Black Hat: A security researcher has shown how to fully take over a Starlink satellite terminal on stage in Las Vegas, using a homemade modchip.
Lennert Wouters, a researcher at the KU Leuven University in Belgium, walked through his methodology during a talk at Black Hat this week.
Wouters also said he will release the code and details of components used via GitHub so other researchers can build their own modchips to unlock their broadband satellite equipment and poke around for additional security holes and functionality. The link to the repo wasn’t live as of Friday afternoon.
It’s a pretty sophisticated rooting process that took the university researcher “a significant amount of time” over the better part of a year, according to Wouters.
First, he compromised the black-box system using voltage fault injection during the execution of the system-on-chip ROM bootloader, which allowed him to bypass the firmware signature verification and run his own custom code. This was all done in a lab setting, with various devices to help, so don’t think this could be used against, say, a dish on a stranger’s roof, Wouters said.
After successfully performing the side-channel attack in the university’s lab, Wouters notified the SpaceX product security team that he had achieved root-level access on the terminal, and said they offered him an easier way in: SSH access involving a Yubikey for authentication.
“But I decided that I was way too far down the rabbit hole and I didn’t accept it,” he said. “So I wanted to make a mobile setup.”
So he built a modchip, replacing the lab equipment with cheap off-the-shelf components, and used the homemade system to glitch the bootloader and obtain root access on the Starlink user terminal (UT).
After obtaining root-level access, an attacker could do pretty much anything to the UT, including deploying malware, fiddling with its radio settings, and shutting down its communications. In Wouters’ case, however, he used the exploit to send a tweet through the rooted terminal announcing his Black Hat talk.
I am excited to announce that our talk “Glitched on Earth by humans” will be presented at @BlackHatEvents! I will cover how we glitched the Starlink User Terminal SoC bootrom using a modchip to obtain root. This might be the first tweet sent through a rooted Starlink UT! #BHUSA pic.twitter.com/0XMMIidEKk
— Lennert (@LennertWo) May 19, 2022
“From a security standpoint, this is a well designed product,” Wouters said on stage. “There was no obvious — at least to me — low-hanging fruit.”
Now that he has documented his exploit and intends to publish the plans for his modchip, Wouters said he hopes others will build on his research.
“I’m hoping that other people will start glitching the Starlink user terminal and will start looking at the network infrastructure,” he said, adding that tinkering with the digital beamformers and updating their firmware is another possibility.
“You could also try to repurpose user terminals, so maybe you could use two user terminals to implement point-to-point [communications] or something like that.”
The possibilities, like space itself, are endless.