What confuses me is what they mean by “corporate VPN data containing unencrypted login details.” Unless the VPN server connects to the backend servers with unencrypted traffic through these satellites (which definitely should not happen) then this should not be possible.
From, the paper: https://satcom.sysnet.ucsd.edu/docs/dontlookup_ccs25_fullpaper.pdf
Geosynchronous (GEO) satellite links provide IP backhaul to remote critical infrastructure for utilities, telecom, government, military, and commercial users […]
There are thousands of GEO network links in operation today, carried by 590 GEO satellites orbiting Earth. Each satellite may carry traffic for dozens of independent networks through an array of on-board transponders, each covering a diameter of thousands of kilometers (at most a third of Earth’s surface). GEO IP links are established by leasing time on a transponder and aiming dishes for Earth-based terminals and hubs at that transponder. The ecosystem of equipment to support IP-based GEO links is mature and heterogeneous: at least 10 different vendors sell terminal and hub systems that each use their own proprietary protocol stacks to provide GEO networking.
These companies are leasing these satellite links for various purposes and then transmitting their network data over the links with no encryption. You can, for about $600 and some software (https://github.com/ucsdsysnet/dontlookup) read this data.
The researchers discovered data from US Military, Walmart-Mexico, AT&T, Government of Mexico, TelMex, Grupo Santander, Intelsat, Panasonic Avionics, WiBo, KPU. The researchers disclosed the vulnerability to all of these entities between 2024 and 2025.
Someone (I don’t know who but T-Mobile is the only cellular carrier in their list…) was transmitting call and text data, in plaintext:
When we unexpectedly discovered unencrypted voice and SMS communications in our data, we ceased collection on those transpon- ders, encrypted the relevant data, and consulted again with our lawyers, who helped facilitate disclosure with affected vendors.
Yah, I am sure there is a ton of unencrypted data of some form flowing, but anything end-to-end encrypted would be unreadable.
Is it even possible to configure something like wireguard so incorrectly that it’s unencrypted?
I guess lots of companies still use some ancient proprietary thing
I mean US hospitals still use fax machines and banks use OTP over SMS, so all things are possible I guess.
It reads like “definitely should not happen” was indeed happening!
I wonder if some techs got a basic unencrypted test working, then a pointy haired boss moved them on to another project and it got deployed into use with no-one setting up the encryption.
More likely “encryption in satellites is expensive, so let’s not do that. Pennies saved on my quarterly report, yay!”.
