Starlink satellite dish cracked on stage at Black Hat

Once the modchip plans are live, you can, too

Black Hat: A security researcher has shown how to fully take over a Starlink satellite terminal, with physical access at least, using a homemade modchip.

Lennert Wouters, a researcher at the KU Leuven University in Belgium, walked through his methodology during a talk at Black Hat in Las Vegas this week. 

Wouters said he will release the code and details of the components used via GitHub so other folks can build their own modchips that, when fitted to the SpaceX hardware, unlock the broadband satellite equipment. This will allow them to poke around for additional security holes in the device and possibly the network, play with the configuration, and discover any other functionality.

The link to the repo wasn't live as of Friday afternoon.

Developing the modchip took "a significant amount of time" over the better part of a year, according to Wouters. 

First, he compromised the black-box system using voltage fault injection during the execution of the system-on-chip ROM bootloader, which allowed him to bypass the firmware signature verification and run his own custom code on the terminal. This was all done in a lab setting, with various electronics to help, so don't think this could be used against, say, a dish at a stranger's home, Wouters said.  

After successfully performing the fault-injection attack in the university's lab, Wouters notified the SpaceX product security team that he had achieved root-level access on the terminal, and said they offered him an easier way in: SSH access involving a Yubikey for authentication.

"But I decided that I was way too far down the rabbit hole and I didn't accept it," he said.

So he built a modchip, replacing the lab equipment with cheap off-the-shelf components, and used the homemade system to glitch the bootloader and obtain root access on the Starlink user terminal (UT). 

After obtaining this superuser access, you can do pretty much anything to the UT, including deploying your own software or malware, fiddling with settings, and shutting down its communications. In Wouters' case, he used the security weakness to send a tweet through the rooted UT announcing his Black Hat talk.

"From a security standpoint, this is a well designed product," Wouters said on stage. "There was no obvious — at least to me — low-hanging fruit."

Now that he has documented his exploits and intends to publish the plans for his modchip, Wouters said he hopes others will build on his research.

"I'm hoping that other people will start glitching the Starlink user terminal and will start looking at the network infrastructure," he said, adding that tinkering with the digital beamformers and updating their firmware is another possibility.

"You could also try to repurpose user terminals, so maybe you could use two user terminals to implement point-to-point [communications] or something like that."

The possibilities, like space itself, are endless. ®

Updated to add

The code has now been posted on GitHub.

Meanwhile, Starlink has asked developers to "bring on the bugs," in a call [PDF] to developers. It is offering up to $25,000 for the worst of flaws, but this is very much in the style of Elon's Musketeers when it comes to bugs.

In 2015, after a presentation at DEF CON showing how Tesla Model S vehicles could be rooted and fiddled with, the car company's former CTO JB Straubel appeared on stage with the researchers, did a shot with them (as is traditional for stage newbies), gave them medals and announced the firm was upping its bug bounty program rewards.
