Researchers have demonstrated that sensitive data, including personal communications and operational details, can be intercepted from U.S. military and commercial organizations by passively scanning unencrypted satellite transmissions. The study, conducted by scientists from the University of Maryland and the University of California, San Diego, utilized approximately $600 worth of commercially available satellite equipment.
The team focused on geostationary (GEO) satellites, which provide essential communication services like internet and television to remote areas and backhaul for private networks. Their seven-month investigation revealed widespread vulnerabilities in how organizations secure data transmitted via these satellites, indicating that network-layer encryption is often not implemented.
Low-Cost Satellite Interception Capabilities
The research highlights a significant gap in current satellite communication security. By scanning 39 different satellites across various longitudinal points, the scientists aimed to prove that intercepting sensitive data does not require the resources of a nation-state intelligence agency. The findings suggest that organizations may be treating satellite links as simply another component within their internal networks without adequate security measures.
Authors Wenyi Zhang, Annie Dai, Keegan Ryan, Dave Levin, Nadia Heninger, and Aaron Schulman stated in their report that their study provides “concrete evidence that network-layer encryption protocols like IPSec are far from standard on internal networks.” This lack of encryption is particularly concerning given the critical nature of the data being transmitted.
Vulnerabilities in Data Transmission
The researchers observed unencrypted data transmissions from various entities, including telecommunications companies, major businesses, and U.S. military assets. For example, the study detected unencrypted SMS messages, voice call contents, internet traffic, and cellular network signaling protocols from T-Mobile users. During one nine-hour observation period, over 2,700 individuals’ phone numbers and metadata were collected.
Similar data leakages were identified from Mexican telecommunications firms TelMex and WiBo, as well as Alaskan telecom KPU Telecommunications. Additionally, the study noted unencrypted traffic from U.S. military sea vessels, which included vessel names and details about internal applications and systems used for logistics and management.
The study’s authors indicated that they reached out to many of the organizations whose data was compromised to notify them of the vulnerabilities. However, they reported that these organizations declined to engage in bug bounty programs that included non-disclosure agreements. Discussions with the U.S. military, T-Mobile, AT&T, IntelSat, and others reportedly took place between December 2024 and July 2025.
Implications for Critical Infrastructure
The research raises concerns about the security of satellite communications, especially for critical infrastructure. While previous studies have suggested that such interception capabilities were largely limited to well-resourced actors, this new research indicates a significantly lower barrier to entry.
The findings underscore the reliance of governments and businesses on satellite communications for data transfer and the comparatively low level of security attention these systems receive. The U.S. government designates certain sectors as critical infrastructure, but communications via space are not explicitly included, despite ongoing policy discussions about enhancing their security.
The researchers stated that their threat model, which focuses on using low-cost consumer-grade equipment for surveying GEO satellite usage, has not been previously explored in academic literature. This methodology offers a new perspective on the accessibility and scope of potential satellite eavesdropping. The implications of this research are expected to spur further examination of satellite security protocols and encourage wider adoption of encryption across the industry.
The next steps are likely to involve industry responses to these findings, potentially leading to updated security standards or recommendations for satellite communication providers and their clients. The extent to which organizations will prioritize upgrading their security measures remains a key point to watch, especially given the described low cost and technical expertise required for such interceptions.