Monday, October 20, 2025

Researchers find much Mexican satellite data is unencrypted and easily hacked

Using inexpensive equipment installed on a rooftop in San Diego, computer scientists from two universities in the United States were able to observe unencrypted satellite data belonging to the Mexican government and military and several Mexican companies.

The scientists from the University of California, San Diego (UCSD), and the University of Maryland (UMD), detailed the findings of their study of geostationary satellites in a paper published this week under the title “Don’t Look Up: There Are Sensitive Internal Links in the Clear on GEO Satellites.”

Much of the observation for the research was made from a simple rooftop in San Diego, California. (@Mortyzhang0311/onX)

“GEO satellites have been shown to be particularly susceptible to interception attacks,” the scientists wrote.

“… Given that any individual with a clear view of the sky and US $600 can set up their own GEO interception station from Earth, one would expect that GEO satellite links carrying sensitive commercial and government network traffic would use standardized link and/or network layer encryption to prevent eavesdroppers,” they wrote.

The six scientists from UCSD and UMD found that wasn’t the case in their “scan of IP traffic on 39 GEO satellites across 25 distinct longitudes with 411 transponders.”

In a summary of their work, they said that “a shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens’ voice calls and SMS, and consumer Internet traffic from in-flight wifi and mobile networks.”

If you are an electricity customer in Mexico, there is a chance that your name, address and account number were observed by the UCSD and UMD computer scientists during their seven-month study in 2024 and early 2025.

While the study carried out by the U.S.-based scientists didn’t have malicious intent, their work shows that people who do have such intent could access sensitive government, company and personal data using affordable technology, provided they have the necessary technical know-how.

“In this work, we demonstrate the feasibility of an attacker whose goal is to observe satellite traffic visible from their position by passively scanning as many GEO transmissions from a single vantage point on Earth as possible,” the scientists wrote.

“This form of widescale interception has previously been assumed to only be feasible with state actor-grade equipment and software. More precisely, we demonstrate that a low-resource attacker, using COTS [commercial off-the-shelf], low-cost equipment can reliably intercept and decode hundreds of links from a single vantage point,” they said.

The computer scientists’ GEO interception station setup included a $180 satellite dish, a $195 dish motor, a $230 USB tuner card and other inexpensive “miscellaneous components.”

Mexican government and military data intercepted 

The scientists used what they called “low-cost consumer-grade satellite equipment” to “comprehensively survey GEO satellite usage” from a UCSD building in La Jolla, an upper-income neighborhood in San Diego.

They said that they “observed unencrypted satellite traffic belonging to government and military for multiple countries,” including Mexico and the United States.

The University of California, San Diego, publicized this explanatory image, giving the impression of how easily data can be intercepted if it’s not encrypted. (UCSD)

“We observed unencrypted satellite traffic from multiple organizations within the Mexican government, including military, law enforcement, and government agencies,” the scientists wrote.

“These unencrypted links appear to be used to connect remote command centers, surveillance outposts, and mobile units via commercial satellite backhaul.”

The scientists said they observed “large amounts of unencrypted HTTP traffic” belonging to the Mexican government, including:

  • References to military terminals, regions, and zones.
  • Law enforcement asset inventory, personnel records, and traffic monitoring.
  • Incident reporting, case tracking, and evidence documentation by field personnel and administrative staff, including narcotics activity.
  • Military asset tracking records for aircraft, sea vessels, armored vehicles, and LIDAR and RADAR, including data on locations, deployments, mission roles, and maintenance logs.
  • Real-time military object telemetry with precise geolocation, identifiers, and live telemetry.

Data from CFE, Walmart México, Telmex, Banorte, Banjército and AT&T México also observed 

In their paper, the UCSD and UMD scientists also said that they had observed data from a number of Mexican companies, including the state-owned Federal Electricity Commission (CFE) and the bank Banorte.

CFE

The scientists said they “observed one transponder carrying unencrypted CFE internal communications.”

The communications they saw included “responses for customer service and maintenance work orders with locations, urgency levels, and customer names, addresses, account numbers, and tariff types.”

Walmart México

The scientists said they identified “three satellite beams carrying unencrypted Walmart México internal system traffic that could be received across North America.”

Among the “notable internal network traffic” they observed were unencrypted logins to Walmart México’s inventory management system and unencrypted internal corporate emails.

Santander México, Banjército and Banorte

The scientists also intercepted and observed unencrypted data from these three financial institutions. Santander and Banorte are large commercial banks while Banjército is a bank affiliated with the Mexican military.

In the case of Santander, the scientists said they observed unencrypted traffic related to ATM infrastructure.

In the case of Banjército and Banorte, the scientists said they identified “extensive unencrypted satellite traffic linked to the internal infrastructure of both banks being transmitted.”

They didn’t specifically mention that they were able to see personal and account data of customers of the three banks.

AT&T México

The scientists said they observed “unencrypted cellular backhaul traffic” from AT&T México, including “protocol metadata and cellular network signaling protocols, and raw user Internet traffic.”

“… In a 30-minute recording, we observed 710 users’ phone numbers and related control and Internet traffic,” they said.

Telmex

The scientists said their analysis “identified three satellite beams carrying unencrypted Telmex VoIP traffic,” or Voice over Internet Protocol traffic.

They said they observed “unencrypted satellite backhaul traffic that included the plaintext contents of user voice calls, and protocol metadata and cellular signaling protocols.”

The scientists informed the Mexican government and companies of their vulnerabilities 

The scientists said in their paper that they disclosed the vulnerabilities that affected the Mexican government, Telmex, Grupo Santander México, Banjército, and Banorte to CERT-MX on April 4, 2025.

CERT-MX is Mexico’s National Cybersecurity Incident Response Center, which is part of the National Guard.

The scientists said that they disclosed Walmart México’s vulnerabilities to that company in January and “had in-depth conversations with them.”

They also said that they separately contacted Santander and AT&T.

The scientists said they were “only publishing information about affected systems and naming relevant parties” after the identified issues had been remediated “or an industry-standard 90-day disclosure window” had elapsed “without response or justification for extending the embargo.”

In the paper’s “Discussion and Conclusions” section, they said that “there is a clear mismatch between how satellite customers expect data to be secured and how it is secured in practice.”

While “cell phone traffic is carefully encrypted at the radio layer between phone and tower to protect it against local eavesdroppers, it is shocking to discover that these private conversations were then broadcast to large portions of the continent, and that these security issues were not limited to isolated mistakes,” the scientists wrote.

They acknowledged that there are a range of “impediments to encryption” on satellite data, including encryption’s impact on efficiency by “incurring additional bandwidth overhead costs.”

The scientists also said they had discovered that “no auditing tools exist that allow vendors to audit the security of their own satellite backhaul.”

“Our work has identified multiple unintentional misconfigurations among organizations who had intended to enable encryption,” they wrote.

Mexico News Daily 
