Starlink satellite dish cracked on stage at Black Hat
Once the modchip plans are live, you can, too
Black Hat: A security researcher has shown how to fully take over a Starlink satellite terminal using a homemade modchip, at least when he has physical access to the device.
Lennert Wouters, a researcher at KU Leuven University in Belgium, walked through his methodology during a talk at Black Hat in Las Vegas this week.
Wouters said he will release the code and details of the components used via GitHub so other folks can build their own modchips that, when fitted to the SpaceX hardware, unlock the broadband satellite equipment. This will allow them to poke around for additional security holes in the device and possibly the network, play with the configuration, and discover any other functionality.
The link to the repo wasn't live as of Friday afternoon.
Developing the modchip took "a significant amount of time" over the better part of a year, according to Wouters.
First, he compromised the black-box system using voltage fault injection during the execution of the system-on-chip ROM bootloader, which allowed him to bypass the firmware signature verification and run his own custom code on the terminal. This was all done in a lab setting, with various electronics to help, so don't think this could be used against, say, a dish at a stranger's home, Wouters said.
After successfully performing the fault injection attack in the university's lab, Wouters notified the SpaceX product security team that he had achieved root-level access on the terminal, and said they offered him an easier way in: SSH access involving a Yubikey for authentication.
"But I decided that I was way too far down the rabbit hole and I didn't accept it," he said.
So he built a modchip, replacing the lab equipment with cheap off-the-shelf components, and used the homemade system to glitch the bootloader and obtain root access on the Starlink user terminal (UT).
After obtaining this superuser access, you can do pretty much anything to the UT, including deploying your own software or malware, fiddling with settings, and shutting down its communications. In Wouters' case, he used the security weakness to send a tweet through the rooted Starlink UT announcing his Black Hat talk.
I am excited to announce that our talk "Glitched on Earth by humans" will be presented at @BlackHatEvents! I will cover how we glitched the Starlink User Terminal SoC bootrom using a modchip to obtain root. This might be the first tweet sent through a rooted Starlink UT! #BHUSA — Lennert (@LennertWo) May 19, 2022
"From a security standpoint, this is a well designed product," Wouters said on stage. "There was no obvious — at least to me — low-hanging fruit."
Now that he has documented his exploits and intends to publish the plans for his modchip, Wouters said he hopes others will build on his research.
"I'm hoping that other people will start glitching the Starlink user terminal and will start looking at the network infrastructure," he said, adding that tinkering with the digital beamformers and updating their firmware is another possibility.
"You could also try to repurpose user terminals, so maybe you could use two user terminals to implement point-to-point [communications] or something like that."
The possibilities, like space itself, are endless. ®
Updated to add
The code has now been posted on GitHub.
Meanwhile, Starlink has asked developers to "bring on the bugs" in a call [PDF] to developers. It is offering up to $25,000 for the worst of flaws, but this is very much in the style of Elon's Musketeers when it comes to bugs.
In 2015, after a presentation at DEF CON showing how Tesla Model S vehicles could be rooted and fiddled with, the car company's former CTO JB Straubel appeared on stage with the researchers, did a shot with them (as is traditional for stage newbies), gave them medals and announced the firm was upping its bug bounty program rewards.