Some of the stuff that was extracted from the unencrypted traffic in the link:
- T-Mobile backhaul: Users' SMS, voice call contents and internet traffic content in plain text.
- AT&T Mexico cellular backhaul: Raw user internet traffic
- TelMex VOIP on satellite backhaul: Plaintext voice calls
- U.S. military: SIP traffic exposing ship names
- Mexico government and military: Unencrypted intra-government traffic
- Walmart Mexico: Unencrypted corporate emails, plaintext credentials to inventory management systems, inventory records transferred and updated using FTP
This is insane!
While it is important to work on futuristic threats such as Quantum cryptanalysis, backdoors in standardized cryptographic protocols, etc. - the unfortunate reality is that the vast majority of real-world attacks happen because basic protection is not enabled. Good reminder not take our eyes off the basics.
As with anything in life, when it's what you know and do on the regular, that simple thing can look like magic to others. I met an old timer in the satellite business that came out to help install our receiver for a new TV channel the company I was at was getting off the ground. He found out what bird we were using and what its slot was. Based on that, he knew how many satellites over from the satellite he knew and used as his base. It was a long time running TV channel that he could find very quickly. Once that bird was located, he just manually (literally pushed the dish with his hand) counting the number of satellites that came in/out of view until he landed on "our" bird. Once there, connected our receiver and baddaboom baddabing, there it was. Once the satellite was pointed at the proper angle to the south, it took less than five minutes from him connecting his receiver to verify his base signal to packing up and heading off the roof.
His base satellite signal was unencrypted and a main reason he used it for this purpose. Our channel was scrambled, and only verifiable after our receiver with the decoder was connected. It was impressive seeing someone that good at their job make it look so easy, but after he explained the layman's version of orbital slots it became less magical. This is why magicians are meant to not tell you how the trick is done.
Eh I kind of feel like you can't say that. If something is magical before you learn how it's done, it should be magical after. The magical part isn't "it's actually impossible", but "it's so far from what I could come up on my own", which still holds after you know the secret.
Had a vendor offer a customer of mine a huge discount if they purchased radios without the encryption license in the year of our lord 2024.
Not even WPA or WEP. Just clear across the sky. And this is terrestrial.
My bet is that in space there would be a noticable increase in heat/energy if they did encryption by default. But its still incredible to see them pretend like space is impossible to get to, ultimate obscurity.
> My bet is that in space there would be a noticable increase in heat/energy if they did encryption by default.
Why would it? The data originates from earth, and should be encrypted during the uplink leg too, so the crypto should all happen in the ground segment (or even well before it reached anything that could be considered part of the satellite setup, honestly).
The landing page has a Q&A. This is the relevant part of the response to the question, "Why aren't all GEO satellite links encrypted?"
>Encryption imposes additional overhead to an already limited bandwidth, decryption hardware may exceed the power budget of remote, off-grid receivers, and satellite terminal vendors can charge additional license fees for enabling link-layer encryption. In addition, encryption makes it harder to troubleshoot network issues and can degrade the reliability of emergency services.
So, the only suggestion that there would be greater heat/energy if they did encryption by default is the part about decryption (receiver) hardware having limited power budgets in some cases. There's more than what I copy-and-pasted above, but the overall message is that lots of organizations haven't wanted to pay the direct costs of enabling encryption... although they should.
Likely no consequences to the decision-makers for data exfiltration or other shenanigans happening, so there's nothing motivating a behavior change.
The reason security is so bad everywhere is that nobody gets fired when there's a breach. It's just blamed on the hackers and everyone just goes on with life singing "We take security very seriously--this happened because of someone else!"
Who do you imagine will get fired? The CISO who's been recommending various security imporvements and been trying to get them implemented, but been unable to do so due to a lack of C level interest in IT. Or the C level's who lack interest in IT security until it bites them in the investor?
At least here in the EU we're moving toward personal responsibility for C level's who don't take IT and OT security serious in critical sectors, but in my anecdotal experience that is the first time anything regarding security has actually made decision makers take it serious. A lot of it is still just bureaucracy though. We have a DORA and NIS2 compliant piece of OT that is technically completely insecure but is compliant because we've written a detailed plan on how to make it secure.
this must mean the consequences of such a breach has either not produced any visible damage, or the entity being damaged is uncaring (or have no power to care).
>this must mean the consequences of such a breach has either not produced any visible damage
Yeah lets say you were carrying unencrypted frames for Bills Burger Hut.
