Satellites Have Exposed Sensitive Data From T-Mobile and Others, Research Reveals

A research paper being presented this week at the Annual Computer Security Applications Conference reveals that satellite internet services, including T-Mobile's, used unencrypted transmissions that could be intercepted with about $800 worth of gear.

Don't miss any of our unbiased tech content and lab-based reviews. Add CNET as a preferred Google source.

As first reported in Wired, research from scientists at the University of Maryland and the University of California, San Diego, found that users' calls and texts, as well as potentially sensitive data from military and corporate transmissions, could be accessed. (The full PDF research paper, titled "Don't Look Up: There Are Sensitive Internal Links in the Clear on GEO Satellites," can be found online.)

According to the Wired report and the research paper, some providers, including T-Mobile, made changes to address the vulnerability. Other unnamed providers have yet to fix the problem. The researchers declined to name them and said in the article that they've spent the past year warning satellite operators about the dangers of transmitting unencrypted data.

In a summary of the research paper, the scientists said they pointed a commercial-off-the-shelf satellite dish at the sky and conducted "the most comprehensive public study to date of geostationary satellite communication." 

The scientists underlined that "a shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens' voice calls and SMS, and consumer internet traffic from in-flight Wi-Fi and mobile networks."

In an email to CNET, a spokesperson for T-Mobile said that only about 50 cell sites from a vendor were subject to the vulnerability out of about 82,715 sites across its network. The spokesperson said a technical misconfiguration identified by the research affected "remote, low-population areas" and was not a network-side issue. 

The spokesperson also said, "We implemented nationwide Session Initiation Protocol (SIP) encryption for all customers to further protect signaling traffic as it travels between mobile handsets and the network core, including call setup, numbers dialed and text message content."

How to stay safe using satellite networks

Some customers might believe there's an expectation of encryption, or some basic privacy when using satellite networks for phone calls, texting or even seemingly innocuous activities like GPS tracking while hiking. But it's smart to assume the opposite.

"For consumers, caution is essential when using satellite‑provided connectivity," said Mahdi Eslamimehr, who follows the satellite industry as executive vice president at Quandary Peak Research. "Satellite links should be treated like open Wi‑Fi hotspots."

People using these technologies, he said, can follow the recommendation of the researchers to use their own VPNs or to stick to apps with built-in end-to-end encryption, such as Signal or WhatsApp, while relying on satellite internet. 

He also recommends keeping hardware updated. 

"Patches often include improved encryption protocols," Eslamimehr said.

Why is security different on satellites?

Keeping satellite networks secure presents challenges. Satellites often rely on different security protocols, which can be a problem when they're combined with traditional networks to provide emergency or cell-tower backhaul coverage. Carriers must figure out where and how to encrypt data that may need to go through multiple ground stations and satellites from various vendors. 

"Not all providers are applying encryption consistently, leaving gaps that are very different from the well‑understood risks on conventional cellular networks," Eslamimehr said.

According to the research, about half of the satellite signals tested with inexpensive equipment were found to carry unencrypted data that included sensitive military information, but that could also expose private information for those using satellite internet for noncommercial or nonmilitary communication or tracking. 

Eslamimehr said that people who may be using these networks need to understand that the satellite technology, especially the way it integrates with existing networks, is still relatively young. 

"The technology holds tremendous promise for bridging the digital divide, but it needs a security maturity cycle," he said.