Black Hat A security researcher has shown how, with physical access at least, one can completely take over a Starlink satellite terminal using a homemade modchip.
Lennert Wouters, a researcher at KU Leuven University in Belgium, went through his methodology during a presentation at Black Hat in Las Vegas this week.
Wouters said he will be posting the code and details of the components used via GitHub so other people can build their own modchips that, when built into the SpaceX hardware, will unlock the broadband satellite equipment. This allows them to check for additional vulnerabilities in the device and possibly the network, play with the configuration, and discover other features.
The link to the repo was not live as of Friday afternoon.
The development of the modchip took “a considerable amount of time” over almost a year, according to Wouters.
First, he compromised the black box system through voltage fault injection while the system-on-chip ROM bootloader was running, which allowed him to bypass firmware signature verification and run his own custom code on the terminal. This was all done in a lab setting, with various electronics to help, so don't think this could be used against, say, a dish at a stranger's home, Wouters said.
After successfully executing the side-channel attack in the university's lab, Wouters told SpaceX's product security team that he had gained root-level access to the terminal, and said that they offered him an easier way in: SSH access with a Yubikey for authentication.
“But I decided I was way too far down the rabbit hole and I didn’t accept it,” he said.
So he built a modchip, replaced the lab equipment with cheap off-the-shelf components, and used the homemade system to disrupt the bootloader and gain root access to the Starlink User Terminal (UT).
After gaining this superuser access, you can do pretty much anything with the UT, including deploying your own software or malware, fiddling with settings, and shutting down communications. Wouters, for his part, used the vulnerability to send a tweet from the rooted terminal announcing his Black Hat talk.
I'm happy to announce that our talk "Glitched on Earth by humans" will be presented at the @BlackHatEvents! I will cover how we disrupted the Starlink user terminal SoC bootrom with a modchip to get root. This could be the first tweet sent from a rooted Starlink UT! #BHUSA pic.twitter.com/0XMMIidEKk
— Lennert (@LennertWo) May 19, 2022
“From a safety perspective, this is a well-designed product,” said Wouters on stage. “There was no obvious low-hanging fruit, at least for me.”
Now that he has documented his exploits and intends to make the plans for his modchip public, Wouters said he hopes others will build on his research.
“I hope that other people will start interfering with the Starlink user terminal and look at the network infrastructure,” he said, adding that tinkering with the digital beamformers and updating their firmware is another option.
“You could also try to repurpose user terminals, so maybe you could use two user terminals to implement point-to-point [communications] or something like that.”
The possibilities, like space itself, are endless. ®
https://www.theregister.com/2022/08/12/starlink_terminal_hack_black_hat/ Starlink satellite dish cracked on stage at Black Hat • The Register