The largest extent of the damage might be sniffing some smtp credentials or something. Bill sends some spam messages, never figures out how it was done but their IP reputation is always in the toilet.
Lets then say instead of Bills Burger Hut, you are carrying traffic for critical mineral and food industries. The attacker isnt a scammer, but a hostile nation state. Customer never realises, but theres a large, long term financial cost because (TOTALLY NOT CHINA) is sharing this data with competitors of yours overseas, or preparing to drop your pants in a huge way for foreign policy reasons.
No one gets fired until after the worst case long term damage, and even then probably not.
In fact, the likely outcome is that the burden gets moved to the customer for L2 encryption and the cowboy never changes.
The legal system already has sufficient cop-out: for anything that you should have been aware of, or would have been informed about.
Eg. doctors do get sued and fired for malpractice, if they did something no other skilled doctor would reasonably do ("let's just use the instruments from the previous surgery").
End user license agreements are a huge part of the problem. Ideally users could sue if our data is leaked - and the threat of being sued would put pressure on companies to take security more seriously. Ie, it would become a business concern.
Instead we're constantly asked to sign one-sided contracts ("EULAs") which forbid us from suing. If a company's incompetence results in my data being leaked on the internet, there's no consequences. And not a thing any of us can do about it.
On the other hand you can't sue a company for losing your data in many EU companies. You can report them to whatever data protection agency your country has, and after an investigation they can fine, and/or, in more serious cases turn the matter over to the police for a criminal investigation.
The disadvantage of this is that the local data protection agencies haven't been handing out very big fines. Sometimes that's due to company law. In my country you'd fine the owning company, which in many cases will be a holding company. Since fine sizes are linked to revenue and a holding company typically has no revenue, this means fines are often ridicilously small.
Or the damage is diffuse whereas the costs of preventing the breach would be concentrated. Or the connection between the damage and the breach is difficult to prove.
> Panasonic told us that enabling encryption
could incur a 20–30% capacity loss. In addition, when using IPsec,
ESP and IP headers can introduce 20–30 bytes of overhead, which
is nontrivial for small-packet applications like VoIP and video calls
Space-faring electronics aren't exactly cost-sensitive - the cost of a cluster of crypto-accelerated CPUs or rad-hardened FPGAs is peanuts compared to the human and launch costs that go into these satellites.
I mean a bunch of those crypto systems turn out to be flawed though. So skipping the vendor implementation and using something in software instead could make sense.
I was working in space industry and ECSS security guidelines are missleading grant seeking startups to try to reinvent TLS on orbit. There are to mamy bureaucracy. ECSS guidelines for software teams were created by people who never written a Hello World in their life, just look at specs of ECSS Packet Utilisation Service, it's a joke, that's why I prefer to work for VC funded companies than grant funded.
Absolutely mind-boggling that this is a thing; not just that satellite links aren't per-user link-encrypted, but also that people are still using unencrypted protocols to exchange sensitive information on the public internet in 2025.
Am I offtrack in wondering if by reverse engineering the mentioned in-the-clear ATM communications you could (in theory) inject some malicious packets and in effect just dispense cash to yourself with a laptop and a dish? How very cyberpunk.
It's absolutely jaw-dropping. Either no-one at these companies was capable of understanding the problem, or no-one cared enough to do something about it.
From my time in similar companies, some people understand, and might care, but aren't empowered to do anything about it. They've got a job to do, and creatively auditing network security isn't it. Finding this kind of issue on the company clock won't get them promoted, on the contrary they'll look like they're slowing the team down with vulnerabilities to fix when they've got stuff to build and sell. Very poor security culture.
Is it correct to Assuming the amount of Mexican companies in this paper is because of their receiver being in the major city southwestmost corner of the country ?
Yeah that's correct. The study was conducted in San Diego which falls under the satellite beam footprint required for services in Mexico.
If you were in say, Alice Springs in Australia (wink wink) for example, you'd be able to see traffic for Indonesia, Philippines, most of South East Asia, and perhaps parts of China, South Korea and Japan if the beams are right.
Does anyone remember the days when you pointed a 60cm antenna at the Hispasat 30W and connected your DVB-S2 tuner in Windows, Using Crazycat's BDADataEx, you tuned an IP data transponder. Using a technique called Satfish (with a software I don't remember), some files were reconstructed, usually vsat data from oil platforms... and porn.
