“Don’t Look Up”
The $800 Satellite Eavesdropping Crisis Hiding in Plain Sight
How Consumer-Grade Equipment Exposed Military Secrets, Phone Calls, Banking Data, and Critical Infrastructure Across Two Continents
Executive Summary
Half of all geostationary satellite links broadcast sensitive data — including phone calls, military movements, and banking traffic — completely unencrypted, receivable by anyone with consumer-grade equipment costing under $800.
That is the central finding of the most comprehensive public audit of satellite communication security ever conducted, published in October 2025 by researchers at UC San Diego and the University of Maryland. The study, titled “Don’t Look Up: There Are Sensitive Internal Links in the Clear on GEO Satellites,” won the Distinguished Paper Award at ACM CCS 2025 in Taipei.
It exposed unencrypted cellular backhaul for T-Mobile and AT&T Mexico, real-time Mexican military helicopter and naval vessel tracking, U.S. military ship communications, airline passenger data for ten carriers, Walmart inventory systems, banking ATM traffic, and industrial control systems for critical infrastructure.
This research reveals a systemic, decades-old failure in satellite communications security that intelligence agencies worldwide have almost certainly been exploiting for years — and that now, with an open-source tool released on GitHub, anyone can replicate.
An $800 Rooftop Experiment That Exposed a Continent’s Secrets
The research team — Aaron Schulman, Nadia Heninger, and Keegan Ryan at UC San Diego, Dave Levin at the University of Maryland, with graduate students Wenyi “Morty” Zhang and Annie Dai — spent three years developing their methodology before conducting a systematic scan from a single satellite dish mounted on the roof of UCSD’s Computer Science building in La Jolla, California.
Equipment Used
Hardware Breakdown
| Component | Specification | Cost |
|---|---|---|
| Ku-band Satellite Dish | 110cm diameter | $180 |
| Low-Noise Block Downconverter | Universal Ku-band | $15 |
| DiSEqC 1.2 Dish Motor | Roof mount | $195 |
| TBS-5927 DVB-S/S2 USB Tuner | PCIe card | $230 |
| Cables & Miscellaneous | Standard | $30 |
| TOTAL | | ~$650–$800 |
From this single vantage point, the team scanned 39 geostationary satellites across 25 orbital longitudes, locking onto 411 Ku-band transponders and capturing 3.7 terabytes of raw data over a seven-month period beginning in August 2024. This covered only 14.3% of the world’s 273 Ku-band GEO satellites — meaning the actual scale of exposed data globally is vastly larger than what they observed.
How GEO Satellites Work
GEO satellites operate as “bent-pipe” repeaters: they receive signals from ground stations, amplify them, frequency-shift them, and rebroadcast them over a footprint covering up to 40% of Earth’s surface. Anyone within that footprint with an appropriate receiver can capture the downlink signal. The reception is entirely passive and completely undetectable.
The technical innovation lay not just in the scanning but in the parsing. Prior tools like GSExtract could extract IP packets from only 52 transponders (15% of the dataset). The researchers’ custom Python-based parser handled seven distinct protocol stack paths, five of them never previously documented, recovering packets from 238 captures (69%), totaling 192,624 packets — a 600% improvement over existing tools.
[Figure: Encryption Status of Scanned Traffic]
What the Satellites Revealed
The scope of exposed sensitive data spans telecommunications, military operations, critical infrastructure, finance, retail, and aviation across multiple countries.
Cellular Backhaul: Reading Your Phone Calls From Space
In remote areas where cell towers cannot connect to the core network via fiber or microwave, carriers use satellite links — and these links were broadcasting subscriber data in the clear.
Cellular Exposure
| Carrier | Exposure | Data Captured | Duration |
|---|---|---|---|
| T-Mobile (US) | 2,711 phone numbers | SMS, voice calls (RTP), browsing history | 9 hours |
| AT&T Mexico | 710 phone numbers | IMSI, session keys (KeNB), IP traffic | 30 minutes |
| Telmex | 142 voice calls | Both parties’ numbers, SIP, RTP audio | 2 minutes |
T-Mobile’s traffic included an IPsec layer, but it was configured with a NULL cipher — the cryptographic equivalent of an unlocked door labeled “security.”
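An operator can check its own backhaul captures for this misconfiguration. The following is an added example, not code from the paper or its tool: a heuristic in the spirit of RFC 5879 that tests whether an ESP packet carries a cleartext payload by looking for a valid RFC 4303 trailer and inner IPv4 header. The ICV sizes tried, the function names, and the sample packets are assumptions made for illustration.

```python
import struct

ICV_LENGTHS = (12, 16, 24, 32)   # assumed set of truncated-HMAC ICV sizes to try
PLAUSIBLE_NEXT = {4, 6, 17, 41}  # IPv4-in-IP (tunnel mode), TCP, UDP, IPv6

def csum16(buf):
    """Folded ones'-complement sum over 16-bit words (IPv4 header checksum)."""
    total = sum(struct.unpack(f"!{len(buf) // 2}H", buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ipv4_header_ok(buf):
    """True if buf starts with an IPv4 header whose checksum verifies."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return False
    ihl = (buf[0] & 0x0F) * 4
    return 20 <= ihl <= len(buf) and csum16(buf[:ihl]) == 0xFFFF

def detect_esp_null(esp):
    """Return (icv_len, next_header) if the ESP packet parses as cleartext, else None."""
    body = esp[8:]                              # skip SPI and sequence number
    for icv_len in ICV_LENGTHS:
        end = len(body) - icv_len - 2           # offset of the Pad Length byte
        if end < 0 or body[end + 1] not in PLAUSIBLE_NEXT or body[end] > end:
            continue
        pad_len, next_hdr = body[end], body[end + 1]
        if body[end - pad_len:end] != bytes(range(1, pad_len + 1)):
            continue                            # RFC 4303 default padding is 1, 2, 3, ...
        if next_hdr != 4 or ipv4_header_ok(body[:end - pad_len]):
            return icv_len, next_hdr
    return None

def sa_uses_null_cipher(packets):
    """Flag an SA only when every sampled packet parses with the same ICV length."""
    hits = [detect_esp_null(p) for p in packets]
    return bool(hits) and None not in hits and len({h[0] for h in hits}) == 1

def build_sample(ident):
    """Constructed sample: inner IPv4/UDP datagram in tunnel-mode ESP-NULL, dummy ICV."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ident, 0, 64, 17, 0,
                                bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    struct.pack_into("!H", hdr, 10, 0xFFFF - csum16(hdr))
    inner = bytes(hdr) + struct.pack("!HHHH", 5060, 5060, 8, 0)
    return struct.pack("!II", 0x1001, ident) + inner + b"\x01\x02\x02\x04" + bytes(12)

# Constructed samples: three ESP-NULL packets, and an opaque body with no valid trailer.
NULL_SA = [build_sample(i) for i in (1, 2, 3)]
OPAQUE = struct.pack("!II", 0x2002, 1) + bytes((i * 73 + 41) % 256 for i in range(44))
```

A single packet can match by chance, especially in transport mode, which is why the per-SA check requires every sampled packet to agree before the link is reported as NULL-encrypted.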
Military and Government Communications
Mexican military satellite links exposed real-time asset tracking and telemetry data for Mi-17 and UH-60 Black Hawk helicopters, naval vessels, and armored vehicles, along with LIDAR/RADAR equipment status, maintenance logs, and deployment information including locations, mission roles, and regional assignments. Mexican law enforcement traffic revealed narcotics trafficking intelligence, incident reports, case tracking, evidence documentation, and surveillance data from remote command centers.
U.S. military sea vessels transmitted both encrypted and unencrypted traffic, with the unencrypted portion including DNS queries, SIP signaling (from which ship names could be identified), SNMP network management data, and ICMP packets.
Critical Infrastructure Exposure
Mexico’s Comisión Federal de Electricidad (CFE), serving nearly 50 million customers, transmitted customer service work orders with names, addresses, account numbers, and tariff types, plus communications about equipment failures and safety hazards at substations.
In the United States, unnamed critical infrastructure operators transmitted industrial control system (SCADA) data over unencrypted satellite links, including power grid repair tickets and oil and gas pipeline control traffic. Some infrastructure owners told the researchers they were concerned that a malicious actor could not only surveil but potentially disable or spoof control systems.
Corporate and Financial Data
| Entity | Exposed Data |
|---|---|
| Walmart Mexico | Inventory records, FTP transfers with UPC/SKU & pricing, plaintext telnet credentials, corporate email |
| Santander Mexico | ATM DNS and LDAP traffic, internal PKI certificates |
| Banjercito / Banorte | Extensive unencrypted traffic linked to internal banking infrastructure |
| 10 Airlines (Intelsat/Panasonic) | Passenger browsing metadata, unscrambled entertainment audio, partial RSA private keys from device memory leaks |
A 20-Year-Old Problem the Industry Chose to Ignore
The watchdog the satellite industry never hired.
The “Don’t Look Up” study is not the first warning about unencrypted satellite broadcasts — it is the loudest in a two-decade chorus that industry has systematically ignored.
2005
Researchers at Ruhr University Bochum published “Satellite Communication without Privacy — Attacker’s Paradise,” demonstrating that a consumer digital satellite dish and DVB card could intercept banking details, legal names, and email content from a single Astra satellite.
2019–2020
James Pavur, then an Oxford DPhil candidate, analyzed 4 TB of data from 18 GEO satellites over two years using equipment costing under €300. He intercepted engineer files from ships, COVID test results from airline passengers, and Chinese airline pilot electronic flight bags. He stressed that satellite companies “knew about this since 2019 and nothing changed.”
1966–Present: ECHELON
The NSA’s FROSTING program was specifically designed to intercept Intelsat satellite communications. By the early 1970s, GCHQ operated a secret station at Morwenstow, Cornwall, while NSA built its facility at Yakima, Washington — eventually expanding to 120 satellite interception antennae across seven sites worldwide.
2013: Snowden Revelations
The Snowden disclosures confirmed that the NSA’s UPSTREAM collection captured data “directly from private sector Internet infrastructure,” including via satellites, while GCHQ’s SOUTHWINDS program specifically intercepted mobile phone activity from commercial aircraft using Inmarsat satellite links.
2015: Turla APT Group
Kaspersky documented this Russian espionage group hijacking unencrypted DVB-S satellite internet connections for command-and-control operations since at least 2007, exploiting satellite footprints across the Middle East and Africa.
2022: NSA Advisory + Viasat Attack
Russia’s AcidRain cyberattack bricked 40,000–45,000 satellite modems across Europe, knocked out monitoring for 5,800 German wind turbines, and disrupted Ukrainian communications at the moment of invasion. The NSA subsequently issued an advisory acknowledging “most VSAT links are unencrypted.”
Intelligence Implications: SIGINT for Anyone
“It’s crazy. The fact that this much data is going over satellites that anyone can pick up with an antenna is just incredible. I would be shocked if this is something that intelligence agencies of any size are not already exploiting.” — Matt Green, Johns Hopkins University
Matt Blaze, computer scientist and cryptographer at Georgetown University, underscored the accessibility: “This was not NSA-level resources. This was DirecTV-user-level resources. The barrier to entry for this type of attack is remarkably low.” He warned that within weeks of publication, hundreds or thousands of people would replicate the work — many without disclosing their findings.
“The threat model that everybody had in mind was that we need to be encrypting everything, because there are governments that are tapping undersea fiber optic cables. And now what we’re seeing is, this same kind of data is just being broadcast to a large fraction of the planet.” — Nadia Heninger, UC San Diego
Snowden vs. Satellite: Structural Comparison
| Dimension | GCHQ TEMPORA (2013) | Satellite Eavesdropping (2025) |
|---|---|---|
| Access Required | State-level fiber tap + secret legal cooperation | $800 dish + rooftop |
| Detectability | Potentially detectable at tap point | Completely undetectable |
| Coverage | Specific cable routes | 40% of Earth per satellite |
| Who Can Do It | Nation-states only | Anyone with basic equipment |
| Data Types | Internet backbone traffic | Calls, texts, military, SCADA, banking |
A RAND Corporation report titled “SIGINT for Anyone” had already identified this trend, noting that capabilities “that used to be available only to nation-state peer adversaries are now available to any adversary who wants to use them.” The report specifically cited Iraqi insurgents who eavesdropped on unencrypted Predator drone video feeds transmitted via commercial satellites.
A Regulatory Vacuum Where Nobody Is Responsible
“There is no single stakeholder responsible for encrypting GEO satellite communications.” — Don’t Look Up, ACM CCS 2025
This fragmented responsibility — distributed across satellite operators, ground equipment providers, ISPs, and end customers, each assuming someone else handles encryption — mirrors a regulatory landscape that is strikingly vacant.
U.S. vs. EU Regulatory Comparison
| Framework | Status | Enforcement |
|---|---|---|
| FCC Part 25 (US) | No cybersecurity requirements | N/A |
| SPD-5 (US, 2020) | Voluntary principles | Non-binding |
| Satellite Cybersecurity Act | Introduced 3x (2022–2025) | Never enacted |
| NIST Guidelines | 4 guidance documents | No statutory authority |
| EU NIS2 Directive | Effective Oct 2024 | Mandatory + penalties |
| EU Space Act (proposed) | Pen testing pre-launch | 12hr incident reporting |
The comparison to SS7 — the signaling protocol underlying global telephony since the 1980s — is instructive. SS7 has been known to be deeply insecure since at least 2014 and has been exploited for banking fraud, location tracking, and even the pursuit of Sheikha Latifa of Dubai, yet no mandatory encryption requirements have ever been imposed. The satellite sector follows this same pattern of regulatory paralysis in the face of known, documented, and exploited vulnerabilities.
Why Encrypting Everything Is Harder Than It Sounds
Encryption can be applied at multiple layers: link-layer (DVB-CSA or BISS scrambling), network-layer (IPsec), or application-layer (TLS/QUIC). Each has trade-offs in the satellite environment.
Link-layer encryption is available in most modern satellite modems but is typically an optional, separately licensed feature that operators must pay to enable — creating a perverse economic incentive against security.
IPsec adds 20–30 bytes of overhead per packet, and GEO satellite links’ 600ms round-trip latency degrades VPN and IPsec performance substantially. Panasonic Avionics stated that enabling encryption imposes a 20–30% loss in transponder bandwidth capacity.
Legacy systems present the most stubborn challenge. GEO satellites have 15–30 year operational lifespans, and many currently operating were designed before modern cryptographic standards existed. They function as “dumb bent-pipes” with no onboard processing capability. Ground terminals in remote locations often run off-grid on solar power, where cryptographic processing can exceed available energy budgets. Historical U.S. export controls led to encryption being developed as an optional add-on, with some documentation still referencing 56-bit key strengths — broken decades ago.
GEO vs. LEO Security Comparison
| Dimension | GEO (Legacy) | Starlink (LEO) |
|---|---|---|
| Altitude | 35,786 km | 500–550 km |
| Beam Coverage | 40% of Earth (wide) | Narrow, focused beams |
| Latency | ~600ms RTT | 25–35ms RTT |
| Encryption Default | Optional / off | AES-256, always on |
| Eavesdrop Difficulty | Trivial ($800) | Substantially harder |
Corporate Responses: From Swift Action to Silence
The researchers began responsible disclosure in December 2024 and conducted follow-up scans in February 2025 to verify remediation. The responses varied dramatically.
| Entity | Response | Action Taken | Grade |
|---|---|---|---|
| T-Mobile | Weeks to fix | Encrypted backhaul + nationwide SIP encryption | ✓ Swift |
| Walmart | In-depth talks | Encrypted; verified by re-scan | ✓ Fixed |
| AT&T | Blamed vendor | Fixed; claimed separate US/Mexico networks | ⚠ Deflected |
| SES / Intelsat | Compared to coffee shop WiFi | Deflected to customers | ✗ Deflected |
| Mexican Military | No response | Unknown | ✗ Silent |
| CERT-MX | No response | Unknown | ✗ Silent |
| NSA / DISA | Acknowledged, no substance | N/A | ✗ Silent |
Where Satellite Security Goes From Here
The “Don’t Look Up” study arrives at an inflection point for satellite communications security. The researchers’ release of their open-source tool on GitHub — which accumulated 439 stars and 73 forks by early 2026 — effectively ends the era of security through obscurity for satellite communications. Kaspersky compared the study’s potential impact to the 2015 Jeep hack, which “completely upended cybersecurity standards in the automotive industry.”
The broader satellite security landscape is evolving rapidly but unevenly. GPS spoofing incidents reached 1,500 flights per day by August 2024. The Viasat attack demonstrated that satellite systems are viable military targets. Over 84% of active satellites now operate in LEO, where newer systems tend to encrypt by default, but many SmallSats and CubeSats still lack adequate security controls.
The core lesson of this research is not that satellite communications are uniquely vulnerable — it is that the satellite industry’s assumption that nobody would look up was never a security strategy, merely a bet against curiosity. That bet has now been lost, publicly and irrevocably.
The question is whether the industry and its regulators will respond with the urgency the exposure demands, or whether this will become another entry in the long catalog of infrastructure vulnerabilities — like SS7, like unencrypted DNS, like default passwords on industrial control systems — that persist for decades after disclosure because no single entity bears responsibility and no regulation compels action.
“VSAT systems should be treated as unencrypted wireless networks.” — NSA Advisory, May 2022
The “Don’t Look Up” researchers proved, with $800 and a rooftop, just how literally true that warning was.
Key Sources & References
- Primary Paper: Zhang, Dai, Ryan, Schulman, Heninger, Levin. “Don’t Look Up: There Are Sensitive Internal Links in the Clear on GEO Satellites.” ACM CCS 2025. Distinguished Paper Award.
- NSA Advisory: CSA: Protecting VSAT Communications (May 2022)
- RAND Corporation: SIGINT for Anyone: The Growing Availability of Signals Intelligence in the Open-Source Environment
- EU/ENISA: From Cyber to Outer Space: A Guide to Securing Commercial Satellite Operations (Feb 2025)
- Legislation: Satellite Cybersecurity Act (introduced 2022, 2023, 2025 — never enacted)
- Prior Work: Pavur & Martinovic (Oxford, 2019–2020), Lenders et al. (WiSec 2019), Turla APT (Kaspersky, 2015)
Open Source Intelligence • Cybersecurity Analysis • Geopolitical Research
February 2026 • Unclassified // For Public Release