'They just really didn't think anyone would look up': Researchers snooped on unencrypted satellite data with basic equipment, finding private calls, text messages, and even military communications

Using a $180 satellite dish and roof mount, a $195 motor system, and a $230 tuner card, the team say they were able to pick up samples of the contents of US calls and text messages on the T-Mobile cellular network, along with data from in-flight Wi-Fi and utility infrastructure comms from oil rigs and electricity providers. Perhaps more troubling, however, was that military and law enforcement communications were also said to be easily accessible, revealing the locations of personnel, equipment, and facilities.

"They assumed that no one was ever going to check and scan all these satellites and see what was out there. That was their method of security," Schulman continues. "They just really didn't think anyone would look up."

What's also troubling is the relatively small scale of the researchers' efforts. Using their easily obtainable equipment from a San Diego location, they were only able to pick up signals from roughly 15% of satellites currently in operation, yet discovered numerous unencrypted communications—suggesting the problem may be more widespread than initially thought.

At one point, during a nine-hour recording session of T-Mobile's backhaul satellite communications, the researchers say they were able to view phone numbers, calls, and text messages from over 2,700 users. There is a small glimmer of hope, however, in that the team was only able to pick up data from one side, meaning that the data the users were receiving was open to access, not data being sent from their devices. Essentially, a one-sided conversation—but a leaked one, nonetheless.

The team seem keen to point out that they didn't actively intercept any of these communications, instead passively listening to what the receiver picked up.

"When we saw all this, my first question was, did we just commit a felony? Did we just wiretap?" says co-leader of the study Professor Dave Levin.

However, it appears that all that was needed to receive the unencrypted data was a small set of equipment, and the knowledge of how to use it. "These signals are just being broadcast to over 40 percent of the Earth at any point in time," said Levin.

The team say they were also able to receive unencrypted internet communications from US military sea vessels, and were able to discern the vessel's names as a result. However, data from Mexican military and law enforcement authorities seems far more detailed. The team say they were able to pick up the unprotected transmission of intelligence information on narcotics tracking, as well as military asset tracking and maintenance records for helicopters, sea vessels, and armoured vehicles, along with locations and mission details.

The team has since notified the companies and agencies affected by the unencrypted information, with varying results. According to the researchers, T-Mobile, Walmart, and KPU have been re-scanned since being informed of the data breach and are now using some form of encryption, although other unnamed parties still appear to be broadcasting without a fix.

It's truly astonishing how much data the team was able to intercept with a relatively budget set of equipment, and it does make you wonder how easy it would be for less scrupulous entities to do the same. The researchers acknowledge that their work may enable others to begin tracking satellite communications, and that intelligence agencies with far superior equipment are likely to have been analysing the same unencrypted data.

However, they argue that the study may force more satellite communications providers to tighten up their security protocols. Schulman says: "As long as we're on the side of finding things that are insecure and securing them, we feel very good about it."