T-Mobile

A research team from UC San Diego and the University of Maryland intercepted unencrypted satellite communications, exposing critical vulnerabilities in T-Mobile’s backhaul systems. Over a nine-hour session, they accessed **phone numbers, call logs, and text messages of over 2,700 users** via T-Mobile’s satellite links. While the interception was one-sided (only incoming data to users was exposed, not outgoing), the breach revealed systemic failures in encryption protocols. The researchers used **off-the-shelf equipment costing under $600** to exploit this flaw, demonstrating how easily malicious actors could replicate the attack. T-Mobile was notified and later implemented encryption, but the incident highlights the risks of unsecured satellite-based cellular infrastructure, where **location data, communication metadata, and potentially sensitive user interactions** were left exposed to passive eavesdropping. The breach underscores the broader industry neglect of satellite security, with implications for both consumer privacy and national security, given that military and law enforcement communications were similarly vulnerable in the study.

Source: https://www.pcgamer.com/software/security/they-just-really-didnt-think-anyone-would-look-up-researchers-snooped-on-unencrypted-satellite-data-with-basic-equipment-finding-private-calls-text-messages-and-even-military-communications/

TPRM report: https://www.rankiteo.com/company/t-mobile

"id": "t-m5362753101525",
"linkid": "t-mobile",
"type": "Breach",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '2,700+ (metadata exposure)',
                        'industry': 'Telecommunications',
                        'location': 'USA',
                        'name': 'T-Mobile',
                        'size': 'Large (Fortune 500)',
                        'type': 'Telecommunications Provider'},
                       {'industry': 'Energy/Utilities',
                        'location': ['USA', 'Global (via satellite)'],
                        'name': 'Unnamed Utility Companies (Oil Rigs, '
                                'Electricity Providers)',
                        'type': 'Critical Infrastructure'},
                       {'industry': 'Defense',
                        'location': 'Global',
                        'name': 'US Military (Sea Vessels)',
                        'type': 'Government/Defense'},
                       {'industry': 'Defense/Law Enforcement',
                        'location': 'Mexico',
                        'name': 'Mexican Military/Law Enforcement',
                        'type': 'Government/Defense'},
                       {'industry': 'Retail',
                        'location': 'USA',
                        'name': 'Walmart (mentioned as remediated)',
                        'size': 'Large (Fortune 1)',
                        'type': 'Retail'},
                       {'name': 'KPU (mentioned as remediated)'}],
 'attack_vector': ['Passive Eavesdropping',
                   'Unencrypted Satellite Transmissions',
                   'Lack of Signal Encryption'],
 'data_breach': {'data_encryption': 'None (unencrypted transmissions)',
                 'data_exfiltration': 'Passive interception (no active '
                                      'exfiltration)',
                 'file_types_exposed': ['Voice call metadata',
                                        'Text message metadata',
                                        'Operational logs',
                                        'Maintenance records',
                                        'Location data'],
                 'number_of_records_exposed': ['2,700+ (T-Mobile users)',
                                               'Unknown (military/utility '
                                               'data)'],
                 'personally_identifiable_information': ['Phone numbers '
                                                         '(T-Mobile users)',
                                                         'Military/law '
                                                         'enforcement '
                                                         'personnel locations'],
                 'sensitivity_of_data': ['High (military/law enforcement)',
                                         'Medium (utility infrastructure)',
                                         'Low (T-Mobile metadata)'],
                 'type_of_data_compromised': ['Call/text metadata (phone '
                                              'numbers, timestamps)',
                                              'Military/law enforcement '
                                              'operational data (locations, '
                                              'mission details)',
                                              'Utility infrastructure '
                                              'communications',
                                              'Vessel/asset maintenance '
                                              'records']},
 'description': 'A team of researchers from UC San Diego and the University of '
                'Maryland intercepted unencrypted satellite communications '
                'over three years using off-the-shelf equipment. The '
                'intercepted data included T-Mobile cellular network '
                'calls/texts, in-flight Wi-Fi, utility infrastructure '
                'communications (oil rigs, electricity providers), and '
                'sensitive military/law enforcement transmissions (locations, '
                'mission details, asset tracking). The study revealed '
                'widespread lack of encryption in satellite communications, '
                'exposing critical infrastructure and personal data to passive '
                'interception.',
 'impact': {'brand_reputation_impact': ['Potential erosion of trust in '
                                        'satellite communication providers',
                                        'Negative publicity for T-Mobile, '
                                        'affected utilities, and military '
                                        'agencies'],
            'data_compromised': ['T-Mobile user call/text metadata (2,700+ '
                                 'users)',
                                 'In-flight Wi-Fi communications',
                                 'Utility infrastructure comms (oil rigs, '
                                 'electricity providers)',
                                 'US military sea vessel names/locations',
                                 'Mexican military/law enforcement '
                                 'intelligence (narcotics tracking, asset '
                                 'maintenance, mission details)',
                                 'Military/law enforcement '
                                 'personnel/equipment/facility locations'],