It’s quite common for a DOI to be assigned to a paper after it’s accepted during camera ready. However, the DOI won’t work until the conference or journal version is published on the official website (ACM in this case). The version you’re viewing now is simply a preprint directly from the authors.
I see no issue with the satellite backhaul itself being unencrypted; anyone using the satellite provider should assume they're hostile and encrypt+authenticate everything they send anyway. I don't trust my ISP's fiber to be snoop-resistant just because they nominally have some shitty ONT encryption.
Obviously the specific examples of end-users failing to encrypt are bad, but that's not really a problem with the satellites.
If someone is browsing the internet on in-flight wifi, and their DNS requests get leaked this way, I don't really think its the casual airline user's fault for not encrypting their DNS traffic. Modern cell phone data traffic (4G/5G) is all encrypted, so the same unencrypted DNS requests can't just be passively sniffed. Something similar should happen here.
I'd blame the airline or their ISP provider for sending unencrypted traffic through the air like this. Not the satellite, but its top level customer. There's a big difference, IMHO, between your ISP being able to sniff your fiber traffic, and your traffic being observable from ~30% of the globe.
I don't know if you've ever tried to actually use in flight wifi, but any traffic not subject to inspection is heavily throttled to the point of being unusable.
ESNI is also a technology in search of a problem. It does not provide any meaningful security benefits.
This. Bytes on every medium can be snooped. Internetworking means that your bytes go on mediums you don't know about and don't control. There's no such thing as a link where encryption is not needed, except localhost.
It was only successful because of Let's Encrypt removing any excuse for not having HTTPS on your website, HSTS becoming a thing, and Chrome moving from gentle inducements (that cute green padlock) to nasty looking warnings if you didn't use encryption.
No, that was after, and it made it easy, but before google many people said there was no point "because their site wasnt sensitive". Those people didn't care about let's encrypt or how easy it was, they just didn't find a reason to do it. Google gave them a monetary reason to do it.
What are you talking about? It was an absolute failure.
As soon as we got widespread TLS adoption, Cloudflare magically came along and wooed all the nerds into handing over all the plaintext traffic to a single company.
- T-Mobile backhaul: Users' SMS, voice call contents and internet traffic content in plain text.
- AT&T Mexico cellular backhaul: Raw user internet traffic
- TelMex VOIP on satellite backhaul: Plaintext voice calls
- U.S. military: SIP traffic exposing ship names
- Mexico government and military: Unencrypted intra-government traffic
- Walmart Mexico: Unencrypted corporate emails, plaintext credentials to inventory management systems, inventory records transferred and updated using FTP
This is insane!
While it is important to work on futuristic threats such as Quantum cryptanalysis, backdoors in standardized cryptographic protocols, etc. - the unfortunate reality is that the vast majority of real-world attacks happen because basic protection is not enabled. Good reminder not take our eyes off the basics.
Oops
Another round of OpSec training
Not as insane as it was in the early 2000s…
> while link-layer encryption has been standard practice in satellite TV for decades
Before Snowden, I would say 99% of ALL TCP traffic I saw on satellites was in unadulterated plain-text. Web and email mostly.
… the pipe was so fast, you could only pcap if you had a SCSI hard drive!
His base satellite signal was unencrypted and a main reason he used it for this purpose. Our channel was scrambled, and only verifiable after our receiver with the decoder was connected. It was impressive seeing someone that good at their job make it look so easy, but after he explained the layman's version of orbital slots it became less magical. This is why magicians are meant to not tell you how the trick is done.
Not even WPA or WEP. Just clear across the sky. And this is terrestrial.
My bet is that in space there would be a noticable increase in heat/energy if they did encryption by default. But its still incredible to see them pretend like space is impossible to get to, ultimate obscurity.
Why would it? The data originates from earth, and should be encrypted during the uplink leg too, so the crypto should all happen in the ground segment (or even well before it reached anything that could be considered part of the satellite setup, honestly).
>Encryption imposes additional overhead to an already limited bandwidth, decryption hardware may exceed the power budget of remote, off-grid receivers, and satellite terminal vendors can charge additional license fees for enabling link-layer encryption. In addition, encryption makes it harder to troubleshoot network issues and can degrade the reliability of emergency services.
