Belgian researcher Lennert Wouters revealed at Black Hat how he mounted a successful fault injection attack on a user terminal for SpaceX’s satellite-based internet system
A Belgian security researcher has successfully hacked the SpaceX operated Starlink satellite-based internet system using a homemade circuit board that cost around $25 to develop, he revealed at Black Hat.
Lennert Wouters revealed a voltage fault injection attack on a Starlink User Terminal (UT)—or satellite dish people use to access the system – that allowed him to break into the dish and explore the Starlink network from there, he revealed in a presentation called “Glitched on Earth by Humans” at the annual ethical hacker conference this week.
Wouters physically stripped down a satellite dish he purchased and created the custom board, or modchip, that can be attached to the Starlink dish, according to a report on Wired about his presentation on Wednesday.
He developed the tool using low-cost, off-the-shelf parts and was able to use it to obtain root access by glitching the Starlink UT security operations center bootrom, according to a tweet previewing the presentation that he said was sent through a rooted Starlink UT.
To design the modchip, Wouters scanned the Starlink dish and created the design to fit over the existing Starlink board. He soldered the modchip—comprised of a Raspberry Pi microcontroller, flash storage, electronic switches and a voltage regulator–to the existing Starlink PCB and connected it using a few wires, according to the report.
Once attached to the Starlink dish, the tool launched a fault injection attack to temporarily short the system, which allowed for bypass of Starlink’s security protections so Wouters could break into locked parts of the system.
Wouters’ attack runs the glitch against the first bootloader–the ROM bootloader that’s burned onto the system-on-chip and can’t be updated. He then deployed patched firmware on later bootloaders, which gave him control of the dish, according to the report.
Wouters first performed the attack in a lab before implementing the modchip on the dish itself, he revealed in a write-up about his presentation published on the conference’s website.
“Our attack results in an unfixable compromise of the Starlink UT and allows us to execute arbitrary code,” Wouters wrote. “The ability to obtain root access on the Starlink UT is a prerequisite to freely explore the Starlink network.”
Wouters was able to explore the Starlink network and its communication links once he gained access to the system, adding that other researchers can potentially build on the work to further explore the Starlink ecosystem.
Wouters revealed the vulnerability to SpaceX in a responsible way through its bug bounty program before publicly presenting on the issue.
Implications for Starlink
Starlink is SpaceX’s low Earth orbit satellite constellation, an ambitious project that aims to provide satellite internet coverage to the whole world. Some 3,000 small satellites launched since 2018 already are providing internet to places that can’t be reached by terrestrial networks. Other companies—including Boeing, Amazon and Telesat—also have launched their own satellite constellations to provide internet from space.
Starlink’s UT is one of three core components of the Starlink system; the other two are the satellites that move about 340 miles above the Earth’s surface to beam down internet connections, and gateways that transmit connections up to the satellites. The UTs also communicate with satellites to provide internet on Earth.
As is typically the case with any technology, the increase in use and deployment of Starlink and other satellite constellations also means that threat actors have a greater interest in finding their security holes to attack them.
Indeed, Russia saw an advantage in taking out a satellite providing internet communications across Europe by attacking its technology on the ground as Russian troops entered Ukraine on Feb. 24. The move successfully disrupted communications on the ground in Ukraine at a crucial time in the invasion, while also affecting other parts of Europe. It even had a ripple effect and jammed airplane navigation systems and other critical infrastructure.
Knowing the critical nature of its security, SpaceX already has responded to Wouters’ presentation with a six-page paper published online inviting security researchers to “bring on the bugs” to help the company better protect the Starlink system as well as offering a detailed explanation of how it protects Starlink.
The paper also congratulates Wouters’ research, calling it “technically impressive” before poking a series of holes in it and assuring that Starlink’s “defense-in-depth approach to security limits the overall impact of this issue to our network and users.”