Security researchers at two US universities were able to intercept T-Mobile customer call and text data from completely unencrypted satellite communications.
Researchers were also able to eavesdrop on sensitive government communications, including US military and law enforcement agencies – and they did all of it using nothing more than an $800 off-the-shelf satellite receiver system …
Wired reports on the frankly incredible findings from a study jointly carried out by UC San Diego and the University of Maryland.
For three years, the UCSD and UMD researchers developed and used an off-the-shelf, $800 satellite receiver system on the roof of a university building in the La Jolla seaside neighborhood of San Diego to pick up the communications of geosynchronous satellites in the small band of space visible from their Southern California vantage point.
By simply pointing their dish at different satellites and spending months interpreting the obscure—but unprotected—signals they received from them, the researchers assembled an alarming collection of private data: They obtained samples of the contents of Americans’ calls and text messages on T-Mobile’s cellular network, data from airline passengers’ in-flight Wi-Fi browsing, communications to and from critical infrastructure such as electric utilities and offshore oil and gas platforms, and even US and Mexican military and law enforcement communications that revealed the locations of personnel, equipment, and facilities.
The research team said they fully expected to find that the data being transmitted through the satellite link was encrypted, but were shocked to discover that it wasn’t. Study co-lead Aaron Shulman said that the satellite security approach seemed to be nothing more than just hoping for the best.
“They assumed that no one was ever going to check and scan all these satellites and see what was out there. That was their method of security,” Schulman says. “They just really didn’t think anyone would look up.”
Researchers notified all of the companies and agencies whose data was exposed. T-Mobile responded by quickly encrypting its communications, but not all of the satellite system users have yet done the same.
T-Mobile customer data was exposed because in remote areas the cell towers rely on satellite links to relay the data.
“Last year, this research helped surface a vendor’s encryption issue found in a limited number of satellite backhaul transmissions from a very small number of cell sites, which was quickly fixed,” a T-Mobile spokesperson says, adding the issue was “not network-wide” and that the company has taken steps to “make sure this doesn’t happen again.”
Customer data was also obtained from AT&T Mexico and Telmex, with the former stating that it has also fixed the issue.
The data captured by researchers is just a small percentage of the total volume being broadcast given the narrow geographic coverage obtained from a single receiver, so the true global scale of the problem is likely to be very much greater.