Iridium Security Talk @ Navaja Negra Security Conference 2025

The Iridium satellite constellation represents one of the world's most important satellite communication systems. Recognized for its truly global coverage and connectivity, this Low Earth Orbit (LEO) satellite network enables communications at virtually any point on the planet, including remote areas, oceans, and polar regions where other technologies simply cannot reach.
Through its networks, Iridium constantly transmits a large amount of data: GPS coordinates, short messages, emails, and even audio calls. It is used by governments, businesses, emergency teams, and individuals who require reliable connectivity beyond the reach of terrestrial networks.

IRIDIUM SIGINT… FOR THE GOOD?
This constellation, whose operation dates back to the early 1990s, also raises important questions about the security of these satellite communications.
The talk presented a complete case study, from start to finish, demonstrating how an attacker with relatively accessible resources can receive and analyze these satellite communications to obtain sensitive information, and how various seemingly unconnected elements can be combined to achieve that objective.
The process begins with gathering publicly available information in technical documents, Iridium protocol specifications, and data leaked on platforms like WikiLeaks, which have in the past revealed details about satellite communication infrastructures and their potential vulnerabilities.

The next step involved setting up equipment with a basic antenna, an LNB, and an SDR (Software Defined Radio), a technology that allows receiving and decoding radio signals across various frequencies. SDRs, which years ago were prohibitively expensive, are now within reach of any enthusiast, with budgets ranging from a few hundred to a few thousand dollars.
The presentation concluded by addressing how, through tests conducted over time and the application of artificial intelligence models and other open-source tools, it is possible to automate and optimize the capture process, as well as the analysis of these signals, identifying patterns and extracting valuable information more efficiently than with manual methods.
Analysis of captured data
During the talk, a detailed analysis was performed of the information that can be extracted from these captures. Several methods and open-source tools currently available in the information security and amateur radio community were presented for extracting and decoding data from these satellite signals.
These tools, although originally developed for legitimate research purposes, highlight the relative ease with which satellite communications can be monitored.
Automation and scalability: the real risk
Particularly relevant is the combination of multiple techniques to achieve a common objective. In this case, a hypothetical malicious actor could obtain information automatically and with minimal effort. The use of artificial intelligence models to process captures, analyze the content of communications, and generate an optimized workflow presents a considerably more complex and concerning scenario.
The problem is no longer limited solely to how potentially sensitive information can be intercepted due to security vulnerabilities in the Iridium network. The true threat lies in the capacity an attacker can develop to process large volumes of information with minimal resources and effort, transforming what previously required specialized teams and hours of manual work into an almost completely automated process.

One tool to rule them all
One of the most interesting aspects of this presentation is the demonstration of a work-in-progress project: a tool specifically designed to simplify the analysis of PCAP (Packet Capture) files obtained during the Iridium signal capture process.
This utility considerably simplifies the workflow by consolidating into a single tool what currently requires manually executing multiple commands scattered across different tools. Instead of having to chain scripts, manually filter data, and alternate between different applications and parameters, this tool centralizes the entire filtering and analysis process.
The objective is a tool that improves the study and understanding of how information is structured in Iridium communications, so that better ways to protect it can be investigated.
Mitigations and paths toward security in Iridium
Government users
During the talk, not only were security problems exposed, but also various mitigation strategies to protect these satellite communications.
Among the main recommendations presented, the application of FIPS-140-2 standards and, more recently, FIPS-140-3 (Federal Information Processing Standards) stands out, especially critical for organizations that require compliance with government and national security regulations. It's important to note that FIPS-140-3 officially replaced FIPS-140-2 as the current standard between 2019 and 2021.
Another essential measure mentioned was implementing additional end-to-end encryption as an extra layer. It's important not to rely solely on the native security of the satellite network, but to add an extra layer of protection that remains under the end user's control. This approach ensures that even if communications are intercepted at the satellite network level, the content remains inaccessible to unauthorized third parties.
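As an added illustration of the user-controlled extra layer described above (this is not code from the talk or from any Iridium product), the sketch below wraps each message in AES-256-GCM before it reaches the satellite terminal and rejects replayed or modified frames on receipt. The function names, the pre-shared 32-byte key, and the 340-byte frame limit are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const maxFrame = 340 // assumed per-message size limit of the link
// NewAEAD builds AES-256-GCM from a key that only the two endpoints hold.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 {
		return nil, errors.New("need a 32-byte AES-256 key")
	}
	return cipher.NewGCM(block)
}

// Seal returns counter(8) || ciphertext || tag(16). The counter doubles as
// the GCM nonce, so it must never repeat under the same key.
func Seal(g cipher.AEAD, counter uint64, msg []byte) ([]byte, error) {
	if 8+len(msg)+g.Overhead() > maxFrame {
		return nil, errors.New("message too large for one frame")
	}
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], counter)
	return g.Seal(append([]byte{}, nonce[4:]...), nonce, msg, nil), nil
}

// Open decrypts a frame. Counters not newer than *last are rejected as
// replays; *last advances only after the authentication tag verifies.
func Open(g cipher.AEAD, last *uint64, frame []byte) ([]byte, error) {
	if len(frame) < 8+g.Overhead() || binary.BigEndian.Uint64(frame) <= *last {
		return nil, errors.New("short, stale or replayed frame")
	}
	nonce := append(make([]byte, 4), frame[:8]...)
	msg, err := g.Open(nil, nonce, frame[8:], nil)
	if err == nil {
		*last = binary.BigEndian.Uint64(frame)
	}
	return msg, err
}

func main() {
	g, _ := NewAEAD([]byte("constructed-demo-key-32-bytes!!!")) // constructed demo key
	frame, _ := Seal(g, 1, []byte("POS 40.07N 2.13W"))          // constructed sample message
	fmt.Println(len(frame), "bytes handed to the satellite terminal")
}
```

The overlay costs 24 bytes per message (8-byte counter plus 16-byte tag), and the sender has to persist its counter across restarts so that a nonce is never reused under the same key.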
It's important to highlight that a crucial distinction was established between different generations and configurations of Iridium. The legacy constellation from the 1990s operated without any type of encryption in its commercial communications. Voice and data transmissions traveled completely in plain text, making them vulnerable to interception.
On the other hand, the Iridium NEXT constellation, completed in 2019, represents a significant improvement in terms of satellite infrastructure and capabilities. However, robust FIPS-level encryption is not inherent to NEXT satellites but requires specific user-side configurations: access through the government EMSS (Enhanced Mobile Satellite Services) gateway with FIPS-140-2/3 standards implementation, or the use of additional security modules. In fact, many commercial Iridium devices still use the legacy protocol without encryption even when communicating on the NEXT constellation.
For scenarios requiring a higher level of security, specialized security modules such as General Dynamics' Sectéra ISM2 were mentioned. This device, which is NSA-certified and was updated in 2021 with Advanced Cryptographic Capabilities (ACC), provides Type 1 Top Secret-level encryption for voice and data communications. The ISM2 module is compact, fits inside the Iridium 9575A satellite phone, and is an official solution approved under the U.S. Space Force's EMSS/FOSH (Follow On Secure Handset) program. These modules provide government-level end-to-end encryption and are used by intelligence agencies, military forces, and organizations handling classified information.
Common users and commercial alternatives
It's fundamental to clarify that most of the solutions mentioned above are not available to civilian or commercial end users. Access to the EMSS gateway with FIPS-140-2/3 encryption is reserved exclusively for U.S. government and military clients under contract with the U.S. Space Force. Similarly, the Sectéra ISM2 module is restricted to the EMSS/FOSH program and cannot be sold to the general public. This distinction is critical: a civilian user who acquires a standard Iridium satellite phone is, by default, using completely unencrypted communications vulnerable to interception.
For commercial users and private organizations requiring secure communications, there are some alternatives on the market, though with limitations. Devices such as Black Saber Group's E-Clip and E-Dock (launched in 2024) offer AES-256 end-to-end encryption for voice calls on Iridium Extreme phones, being the first commercial devices of this type. Other solutions exist such as QinetiQ Bracer or Iridium Extreme PTT that provide commercial-level encryption for group communications.
Although Iridium replaced its first-generation fleet with the more secure NEXT constellation satellites between 2017 and 2019, according to analyst Christian von der Ropp, many Iridium devices in use today, including civilian satellite phones, still depend on Iridium's first-generation radio protocol that has no encryption. "Regular satellite phones they sell still operate under the old legacy protocol. If you buy a new civilian Iridium phone, it still operates using the 30-year-old radio protocol, and is subject to the same vulnerability. You can intercept everything. You can listen to voice calls, read SMS, absolutely everything. It's a totally insecure service out of the box."
The intention of this last section of the talk is to make clear that security in satellite communications cannot depend solely on the provider's infrastructure but requires multiple layers of protection implemented by the end user. This situation underscores the importance of users understanding the true security capabilities (or lack thereof) in their devices before transmitting sensitive information.
Final reflections

The talk simply raises fundamental questions about the security of satellite communications, especially Iridium. These profound security problems are not new: they have been known for years, as exposed by Sec & Schneider in multiple talks in the past.
Although the title poses a provocative question ("for the good?"), the presentation emphasizes the need for users and satellite service providers to become aware of these vulnerabilities. The idea persists in the collective unconscious that satellite communications, such as those made through Iridium phones, offer intrinsic security due to their space-based nature. This is a false sense of protection, and the reality is considerably more complex.
It's fundamental to understand that knowledge of these techniques does not remain confined to research by ethical cybersecurity professionals. Malicious actors and groups with various interests also have access to this information and the necessary tools to exploit it.
This talk serves as a stark reminder that security through obscurity—trusting that protocols and closed systems are secure simply because they are little known or proprietary—no longer constitutes a viable strategy. Today, technical information, sooner or later, ends up being leaked or publicly revealed, and analysis tools are increasingly powerful, accessible, and, paradoxically, easier to use.