Welcome back, aspiring cyberwarriors!
For many years, satellites in geostationary orbit, usually called GEO satellites, have been one of the most important ways to provide high-speed communication to remote locations. They support television, internet access, in-flight Wi-Fi on aircraft, maritime communication, industrial infrastructure, and even cellular backhaul for GSM towers in areas where fiber or microwave links are unavailable. Because these systems sit so high above Earth and cover enormous footprints, many people assume the traffic moving through them must be heavily protected. This assumption sounds reasonable. After all, a GEO downlink can be received across thousands of kilometers, sometimes covering close to a third of the Earth’s surface. If any medium should be encrypted, it should be this one.
Yet recent academic research showed something deeply concerning. A surprisingly large amount of GEO satellite traffic is still transmitted completely unencrypted. Even more striking, the researchers demonstrated that this traffic can be intercepted with relatively affordable commercial hardware.
The receiving setup itself was simple from an RF engineering perspective. A consumer satellite dish, a roof mount, a positioning motor, and a tuner card were enough to build a functional passive interception station. The total cost was roughly $800, which is remarkably low considering the sensitivity of the data being received.
GEO Satellites
Today, there are hundreds of active GEO satellites supporting thousands of communication channels. The recent study references approximately 590 satellites in geostationary orbit actively supporting a vast system of transponders and backhaul links. Each satellite can serve many independent networks through onboard transponders, effectively acting as a relay station in space. Each signal transmitted from a GEO satellite covers an enormous geographical area.
From the ground, any properly pointed dish within that footprint can receive the downlink. The same property that allows remote oil platforms, aircraft, and rural GSM towers to stay connected also makes passive interception surprisingly practical. The communication channel itself is typically established by leasing transponder time and precisely aligning both ground terminals and hub stations toward the selected satellite. This approach is straightforward and stable, which is why GEO remains attractive despite the rise of newer LEO systems. The infrastructure behind satellite IP communication is technically mature, but it is also highly fragmented. Different vendors use their own proprietary protocols, modulation schemes, framing logic, and encapsulation layers.
Consumer satellite dishes are widely available, passive receivers are easy to buy, online communities openly share satellite positions and transponder databases, and years of satellite television popularity have led to excellent open software for blind scanning and signal decoding. Tools such as Easy BlindScan Pro have made the discovery phase significantly easier.
In other words, building your own passive GEO interception station is no longer something limited to intelligence agencies. It is now accessible to technically curious RF enthusiasts with moderate budgets. Because this has been known for decades, one would naturally expect strong encryption to be the norm. Interestingly, encryption has indeed been widely used for years to protect paid satellite television from piracy. Yet for many non-broadcast data channels, especially internal IP backhaul links, encryption has historically been neglected. The new research demonstrates just how widespread that neglect really is.
Results
The most eye-opening part of the study came from its scale. Researchers from the University of California San Diego and the University of Maryland spent three years scanning traffic from 39 GEO satellites visible from California. Their analysis showed that roughly half of the observed signals carried cleartext IP traffic. The recovered traffic covered an extraordinary range of sectors. They observed voice calls, SMS messages, in-flight passenger Wi-Fi traffic, utility infrastructure communications, oil and gas platform data, corporate internal messages, retail inventory records, ATM networking data, and even military and law-enforcement communications.
One especially striking example involved remote GSM backhaul. In isolated regions, cellular base stations often connect to the core telecom network through GEO satellite links. While the handset-to-cell-tower segment is normally protected with robust cellular encryption, the backhaul segment was in some cases transmitted in the clear. The researchers reported that in just nine hours, they collected phone numbers belonging to more than 2,700 T-Mobile users, along with call metadata and some text content. They also observed traffic associated with AT&T Mexico and Telmex systems.
The study also found unencrypted traffic from vessels, including military maritime systems and law-enforcement operations. In some cases, the metadata alone was enough to infer sensitive operational details.
The paper itself, titled “Don’t Look Up: There Are Sensitive Internal Links in the Clear on GEO Satellites” was presented at the 2025 ACM SIGSAC Conference on Computer and Communications Security in Taipei, where it received a Distinguished Paper Award. Many operators simply relied on the assumption that nobody would ever bother pointing a dish at the sky and decoding their transponders. Their “security model” was essentially obscurity.
Summary
Internet security has benefited from decades of research, standardization, and industry-wide adoption of secure defaults such as HTTPS and TLS. Satellite internal networking, by contrast, has received far less public scrutiny. There are also engineering trade-offs. Adding encryption reduces effective throughput and increases power consumption. This matters greatly for remote terminals running on constrained resources, such as solar-powered infrastructure in isolated locations. For latency-sensitive applications like VoIP and video communication, the additional packet overhead from IPsec or similar encapsulation can be significant, especially when packets are already small. Key management also becomes operationally expensive when large fleets of remote terminals and hub stations must maintain valid certificates and synchronized trust chains. From a systems engineering perspective, this helps explain the historical resistance, though it certainly does not justify it.
It is also worth noting an important scope boundary in the study. Modern low-earth-orbit systems such as SpaceX Starlink were not part of this research and are known to use much stronger cryptographic protections. The paper specifically focused on traditional GEO satellite links.
For readers who want to go further, we have our training on Satellite Hacking. The course introduces the fundamentals of satellite signal interception, common security weaknesses, and real‑world attack surfaces in space‑based technologies.
Source: HackersArise
Source Link: https://hackers-arise.com/satellite-hacking-listening-to-unencrypted-geo-satellite-traffic/