Satellites Have Exposed Sensitive Data From T-Mobile and Others, Research Reveals

A research paper presented this week at the annual Computer Security Applications Conference reveals that satellite Internet services, including those from T-Mobile, used unencrypted transmissions that could be intercepted with hardware worth about $800.

Don’t miss any of our unbiased technical content and lab reviews. Add CNET as your preferred Google source.

As first reported in Wired, research by scientists at the University of Maryland and the University of California San Diego found that users’ calls and text messages, as well as potentially sensitive data from military and corporate transmissions, were accessible. (The full PDF research paper, titled “Don’t Look Up: There Are Sensitive Clear Internal Links on GEO Satellites,” can be viewed online.)

According to the Wired report and research paper, some providers, including T-Mobile, have made changes to address the vulnerability. Other anonymous providers have not yet resolved the issue. The researchers declined to name them and said in the paper that they had spent the last year warning satellite operators about the dangers of transmitting unencrypted data.

In a summary of the research paper, the scientists said they pointed a commercial satellite dish toward the sky and conducted “the most comprehensive public study of geostationary satellite communications to date.”

The scientists pointed out that “an incredibly large amount of sensitive traffic is broadcast in the clear, including critical infrastructure, internal corporate and government communications, voice calls and text messages from private citizens, and consumer Internet traffic from in-flight Wi-Fi and mobile networks.”

In an email to CNET, a T-Mobile spokesperson said only about 50 cell sites from one carrier were subject to this vulnerability out of about 82,715 sites on its network. The spokesperson said a technical misconfiguration identified by the research affected “remote and sparsely populated areas” and was not a network-side issue.

The spokesperson also said: “We have implemented nationwide Session Initiation Protocol (SIP) encryption for all customers to further protect signaling traffic as it flows between mobile handsets and the core network, including call establishment, dialed numbers and text message content.

How to Stay Safe Using Satellite Networks

Some customers might believe they expect encryption or some basic privacy when using satellite networks for phone calls, text messages, or even seemingly innocuous activities like GPS tracking while hiking. But it is wise to assume otherwise.

“For consumers, caution is essential when using satellite-delivered connectivity,” said Mahdi Eslamimehr, who follows the satellite industry as executive vice president of Quandary Peak Research. “Satellite links should be treated as open Wi-Fi hotspots.”

People using these technologies, he said, can follow researchers’ recommendation to use their own VPN or stick to apps with built-in end-to-end encryption, such as Signal or WhatsApp, while relying on satellite internet.

He also recommends keeping the material up to date.

“Patches often include improved encryption protocols,” Eslamimehr said.

Why is security different on satellites?

Ensuring the security of satellite networks presents challenges. Satellites often rely on different security protocols, which can be problematic when combined with traditional networks to provide emergency coverage or cell tower backhaul coverage. Operators must determine where and how to encrypt data that may need to pass through multiple ground stations and satellites from different providers.

“Not all providers apply encryption consistently, leaving gaps that are very different from the well-known risks on conventional cellular networks,” Eslamimehr said.

According to the study, about half of the satellite signals tested with inexpensive equipment contained unencrypted data that included sensitive military information, but which could also reveal private information for those who use satellite Internet for non-commercial or non-military communications or tracking purposes.

Eslamimehr said people who might use these networks need to understand that satellite technology, particularly how it integrates with existing networks, is still relatively young.

“The technology holds tremendous promise for bridging the digital divide, but it requires a security maturity cycle,” he said.