A white-hat hacker demonstrated how he hacked SpaceX’s satellite-based internet system Starlink. The researcher successfully compromised the target Starlink User Terminal using a $25 tool.
Starlink User Terminal Hacked Via Fault Injection Attack
Security researcher Lennert Wouters shared details of his experimental hack of Starlink terminals at the recent Black Hat USA 2022. Announcing the talk in a tweet, the researcher stated,
I am excited to announce that our talk “Glitched on Earth by humans” will be presented at @BlackHatEvents!
I will cover how we glitched the Starlink User Terminal SoC bootrom using a modchip to obtain root.
— Lennert (@LennertWo) May 19, 2022
According to a Wired report, the research cost Wouters $25, as he worked on a Starlink user terminal (UT), the satellite dish in users’ homes that offers connectivity, and attached a custom modchip to the dish.
Explaining Starlink UT, the researcher mentioned in his presentation,
The UT uses a custom quad-core Cortex-A53 System-on-Chip (SoC) that implements verified boot based on the ARM trusted firmware (TF-A) project. The early stage TF-A bootloaders, and in particular the immutable ROM bootloader include custom fault injection countermeasures.
However, the modified dish hardware with the researcher’s modchip enabled him to bypass signature verification.
The custom modchip consisted of flash storage, a Raspberry Pi microcontroller, electronic switches and a voltage regulator. Wouters soldered the modchip to the Starlink dish board. This hardware modification enabled the researcher to perform a voltage fault injection attack that shorts the system and bypasses Starlink’s security.
After that, the researcher started the attack by first targeting the ROM bootloader, followed by the others. Eventually, he could gain access to the dish software and execute arbitrary code.
The researcher claimed that this attack strategy would cause an “unfixable compromise” of the Starlink UT, further enabling access to the Starlink network.
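As an added illustration (not code from Wouters’ talk or from SpaceX), the C sketch below models only the final comparison step of a signature check, showing a naive form beside a form that uses common software fault injection countermeasures. The function names, status constants and sample digests are assumptions made for this example; the page does not describe which countermeasures the Starlink bootloaders use, and checks of this kind raise the cost of glitching rather than rule it out.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Status words are bitwise complements: no small bit flip turns FAIL into PASS. */
#define VERIFY_PASS 0x3CA5965Au
#define VERIFY_FAIL 0xC35A69A5u

/* Constructed sample digests (not real firmware hashes). */
static const uint8_t SAMPLE_EXPECTED[8] = {0xde,0xad,0xbe,0xef,0x01,0x02,0x03,0x04};
static const uint8_t SAMPLE_GOOD[8]     = {0xde,0xad,0xbe,0xef,0x01,0x02,0x03,0x04};
static const uint8_t SAMPLE_TAMPERED[8] = {0xde,0xad,0xbe,0xef,0x01,0x02,0x03,0x05};

/* Constant-time compare: returns 0 only when all n bytes match. */
static uint32_t digest_diff(const uint8_t *a, const uint8_t *b, size_t n) {
    volatile uint32_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint32_t)(a[i] ^ b[i]);
    return diff;
}

/* Weak form: a single corrupted branch or register decides the boot. */
int naive_verify(const uint8_t *computed, const uint8_t *expected, size_t n) {
    return digest_diff(computed, expected, n) == 0;
}

/* Hardened form: fail by default, compare twice, and count the steps taken
 * so that a skipped instruction leaves the counter at the wrong value. */
uint32_t hardened_verify(const uint8_t *computed, const uint8_t *expected, size_t n) {
    volatile uint32_t status = VERIFY_FAIL;
    volatile uint32_t steps = 0;
    volatile uint32_t d1 = digest_diff(computed, expected, n);
    steps += 0x11;
    volatile uint32_t d2 = digest_diff(expected, computed, n);
    steps += 0x22;
    if (d1 == 0 && d2 == 0) {
        steps += 0x44;
        if ((d1 | d2) == 0 && steps == 0x77) status = VERIFY_PASS;
    }
    return status;
}

int main(void) {
    printf("good image:     naive=%d hardened=0x%08X\n",
           naive_verify(SAMPLE_GOOD, SAMPLE_EXPECTED, 8),
           (unsigned)hardened_verify(SAMPLE_GOOD, SAMPLE_EXPECTED, 8));
    printf("tampered image: naive=%d hardened=0x%08X\n",
           naive_verify(SAMPLE_TAMPERED, SAMPLE_EXPECTED, 8),
           (unsigned)hardened_verify(SAMPLE_TAMPERED, SAMPLE_EXPECTED, 8));
    return 0;
}
```

A caller should boot only when the result equals VERIFY_PASS exactly and treat every other value, including a corrupted one, as a failure.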
SpaceX Responds Assuring Security To “Normal Users”
After discovering the vulnerability, the researcher reached out to Starlink via its bug bounty program on Bugcrowd last year.
The vendor acknowledged the researcher’s effort and started developing a fix, ultimately releasing it with a subsequent firmware update.
Following the public disclosure of the flaw, SpaceX Starlink issued a detailed paper, highlighting Starlink’s protection measures. They assured the users about thorough security, asking them not to worry about the attack. Also, they appreciated this research, terming it “technically impressive”.
However, the researcher believes evading the patch remains possible, though it would be harder now.
For curious souls, Wouters has publicly released the modchip on GitHub. Nonetheless, he doesn’t plan to sell prepared modchips, nor is he willing to make the patched firmware public, to avoid malicious exploitation.