What did your study do?
We set up a consumer-grade satellite dish on the roof of a university building in San Diego, California, with a positioning motor and a consumer-grade TV tuner card to capture raw bytes. We then scanned for all transponders (position and frequency) visible from our fixed location, and wrote custom protocol-parsing code to reconstruct network packets from the quirky custom protocol stacks we reverse-engineered from different vendors. We observed 411 transponders across 39 GEO satellites, and our single fixed-location dish could receive IP traffic from 14% of all global Ku-band satellites.
Why aren't all GEO satellite links encrypted?
There are direct costs to enabling encryption. Encryption imposes additional overhead on already limited bandwidth, decryption hardware may exceed the power budget of remote, off-grid receivers, and satellite terminal vendors can charge additional license fees for enabling link-layer encryption. In addition, encryption makes it harder to troubleshoot network issues and can degrade the reliability of emergency services. Some users may forgo encryption intentionally; others may be unaware these links are unencrypted or underestimate the risk and ease of eavesdropping attacks. While significant academic and activist attention has been put into ensuring nearly universal use of encryption for modern web browsers, there has been much less visibility and attention paid to satellite network communications.
Several vendors told us they were in the process of transitioning to encrypted links.
What about Starlink/LEO?
Our study focused on GEO satellite systems, which remain in a fixed point relative to the surface of the earth. These systems remain in wide use for critical infrastructure because of their reliability and backwards compatibility. We did not study LEO (Low Earth Orbit) systems (e.g., Starlink), which offer higher bandwidth and greater coverage but require more complicated receiving hardware. Our understanding is those links are encrypted, but we have not independently verified this.
What about the uplink?
The downlink signal from a satellite typically broadcasts to a wide geographic area, but the returning uplink is more focused. This means that from our single vantage point in San Diego, California, we were only able to observe one half of a given network connection.
Did you have to hack or interfere with any satellites?
Our study was fully passive; we simply set up a consumer-grade satellite dish on Earth and observed traffic without transmitting ourselves.
Can you tell if someone is listening to traffic?
Since this unencrypted data can be observed fully passively, there is no way to know if someone has set up a dish to listen.
Can you audit our network?
If you would like our assistance in determining whether your network traffic has been exposed, please get in touch.
Is this legal/ethical?
We consulted with the University of California legal counsel on the design of our study and worked closely with them during disclosure. We have gone through considerable effort to attempt to disclose the vulnerabilities we found to affected parties.