A research team showed that an $800 off-the-shelf satellite receiver setup was sufficient to intercept live T-Mobile calls, text messages, and related metadata going over space-based links. The experiment, which was carried out by academics at UC San Diego and the University of Maryland and first reported by investigative reporters at Wired, demonstrates how legacy satellite backhaul can bypass the privacy protections that people presume their carriers have in place.
About half the geostationary satellite links they studied were unencrypted, the researchers said. Over the course of a several-year study, they pointed a consumer-grade dish at the sky from La Jolla, California (just north of San Diego), and managed to capture downlink traffic from 39 satellites. The data the team was able to intercept included not just mobile voice and SMS, but corporate and air traffic control data as well — even missed call notifications for a friend in Catalina who couldn’t summon help after being in an accident.
The $800 recipe for wiretapping from space
The rig was intentionally ordinary: a small Ku-band dish, a low-noise block downconverter, an off-the-shelf tuner or software-defined radio, and open-source decoding software. By precisely pointing the dish and scanning the spectrum, the team found transponders carrying cellular backhaul and other IP traffic. No special qualifications were required; the issue was that many links employed no encryption whatsoever.
Anyone could access a chunk of the data, including call audio, SMS text messages, images, and phone numbers for more than 2,700 users, the researchers say. They also saw traffic linked to North American networks besides T-Mobile, such as AT&T Mexico and Telmex, in addition to internal data from major enterprises like Walmart Mexico and communications pertaining to the Mexican military.
T-Mobile was informed, and encryption was later turned on for impacted satellite backhaul links. The carrier said the exposure was limited to a small number of remote, low-population cell sites where fiber or microwave was not available and that used satellite for backhaul.
Why many satellite backhaul links remain unencrypted
A lot of that risk is due to a legacy mindset: satellite operators and enterprise users have historically operated on the assumption “no one is looking,” using obscurity as opposed to cryptography. Satellite modems and DVB-S/DVB-S2 equipment of earlier days usually provided encryption as an option, which could either be enabled or disabled by the operator to save bandwidth overhead and to avoid latency overhead over high-delay links.
Standards bodies and security agencies have long warned against doing this. Both ENISA and CISA have recommended to organizations that they encrypt satellite communications end to end, segment networks, and maintain an ongoing inventory of RF footprints. The repercussions of skipping these steps are well documented — more than a decade ago, it was discovered that inexpensive gear could intercept unencrypted drone video feeds. Cellular backhaul is no exception: once traffic leaves a tower en route to a satellite hop in the clear (that is, not protected cryptographically), anyone with line-of-sight access to that beam and rudimentary equipment can listen.
Perhaps most critically, if the backhaul leg is cleartext, encrypting the radio interface between a phone and tower doesn’t protect the traffic. That is how voice and SMS, along with DNS queries, authentication handshakes, and other metadata from today’s network cores, appeared to the researchers as plaintext.
What T-Mobile did and what is still at risk
After disclosure, T-Mobile deployed encryption on the cited links and said the exposure didn’t pertain to most of its footprint. The speed of the response was heartening, but it is the wider finding of the study that has experts concerned: around half of all scanned satellite links across a range of sectors were found to be unencrypted, not just those linked to a single carrier.
Geostationary satellites cover huge swaths of the Earth: an individual looking to eavesdrop could park below the beam and pick up traffic. Perhaps more damaging than privacy harms is the kind of data that was seen: corporate credentials and operational specifics, just the kind of intelligence sought by cybercriminals and nation-state actors.
How carriers and users can narrow the gap
For operators, the remedies are obvious: mandate IPsec or comparable strong encryption for all satellite backhaul, turn on AES by default in satellite modems, and make no carve-outs for “temporary” or low-traffic sites. Vendors should also ship hardened defaults, and carriers should commission periodic third-party RF sweeps to find unprotected transponders carrying their traffic.
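An added example, not taken from the researchers or any carrier: a minimal check an operator could run over packets captured on its own satellite-facing interface to verify the "no carve-outs" rule, flagging anything not carried in ESP or IKE/NAT-T. The function names, addresses and sample packets are constructed for illustration, and classifying by protocol number and port is a simplifying assumption.

```python
import socket
import struct

ESP, AH, UDP, TCP = 50, 51, 17, 6
IKE_PORTS = {500, 4500}  # IKE and IPsec NAT traversal (ESP-in-UDP)

def build_ipv4(proto, src, dst, payload=b""):
    """Build a minimal IPv4 packet for the constructed sample (checksum 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def classify(packet):
    """Return (verdict, detail) for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "unparsed", "not IPv4 or truncated"
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    flow = f"{socket.inet_ntoa(packet[12:16])} -> {socket.inet_ntoa(packet[16:20])}"
    if proto == ESP:
        return "protected", f"ESP {flow}"
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if proto in (UDP, TCP) and frag_offset == 0 and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if proto == UDP and (sport in IKE_PORTS or dport in IKE_PORTS):
            return "protected", f"IKE/NAT-T {flow}"
        return "cleartext", f"{'UDP' if proto == UDP else 'TCP'} {flow} port {dport}"
    if proto == AH:  # AH authenticates but does not encrypt the payload
        return "cleartext", f"AH (integrity only) {flow}"
    return "cleartext", f"IP protocol {proto} {flow}"

def audit(packets):
    """Summarise a capture; every finding is traffic outside the tunnel."""
    report = {"protected": 0, "cleartext": 0, "unparsed": 0, "findings": []}
    for pkt in packets:
        verdict, detail = classify(pkt)
        report[verdict] += 1
        if verdict != "protected":
            report["findings"].append(detail)
    return report

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = [
    build_ipv4(ESP, "192.0.2.10", "198.51.100.1", b"\x00" * 16),
    build_ipv4(UDP, "192.0.2.10", "198.51.100.1", struct.pack("!HHHH", 4500, 4500, 8, 0)),
    build_ipv4(UDP, "192.0.2.10", "198.51.100.53", struct.pack("!HHHH", 40000, 53, 8, 0)),
    build_ipv4(TCP, "192.0.2.10", "198.51.100.80", struct.pack("!HH", 40001, 80) + b"\x00" * 16),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A clean backhaul leg should report zero cleartext findings; here the DNS and HTTP packets are the carve-outs the audit surfaces.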
At my company, we have tens of locations with satellite uplinks that depend on reliability for telemetry/POS/downtime remote access.
- TLS-pinned services.
- Separate management planes (i.e., remote access only gets far enough to NAT into a network after authentication).
- Least-privilege access, limiting who is able to affect terminal behavior (see the point above).
Policymakers and regulators, such as the FCC and national cybersecurity agencies, can help by baking minimal cryptographic requirements into spectrum and service authorizations.
Consumers can reduce their exposure by favoring end-to-end encrypted messaging apps for sensitive conversations. That would not obscure metadata such as phone numbers or timing — still valuable to adversaries — but it makes the content of messages more resistant to interception in case a backhaul leg is breached.
The sobering headline lesson is simple: Encryption must be end to end. Ultimately, an $800 homebrew kit should never be sufficient to morph a satellite beam into a wiretap. This episode is a stark reminder of just how fast that can change when operators take space links as seriously as they do fiber connections.