            'identity_theft_risk': ['Low (metadata-only for T-Mobile users)',
                                    'High for military/law enforcement '
                                    'personnel (location/mission details '
                                    'exposed)'],
            'legal_liabilities': ['Potential wiretapping violations '
                                  '(investigated but not prosecuted)',
                                  'Regulatory scrutiny for affected entities'],
            'operational_impact': ['Exposure of sensitive military/law '
                                   'enforcement operations',
                                   'Risk to critical infrastructure (oil rigs, '
                                   'electricity grids)',
                                   'Potential compromise of personnel safety'],
            'systems_affected': ['T-Mobile satellite backhaul',
                                 'In-flight Wi-Fi systems',
                                 'Utility infrastructure satellite comms (oil '
                                 'rigs, electricity providers)',
                                 'US military sea vessel communications',
                                 'Mexican military/law enforcement satellite '
                                 'networks']},
 'investigation_status': 'Completed (academic study); partial remediation by '
                         'notified entities',
 'lessons_learned': ["Widespread assumption of 'security through obscurity' in "
                     'satellite communications is flawed.',
                     'Critical infrastructure and military systems rely on '
                     'unencrypted satellite links, creating systemic risk.',
                     'Low-cost equipment can intercept high-value data, '
                     'lowering the barrier for adversaries.',
                     'Passive interception of broadcast signals may not '
                     'violate laws, highlighting gaps in regulatory '
                     'frameworks.'],
 'motivation': ['Academic Research',
                'Security Awareness',
                'Vulnerability Disclosure'],
 'post_incident_analysis': {'corrective_actions': ['T-Mobile, Walmart, and KPU '
                                                   'implemented encryption '
                                                   'post-disclosure.',
                                                   'Public disclosure to '
                                                   'pressure other operators '
                                                   'into securing '
                                                   'transmissions.',
                                                   'Academic outreach to '
                                                   'satellite industry '
                                                   'stakeholders.'],
                            'root_causes': ['Lack of encryption in satellite '
                                            'backhaul systems',
                                            "Over-reliance on 'security "
                                            "through obscurity' (assumption "
                                            'that signals wouldn’t be '
                                            'intercepted)',
                                            'Absence of regulatory enforcement '
                                            'for satellite security standards',
                                            'Low awareness of interception '
                                            'risks among satellite operators']},
 'recommendations': ['Mandate encryption for all satellite communications, '
                     'especially for critical infrastructure and defense.',
                     'Implement signal authentication and access controls for '
                     'satellite transmissions.',
                     'Conduct regular audits of satellite security protocols '
                     'by third-party assessors.',
                     'Raise awareness among satellite operators about the '
                     'risks of unencrypted broadcasts.',
                     'Develop international standards for secure satellite '
                     'communications.'],
 'references': [{'source': 'Wired Magazine'},
                {'source': 'UC San Diego/University of Maryland Study (PDF)'}],
 'regulatory_compliance': {'regulations_violated': ['Potential violations of '
                                                    'wiretapping laws '
                                                    '(investigated but not '
                                                    'prosecuted)',
                                                    'Sector-specific '
                                                    'encryption requirements '
                                                    '(e.g., defense, '
                                                    'telecommunications)'],
                           'regulatory_notifications': ['Informal '
                                                        'notifications by '
                                                        'researchers to '
                                                        'affected entities']},
 'response': {'communication_strategy': ['Media interviews (Wired)',
                                         'Academic paper publication'],
              'containment_measures': ['Encryption implemented by T-Mobile, '
                                       'Walmart, KPU post-disclosure'],
              'incident_response_plan_activated': ['Partial (by some affected '
                                                   'entities '
                                                   'post-notification)'],
              'remediation_measures': ['Notification to affected entities',
                                       'Public disclosure to raise awareness'],
              'third_party_assistance': ['Academic researchers (UC San Diego, '
                                         'University of Maryland)']},
 'stakeholder_advisories': ['Researchers notified affected companies/agencies; '
                            'some implemented encryption'],
 'threat_actor': ['Academic Researchers (UC San Diego, University of Maryland)',
                  'Potential State-Sponsored Actors (hypothetical)',
                  'Potential Criminal Groups (hypothetical)'],
 'title': 'Unencrypted Satellite Communications Interception by Academic '
          'Researchers',
 'type': ['Data Interception',
          'Unauthorized Access',
          'Privacy Violation',
          'Infrastructure Vulnerability'],
 'vulnerability_exploited': ['Unencrypted Satellite Backhaul',
                             'Lack of Signal Authentication',
                             'Over-the-Air Broadcast Without Protection']}