So, the only suggestion that there would be greater heat/energy if they did encryption by default is the part about decryption (receiver) hardware having limited power budgets in some cases. There's more than what I copy-and-pasted above, but the overall message is that lots of organizations haven't wanted to pay the direct costs of enabling encryption... although they should.
EDIT: Link to Q&A https://satcom.sysnet.ucsd.edu/#qanda
The reason security is so bad everywhere is that nobody gets fired when there's a breach. It's just blamed on the hackers and everyone just goes on with life singing "We take security very seriously--this happened because of someone else!"
At least here in the EU we're moving toward personal responsibility for C level's who don't take IT and OT security serious in critical sectors, but in my anecdotal experience that is the first time anything regarding security has actually made decision makers take it serious. A lot of it is still just bureaucracy though. We have a DORA and NIS2 compliant piece of OT that is technically completely insecure but is compliant because we've written a detailed plan on how to make it secure.
this must mean the consequences of such a breach has either not produced any visible damage, or the entity being damaged is uncaring (or have no power to care).
Yeah lets say you were carrying unencrypted frames for Bills Burger Hut.
The largest extent of the damage might be sniffing some smtp credentials or something. Bill sends some spam messages, never figures out how it was done but their IP reputation is always in the toilet.
Lets then say instead of Bills Burger Hut, you are carrying traffic for critical mineral and food industries. The attacker isnt a scammer, but a hostile nation state. Customer never realises, but theres a large, long term financial cost because (TOTALLY NOT CHINA) is sharing this data with competitors of yours overseas, or preparing to drop your pants in a huge way for foreign policy reasons.
No one gets fired until after the worst case long term damage, and even then probably not.
In fact, the likely outcome is that the burden gets moved to the customer for L2 encryption and the cowboy never changes.
Imagine jailing doctors for every patient that died you would be out of doctors quite soon.
Eg. doctors do get sued and fired for malpractice, if they did something no other skilled doctor would reasonably do ("let's just use the instruments from the previous surgery").
Instead we're constantly asked to sign one-sided contracts ("EULAs") which forbid us from suing. If a company's incompetence results in my data being leaked on the internet, there's no consequences. And not a thing any of us can do about it.
The disadvantage of this is that the local data protection agencies haven't been handing out very big fines. Sometimes that's due to company law. In my country you'd fine the owning company, which in many cases will be a holding company. Since fine sizes are linked to revenue and a holding company typically has no revenue, this means fines are often ridicilously small.
Now, management, control, etc? Yeah those you need to decode in orbit.
Wouldn't this still leak metadata for routing?
> Panasonic told us that enabling encryption could incur a 20–30% capacity loss. In addition, when using IPsec, ESP and IP headers can introduce 20–30 bytes of overhead, which is nontrivial for small-packet applications like VoIP and video calls
If you were in say, Alice Springs in Australia (wink wink) for example, you'd be able to see traffic for Indonesia, Philippines, most of South East Asia, and perhaps parts of China, South Korea and Japan if the beams are right.
location location location is an apt phrase for more than just real estate
Pine Gap is a large facility for collecting data coming down from our own satellites.
Foreign satellite collection in Australia happens at two other facilities: https://en.wikipedia.org/wiki/Shoal_Bay_Receiving_Station https://en.wikipedia.org/wiki/Australian_Defence_Satellite_C...
Wired: https://www.wired.com/story/satellites-are-leaking-the-world...
I'm going to dust off the TBS DVB-S2X card and try to find a data transponder to test the DontLookup app. https://github.com/ucsdsysnet/dontlookup
Where I live, it's almost impossible to find any interest in FTA or pirated SAT TV.
att: ham radio operator interested in satellite radio :D
https://doi.org/10.1145/3719027.3765198
>The DOI has not been activated yet.
Obviously the specific examples of end-users failing to encrypt are bad, but that's not really a problem with the satellites.
I'd blame the airline or their ISP provider for sending unencrypted traffic through the air like this. Not the satellite, but its top level customer. There's a big difference, IMHO, between your ISP being able to sniff your fiber traffic, and your traffic being observable from ~30% of the globe.
ESNI is also a technology in search of a problem. It does not provide any meaningful security benefits.
There was a surprising amount of resistance to the push to enable TLS everywhere on the public Internet. I'm glad it was ultimately successful.
What are you talking about? It was an absolute failure.
As soon as we got widespread TLS adoption, Cloudflare magically came along and wooed all the nerds into handing over all the plaintext traffic to a single company.