesdropping is passive. There's no trace left behind, no firewall to alert. A researcher with a rooftop dish in San Diego captured this data using off-the-shelf gear. If academics can do it, imagine what a foreign intelligence agency with deeper resources could pull off. The research only scratched 15% of global satellite traffic, suggesting the problem's scale is far larger than we know.

When the researchers alerted affected companies, responses varied sharply. T-Mobile acted swiftly, encrypting its satellite backhaul to protect customer data. This move shows that solutions are feasible when companies prioritize security. After years of transmitting unencrypted calls, the telecom giant closed the gap once notified, proving that technical fixes don't require reinventing the wheel. But not every organization followed suit. Some US critical infrastructure operators, like electric utilities, still haven't encrypted their satellite links, leaving systems vulnerable to disruption or espionage.

Comparing these cases reveals key lessons. T-Mobile faced clear customer trust and regulatory pressures, driving quick action. Infrastructure operators, however, often grapple with legacy equipment and tight budgets. Upgrading satellite terminals for encryption can cost millions, and some providers charge extra for security features, treating them like premium add-ons. The contrast highlights a broader issue: security is often a cost-benefit calculation, not a default. Until regulations mandate encryption, critical systems may remain exposed, risking public safety.

Encrypting satellite signals sounds simple, but it's a tangle of trade-offs. Adding encryption eats up bandwidth, sometimes by 30%, which translates to lost revenue for companies already stretched thin. Satellite bandwidth is pricier than terrestrial alternatives, so firms prioritize efficiency over security. Legacy equipment poses another hurdle; many terminals in use for decades can't handle modern encryption without costly replacements. Some providers even lock encryption behind licensing fees, making it a luxury rather than a standard.

On the flip side, the technology to secure satellite links exists. Advanced Encryption Standard (AES) algorithms, used widely in terrestrial networks, can protect satellite data effectively. The issue isn't technical capability but priorities. Companies assumed satellite links were safe because they're internal infrastructure, not public-facing. That mindset, rooted in the 1970s when satellite hacking was a government-only game, doesn't hold up in 2025, when a hobbyist with a dish can snoop on military chatter.

Closing this security gap demands a coordinated push. Industry collaboration could set universal encryption standards, ensuring all satellite links, from telecom to utilities, are protected by default. Partnerships between aerospace giants like Lockheed Martin and commercial operators could adapt military-grade encryption for broader use, cutting costs through scale. Governments have a role too; the FCC and CISA could mandate encryption for critical infrastructure, much like they regulate spectrum use. Without such rules, companies face little pressure to act unless customers or regulators demand it.

The stakes are high. Unencrypted satellite signals don't just risk privacy; they threaten national security and public safety. If researchers with $800 can expose military locations, foreign actors with bigger budgets are likely already listening. The aviation and energy sectors face similar risks, with passenger data and power grids exposed. The good news? Solutions are within reach. T-Mobile's response proves it's possible to act fast. The challenge now is getting everyone else to look up and secure the signals beaming down from the sky.