Jump to content
  • The long, solder-heavy way to get root access to a Starlink terminal


    Karlston

    • 595 views
    • 3 minutes
     Share


    • 595 views
    • 3 minutes

    Zapping the satellite board at just the right time can grant deeper access.

    installed_modchip-800x726.jpg

    Nobody said getting root access to space was going to be easy.
    KU Leuven

     

    Getting root access inside one of Starlink's dishes requires a few things that are hard to come by: a deep understanding of board circuitry, eMMC dumping hardware and skills, bootloader software understanding, and a custom PCB board. But researchers have proven it can be done.

     

    In their talk "Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal," researchers at KU Leuven in Belgium detailed at Black Hat 2022 earlier this year how they were able to execute arbitrary code on a Starlink User Terminal (i.e., a dish board) using a custom-built modchip through a voltage fault injection. The talk took place in August, but the researchers' slides and repository have recently made the rounds.

     

    There's no immediate threat, and the vulnerability is both disclosed and limited. While bypassing signature verification allowed the researchers to "further explore the Starlink User Terminal and networking side of the system," slides from the Black Hat talk note that Starlink is "a well-designed product (from a security standpoint)." Getting a root shell was challenging, and doing so didn't open up obvious lateral movement or escalation. But updating firmware and repurposing Starlink dishes for other purposes? Perhaps.

     

     
    Still, satellite security is far from merely theoretical. Satellite provider Viasat saw thousands of modems knocked offline by AcidRain malware, pushed by what most assess to be Russian state actors. And while the KU Leuven researchers note how unwieldy and tricky it would be to attach their custom modchip to a Starlink terminal in the wild, many Starlink terminals are placed in the most remote locations. That gives you a bit more time to disassemble a unit and make the more than 20 fine-point soldering connections detailed in slide images.

     

    Screenshot-2022-11-14-at-12.18.35-PM-144

    Reading from eMMC test points to extract and patch Starlink's firmware.

     

    modchip.jpg

    The basic design of the Starlink intruder modchip, with a Pi-designed processor at its core

     

    installed_modchip-1440x1306.jpg

    Nobody said getting root access to space was going to be easy.

     

    Screenshot-2022-11-14-at-12.46.16-PM-144

    How to test your satellite security proof-of-concept when you work inside a university.

     

    It's not easy to summarize the numerous techniques and disciplines used in the researchers' hardware hack, but here is an attempt. After some high-level board analysis, the researchers located test points for reading the board's eMMC storage. Dumping the firmware for analysis, they found a place where introducing errant voltage into the core system on a chip (SoC) could modify an important variable during bootup: "development login enabled: yes." It's slow, it only works occasionally, and the voltage tampering can cause lots of other errors, but it worked.

     

    The modchip used by the researchers is centered around a RaspberryPi RP2040 microcontroller. Unlike most Raspberry Pi hardware, you can still seemingly order and receive the core Pi chip, should you embark on such a journey. You can read more about the firmware dumping process in the researchers' blog post.

     

     

    The long, solder-heavy way to get root access to a Starlink terminal


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...