Black Hat A security researcher has shown how to, with physical access at least, fully take over a Starlink satellite terminal using a homemade modchip.
Lennert Wouters, a researcher at the KU Leuven University in Belgium, walked through his methodology during a talk at Black Hat in Las Vegas this week.
Wouters said he will release the code and details of components used via GitHub so other folks can build their own modchips that when fitted to the SpaceX hardware unlock the broadband satellite equipment. This will allow them to poke around for additional security holes in the device and possibly the network, play with the configuration, and discover any other functionality.
The link to the repo wasn’t live as of Friday afternoon.
Developing the modchip took “a significant amount of time” over the better part of a year, according to Wouters.
First, he compromised the black-box system using voltage fault injection during the execution of the system-on-chip ROM bootloader, which allowed him to bypass the firmware signature verification and run his own custom code on the terminal. This was all done in a lab setting, with various electronics to help, so don’t think this could be used against, say, a dish at a stranger’s home, Wouters said.
After successfully performing the side-channel attack in the university’s lab, Wouters notified the SpaceX product security team that he had achieved root-level access on the terminal, and said they offered him an easier way in: SSH access involving a Yubikey for authentication.
“But I decided that I was way too far down the rabbit hole and I didn’t accept it,” he said.
So he built a modchip, replacing the lab equipment with cheap off-the-shelf components, and used the homemade system to glitch the bootloader and obtain root access on the Starlink user terminal (UT).
After obtaining this superuser access, you can do pretty much anything to the UT, including deploying your own software or malware, fiddling with settings, and shutting down its communications. In Wouters’ case, he used the security weakness to send a tweet through the rooted Starlink user terminal (UT) announcing his Black Hat talk.
I am excited to announce that our talk “Glitched on Earth by humans” will be presented at @BlackHatEvents!I will cover how we glitched the Starlink User Terminal SoC bootrom using a modchip to obtain root.This might be the first tweet sent through a rooted Starlink UT! #BHUSA pic.twitter.com/0XMMIidEKk
— Lennert (@LennertWo) May 19, 2022
“From a security standpoint, this is a well designed product,” Wouters said on stage. “There was no obvious — at least to me — low-hanging fruit.”
Now that he’s documented his exploits, and plans to make public the plans for his modchip, Wouters said he hopes others will build on his research.
“I’m hoping that other people will start glitching the Starlink user terminal and will start looking at the network infrastructure,” he said, adding that tinkering with the digital beamformers and updating their firmware is another possibility.
“You could also try to repurpose user terminals, so maybe you could use two user terminals to implement point-to-point [communications] or something like that.”
The possibilities, like space itself, are endless. ®