There are sensitive internal links in the clear on GEO satellites [pdf]
30 comments
·October 14, 2025dsab
I was working in space industry and ECSS security guidelines are missleading grant seeking startups to try to reinvent TLS on orbit. There are to mamy bureaucracy. ECSS guidelines for software teams were created by people who never written a Hello World in their life, just look at specs of ECSS Packet Utilisation Service, it's a joke, that's why I prefer to work for VC funded companies than grant funded.
protocolture
Had a vendor offer a customer of mine a huge discount if they purchased radios without the encryption license in the year of our lord 2024.
Not even WPA or WEP. Just clear across the sky. And this is terrestrial.
My bet is that in space there would be a noticable increase in heat/energy if they did encryption by default. But its still incredible to see them pretend like space is impossible to get to, ultimate obscurity.
tgsovlerkhgsel
> My bet is that in space there would be a noticable increase in heat/energy if they did encryption by default.
Why would it? The data originates from earth, and should be encrypted during the uplink leg too, so the crypto should all happen in the ground segment (or even well before it reached anything that could be considered part of the satellite setup, honestly).
ryandrake
Likely no consequences to the decision-makers for data exfiltration or other shenanigans happening, so there's nothing motivating a behavior change.
The reason security is so bad everywhere is that nobody gets fired when there's a breach. It's just blamed on the hackers and everyone just goes on with life singing "We take security very seriously--this happened because of someone else!"
chii
> nobody gets fired when there's a breach
this must mean the consequences of such a breach has either not produced any visible damage, or the entity being damaged is uncaring (or have no power to care).
protocolture
>this must mean the consequences of such a breach has either not produced any visible damage
Yeah lets say you were carrying unencrypted frames for Bills Burger Hut.
The largest extent of the damage might be sniffing some smtp credentials or something. Bill sends some spam messages, never figures out how it was done but their IP reputation is always in the toilet.
Lets then say instead of Bills Burger Hut, you are carrying traffic for critical mineral and food industries. The attacker isnt a scammer, but a hostile nation state. Customer never realises, but theres a large, long term financial cost because (TOTALLY NOT CHINA) is sharing this data with competitors of yours overseas, or preparing to drop your pants in a huge way for foreign policy reasons.
No one gets fired until after the worst case long term damage, and even then probably not.
In fact, the likely outcome is that the burden gets moved to the customer for L2 encryption and the cowboy never changes.
josephg
End user license agreements are a huge part of the problem. Ideally users could sue if our data is leaked - and the threat of being sued would put pressure on companies to take security more seriously. Ie, it would become a business concern.
Instead we're constantly asked to sign one-sided contracts ("EULAs") which forbid us from suing. If a company's incompetence results in my data being leaked on the internet, there's no consequences. And not a thing any of us can do about it.
lmm
Or the damage is diffuse whereas the costs of preventing the breach would be concentrated. Or the connection between the damage and the breach is difficult to prove.
ryandrake
Or, the entity being damaged is not the decision maker and has no power to hold the decision maker responsible.
mjevans
Why does Space need to decrypt a vast majority of the traffic? Flow can be just as brick not-smart as fiber optic cables under the sea.
Now, management, control, etc? Yeah those you need to decode in orbit.
astrange
Encryption is basically free as far as I know, but it is more complex and it must be hard to get software updates up there.
trenchpilgrim
It is almost free on modern CPUs that have hardware acceleration, yea
tgsovlerkhgsel
Wireguard uses ChaCha20, which to my knowledge neither has nor requires HW acceleration to be fast.
dooglius
The encryption of the payload doesn't need to take place on the satellites
protocolture
Thats very true.
lambdaone
Absolutely mind-boggling that this is a thing; not just that satellite links aren't per-user link-encrypted, but also that people are still using unencrypted protocols to exchange sensitive information on the public internet in 2025.
modeless
> remarkably, nearly all the end-user consumer Internet browsing and app traffic we observed used TLS or QUIC
There was a surprising amount of resistance to the push to enable TLS everywhere on the public Internet. I'm glad it was ultimately successful.
null
fennec-posix
Section 6.3.2 is an eye-opener... good lord... Gets even worse at 6.4.2-3
lambdaone
It's absolutely jaw-dropping. Either no-one at these companies was capable of understanding the problem, or no-one cared enough to do something about it.
throwing_away
Likely both.
ROBLOX_MOMENTS
Is it correct to Assuming the amount of Mexican companies in this paper is because of their receiver being in the major city southwestmost corner of the country ?
fennec-posix
Yeah that's correct. The study was conducted in San Diego which falls under the satellite beam footprint required for services in Mexico.
If you were in say, Alice Springs in Australia (wink wink) for example, you'd be able to see traffic for Indonesia, Philippines, most of South East Asia, and perhaps parts of China, South Korea and Japan if the beams are right.
dylan604
> wink wink
location location location is an apt phrase for more than just real estate
bediger4000
I'm not so good at hints. Are you gesturing at the NSA facility at Pine Gap?
jf
That’s my interpretation
wyager
I see no issue with the satellite backhaul itself being unencrypted; anyone using the satellite provider should assume they're hostile and encrypt+authenticate everything they send anyway. I don't trust my ISP's fiber to be snoop-resistant just because they nominally have some shitty ONT encryption.
Obviously the specific examples of end-users failing to encrypt are bad, but that's not really a problem with the satellites.
As with anything in life, when it's what you know and do on the regular, that simple thing can look like magic to others. I met an old timer in the satellite business that came out to help install our receiver for a new TV channel the company I was at was getting off the ground. He found out what bird we were using and what its slot was. Based on that, he knew how many satellites over from the satellite he knew and used as his base. It was a long time running TV channel that he could find very quickly. Once that bird was located, he just manually (literally pushed the dish with his hand) counting the number of satellites that came in/out of view until he landed on "our" bird. Once there, connected our receiver and baddaboom baddabing, there it was. Once the satellite was pointed at the proper angle to the south, it took less than five minutes from him connecting his receiver to verify his base signal to packing up and heading off the roof.
His base satellite signal was unencrypted and a main reason he used it for this purpose. Our channel was scrambled, and only verifiable after our receiver with the decoder was connected. It was impressive seeing someone that good at their job make it look so easy, but after he explained the layman's version of orbital slots it became less magical. This is why magicians are meant to not tell you how the trick is done.