US Researchers Intercept Unencrypted Satellite Communication
US researchers have investigated satellite data traffic using commercial equipment. Much of it, including security-relevant data, was unencrypted.
Satellite in orbit
(Image: Andrey Armyagov/Shutterstock.com)
Satellite communication remains insecure: For a recent study, researchers from the USA intercepted data transmitted via geostationary satellites. A large portion of it is unencrypted, including security-relevant communication.
"A frighteningly large amount of data traffic is transmitted unencrypted," writes the team from the University of California, San Diego (UCSD) and the University of Maryland, College Park, on their website. This includes data from critical infrastructures, internal communication of companies and government agencies, as well as phone calls, SMS, or internet traffic from in-flight Wi-Fi and mobile networks.
For the study, the team led by Wenyi Morty Zhang installed a commercially available satellite dish on a UCSD building; the entire equipment cost around 800 US dollars. The researchers pointed the dish at one of the 39 geostationary satellites visible from their vantage point and analyzed the intercepted data. The project ran for three years.
Approximately half of the intercepted data was transmitted unencrypted, the team reports. This included phone calls, text messages, or regular internet traffic via mobile networks, including hardware data such as the IMSI. In-flight Wi-Fi on airplanes also runs via satellites, making it susceptible to eavesdropping. Many Voice-over-IP (VoIP) providers route their communication via satellites, allowing for eavesdropping.
Data from Banks, Energy Providers, and the Military
It is particularly concerning that security-relevant communication is also unencrypted. The researchers were able to intercept data from banks and other financial companies, including login credentials, emails, and ATM data. Data from energy providers or infrastructures like pipelines are also transmitted unencrypted via geostationary satellites. Official bodies were not exempt: the team was able to eavesdrop on the communication of the military and police from the USA and Mexico.
"We were completely shocked by this," says Aaron Schulman, a team member and professor at UCSD, to the US technology magazine Wired Wired. "Some really critical parts of our infrastructure rely on this satellite ecosystem, and we assumed everything was encrypted." Instead, they found more and more unencrypted data.
Videos by heise
When they identified a vulnerability, the researchers contacted the affected party and pointed it out. Some have since responded and taken action. At T-Mobile, Walmart, and KPU, the researchers were able to verify this after re-examining the communication with the consent of the three providers. Other entities are reportedly still in the process of securing their systems. The team will present the study, titled Don’t Look Up: There Are Sensitive Internal Links in the Clear on GEO Satellites, at the ACM Conference on Computer and Communications Security, currently taking place in Taipei.
This is not new: in 2020, a team led by James Pavur from the Systems Security Lab at Oxford University pointed out that a large portion of communication via geostationary satellites is handled unencrypted.
(wpl)
