A penetration tester found more than 20 vulnerabilities in a satellite receiver deployed by the U.S. Department of Defense (also referred to as the Department of War), the European Space Agency, and other critical infrastructure operators worldwide — and the device's manufacturer, International Data Casting Corporation (IDC), did not respond to a single disclosure attempt over several months.

The researcher, who published the findings on Thursday, discovered the flaws in IDC's SFX2100 satellite receiver during a routine penetration test of a critical infrastructure client. After exhausting the standard 90-day responsible disclosure window — including direct outreach to IDC's president on L...