Unencrypted GEO Satellite Backhaul Exposes Calls, Aviation Wi‑Fi, and Critical Infrastructure Data

CyberSecureFox 🦊

Researchers from the University of California San Diego and the University of Maryland report that a significant portion of geostationary (GEO) satellite communications is still transmitted in the clear. Over a three‑year project dubbed “Don’t Look Up,” the team passively captured unencrypted traffic from corporations, government entities, and everyday users using affordable, commercially available radio equipment.

Why GEO satellite backhaul is at risk: wide footprints and “security through obscurity”

The core exposure involves satellite backhaul—traffic sent from remote cellular base stations and infrastructure sites to an operator’s core network via GEO satellites. A single GEO beam covers an enormous geographic footprint, meaning any suitably equipped receiver within that footprint can capture the downlink. Without link‑layer or application‑layer encryption, the content is trivially interceptable.

According to the researchers, many operators implicitly relied on security through obscurity, assuming few adversaries would monitor satellite downlinks. That assumption no longer holds: modern software‑defined radio (SDR) tools and commodity dishes have dramatically lowered the cost and complexity of monitoring satellite transponders.

What was exposed: mobile calls, inflight Wi‑Fi, corporate networks, and mission data

In just nine hours of observation, the team identified the phone numbers of more than 2,700 T‑Mobile subscribers along with the contents of calls and SMS messages carried over satellite backhaul from remote cell sites. After being notified, T‑Mobile reportedly enabled encryption and reduced the exposure window.

The team also observed unencrypted inflight Wi‑Fi traffic from ten airlines, including passenger web browsing histories and audio streams. In the enterprise segment, they captured corporate packets from Walmart’s Mexican operations and ATM communications, including banking traffic associated with institutions such as Santander Mexico.

Particularly concerning were instances of military and government communications sent without encryption. The researchers say they intercepted data from U.S. naval vessels (including ship names) and Mexican military systems, such as command‑center traffic, telemetry, and aircraft tracking (for example, Mi‑17 and UH‑60 Black Hawk), along with mission locations and tasking details.

Critical infrastructure was not spared. Mexico’s state utility, Comisión Federal de Electricidad—serving roughly 50 million customers—was observed transmitting internal messages in cleartext, from work orders and addresses to equipment failure notices. Similar issues surfaced on offshore oil and gas platforms.

Scope, legal posture, and prior warnings from regulators

The researchers estimate their receive setup covered only about 15% of global GEO traffic, primarily over the western United States and Mexico. The real global exposure is therefore likely larger. The study was strictly passive: the team did not initiate connections or interfere with links and captured only what was already being broadcast over wide areas.

Regulators have flagged these risks before. In 2022, U.S. agencies—including CISA, the FBI, and the NSA, with partners such as the UK NCSC—issued joint guidance urging SATCOM providers and customers to enable encryption by default and harden remote operations, citing the growing threat of satellite link interception.

Industry response and immediate priorities

The researchers began coordinated disclosures in December 2024. Some operators, including T‑Mobile, quickly enabled encryption. However, segments of critical infrastructure reportedly remain unprotected, leaving operational data and customer information exposed to low‑cost passive interception.

Practical defenses for SATCOM backhaul

Minimum protections include end‑to‑end encryption (TLS 1.3/QUIC or IPsec) over satellite links; activating link‑layer encryption available in many SATCOM modems; robust key management and rotation; network segmentation and least‑privilege access; anomaly detection and telemetry monitoring; configuration audits for terminals and antennas; and staff training on RF interception risks. For mobile and aviation services, strong E2E encryption that limits metadata leakage is essential.

The takeaway is clear: interception costs are falling while the satellite attack surface is expanding, and obscurity is no longer a control. Organizations using GEO satellite backhaul or remote SATCOM links should immediately inventory all paths, enable encryption by default at multiple layers, and verify its presence and correctness. Early, comprehensive cryptographic protection significantly reduces exposure to both cybercriminals and nation‑state collection.
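The last step above, verifying that encryption is actually present on every backhaul path, is where a passive audit of the operator's own captured traffic helps. The script below is an added example written for this article, not code from the researchers or from any vendor; it takes constructed records (a link identifier, transport, destination port and payload bytes, all made up for the example) and classifies each payload as IPsec, TLS or DTLS, a recognizable cleartext protocol, printable-but-unknown text, or opaque binary, then reports the cleartext fraction per link so an operator can spot sites that are still sending in the clear.

```python
"""Cleartext audit for captured backhaul traffic (added example, constructed data).

Each Record stands for one transport-layer payload seen on a named link.
Classification looks only at headers and byte statistics, the same view a
passive receiver has, so it can confirm that encryption is present but not
that it is strong (see usage note).
"""
import hashlib
import math
import string
from collections import Counter
from dataclasses import dataclass

PRINTABLE = set(string.printable.encode())

# Prefixes of common plaintext application protocols (HTTP, SIP, SMTP, FTP).
CLEARTEXT_PREFIXES = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"HTTP/1.",
                      b"INVITE ", b"REGISTER ", b"SIP/2.0", b"EHLO ", b"HELO ",
                      b"USER ", b"PASS ", b"220 ", b"MAIL FROM:")


@dataclass
class Record:
    link: str        # backhaul link / remote site identifier (constructed)
    transport: str   # "tcp", "udp" or "esp" (ESP carried directly over IP)
    port: int        # destination port, 0 for esp
    payload: bytes


def is_tls_record(p: bytes) -> bool:
    # TLS record header: content type 20..23, version major 3, minor 0..4.
    return len(p) >= 5 and p[0] in (20, 21, 22, 23) and p[1] == 3 and p[2] <= 4


def is_dtls_record(p: bytes) -> bool:
    # DTLS record header: version 0xfeff (DTLS 1.0) or 0xfefd (DTLS 1.2).
    return len(p) >= 13 and p[0] in (20, 21, 22, 23) and p[1] == 0xFE and p[2] in (0xFF, 0xFD)


def entropy_bits(p: bytes) -> float:
    """Shannon entropy in bits per byte; reported for context, not used to decide."""
    if not p:
        return 0.0
    n = len(p)
    return -sum(c / n * math.log2(c / n) for c in Counter(p).values())


def printable_ratio(p: bytes) -> float:
    return sum(b in PRINTABLE for b in p) / len(p) if p else 0.0


def classify(rec: Record) -> str:
    p = rec.payload
    if rec.transport == "esp" or (rec.transport == "udp" and rec.port == 4500):
        return "encrypted:ipsec"        # ESP, or IKE/ESP NAT-T on UDP 4500
    if rec.transport == "tcp" and is_tls_record(p):
        return "encrypted:tls"
    if rec.transport == "udp" and is_dtls_record(p):
        return "encrypted:dtls"
    if p.startswith(CLEARTEXT_PREFIXES):
        return "cleartext:known-protocol"
    if printable_ratio(p) >= 0.85:
        return "cleartext:unknown"      # readable text with no recognized protocol
    return "opaque"                     # binary; possibly application-layer encryption


def audit(records, cleartext_threshold: float = 0.0) -> dict:
    """Per link: class counts, cleartext fraction, and a flag when it exceeds the threshold."""
    per_link: dict = {}
    for rec in records:
        per_link.setdefault(rec.link, []).append(classify(rec))
    report = {}
    for link, classes in per_link.items():
        counts = Counter(classes)
        clear = sum(v for k, v in counts.items() if k.startswith("cleartext"))
        frac = clear / len(classes)
        report[link] = {"classes": counts, "cleartext_fraction": frac,
                        "flagged": frac > cleartext_threshold}
    return report


def _blob(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext (constructed)."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(bytes([i])).digest()
        i += 1
    return out[:n]


# Constructed sample: site-A is in the clear, site-B and site-C are protected.
SAMPLE_RECORDS = [
    Record("site-A", "tcp", 80, b"GET /workorders/1234 HTTP/1.1\r\nHost: ops.example.internal\r\n\r\n"),
    Record("site-A", "udp", 5060, b"INVITE sip:+15550001111@example.invalid SIP/2.0\r\n"),
    Record("site-A", "tcp", 8080, b"ticket=4711;addr=CONSTRUCTED STREET 1;status=FAILED\n"),
    Record("site-B", "tcp", 443, b"\x16\x03\x03\x00\x40" + _blob(64)),
    Record("site-B", "udp", 4500, _blob(80)),
    Record("site-C", "udp", 4433, b"\x17\xfe\xfd" + _blob(30)),
    Record("site-C", "udp", 9000, _blob(200)),
]

if __name__ == "__main__":
    for link, row in audit(SAMPLE_RECORDS).items():
        flag = "FLAG" if row["flagged"] else "ok"
        print(f"{link}: {flag} cleartext={row['cleartext_fraction']:.0%} {dict(row['classes'])}")
```

Two caveats apply when reading the report. A TLS, DTLS or ESP header only shows that an encrypting protocol is in use, not that it is configured well: ESP with the NULL cipher, or TLS negotiated down to a weak suite, would still be counted as "encrypted" here, so the header check should be paired with configuration review on the terminals. And "opaque" is not a clean bill of health; it means the audit cannot tell, which is exactly the case to chase down with the site owner rather than assume.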
