Why Satellite Companies Haven’t Encrypted Most Communications?

Why Satellite Companies Haven’t Encrypted Most Communications?

A groundbreaking study, awarded the Distinguished Paper Award at ACM CCS 2025, has revealed that a significant portion of global satellite communications remains unencrypted, exposing sensitive data from governments, corporations, and individuals to hackers with relatively inexpensive equipment.

​Researchers Discover Critical Security Flaw: Satellite Companies Transmitting Sensitive Data Without Encryption

Distinguished paper reveals how hackers can intercept unencrypted communications from geostationary satellites

A groundbreaking study set to be presented at the ACM Conference on Computer and Communications Security (CCS) 2025 has exposed a significant vulnerability in modern satellite communications: many satellite operators are transmitting sensitive internal data without encryption, leaving it exposed to anyone with the right equipment.

The research, titled “Don’t Look Up: There Are Sensitive Internal Links in the Clear on GEO Satellites,” was conducted by teams from the University of California, San Diego and the University of Maryland.

The work has already earned recognition as a Distinguished Paper Award winner at the prestigious security conference.

The Current State of Satellite Encryption

The study reveals a troubling reality about geostationary (GEO) satellites—those that orbit Earth at approximately 22,000 miles above the equator, maintaining a fixed position relative to the ground.

While these satellites form the backbone of global telecommunications, broadcasting, and internet services, many operators fail to encrypt critical internal communications transmitted via these spacecraft.

According to the researchers, the problem centers on “feeder links”—the connections between ground stations and satellites that carry operational data, network traffic, and sometimes even customer information before it’s redistributed to end users.

While consumer-facing satellite services often employ encryption for the “last mile” to users’ homes or devices, the internal infrastructure frequently operates in the clear.

Why Satellite Companies Skip Encryption

Several factors contribute to why satellite operators have historically avoided encrypting their internal communications:

Legacy infrastructure:

Many satellite systems were designed decades ago when cybersecurity threats were less sophisticated and the computational overhead of encryption was more significant. Upgrading these systems requires substantial investment.

Performance concerns:

Encryption and decryption processes add latency and require additional processing power—both precious commodities in satellite communications where bandwidth is expensive and signal delay is already an issue due to the vast distances involved.

Cost considerations:

Implementing robust encryption across satellite networks requires hardware upgrades at ground stations, potential satellite replacements, and ongoing key management infrastructure—all representing significant capital expenditure.

False sense of security:

The research suggests that some operators may have assumed the technical difficulty of intercepting satellite signals provided sufficient protection, operating under “security through obscurity.”

What Hackers Can Intercept

The researchers’ findings paint a concerning picture of the type of information vulnerable to interception from unencrypted satellite links:

• Network topology and routing information: Details about how satellite networks are structured, which could help attackers identify high-value targets or plan more sophisticated attacks.
• Operational telemetry: Data about satellite health, positioning, and control commands that could potentially be exploited to interfere with satellite operations.
• Unencrypted user traffic: In some cases, actual customer data passing through the satellite infrastructure before final encryption is applied, including potentially sensitive communications.
• Internal corporate communications: Messages between ground stations and network operations centers that may contain proprietary business information or operational details.
• Authentication credentials and network management data: Information that could be used to gain unauthorized access to satellite control systems or connected ground infrastructure.

The study demonstrates that with commercially available equipment—including software-defined radios costing just a few hundred dollars—determined attackers can position themselves to receive these unencrypted transmissions.

The researchers emphasize they conducted their work ethically, without intercepting actual user data, but proved the vulnerability exists.

Implications and the Path Forward

The research arrives at a critical moment for the satellite industry. With companies like SpaceX’s Starlink, Amazon’s Project Kuiper, and OneWeb deploying massive constellations of new satellites, and with increasing reliance on satellite communications for everything from rural internet to military operations, security vulnerabilities carry heightened consequences.

The researchers advocate for several measures: mandatory encryption standards for all satellite communications, including internal feeder links; modernization of legacy satellite infrastructure; and greater transparency from satellite operators about their security practices.

“The attitude of ‘it’s too expensive to intercept’ or ‘nobody’s looking up’ no longer holds in an era of sophisticated cyber threats and accessible technology,” the research implies, calling for the satellite industry to prioritize encryption as a fundamental requirement rather than an optional add-on.

As satellite communications become increasingly integral to global connectivity, the study serves as a wake-up call: security cannot be an afterthought in the infrastructure that connects our world.