For the past four years, Elon Musk’s Starlink has been launching over 3,000 small satellites into space. This satellite network provides internet connection to remote locations on Earth, especially since the Russian-Ukraine conflict. There are plans to launch more satellites, but the satellite components are being hacked.
Lennert Wouters, security expert and researcher at the Belgian University KU Leuven, explained the security breakdown of Starlink’s user terminals at the Black Hat Security conference in Las Vegas.
To get access to the software in the satellite dish, Wouters disassembled the dish, and developed a specialized hacking tool called a modchip, which costs around $25 to make. When attached to the dish, the modchip launches a fault injection attack which circumvents the security protections in Starlink. This ‘glitch’ allows access to locked parts of the Starlink system.
Wouters’ hacking tool is now open source on GitHub, including some details on how to launch the attack. ‘As an attacker, let’s say you wanted to attack the satellite itself. You could try to build your own system that allows you to talk to the satellite, but that’s quite difficult. So if you want to attack the satellites, you would like to go through the user terminal as that likely makes your life easier,’ Wouters explained.
Starlink was notified of the researcher’s findings of flaws in its system, and paid Wouters through its bug bounty scheme for the information. Wouters says that although SpaceX updated the dish to make it harder to attack, the main issue cannot be fixed unless a new version of the main chip is created.
There have been numerous takedowns of Starlink’s user terminals since it was released. YouTubers and Redditors have exposed their components and discussed their technical specifications. Wouters previously developed a hardware which is capable of unlocking a Tesla in 90 seconds. He however said, ‘The user terminal was definitely designed by capable people.’
His attack on the user terminal involved several stages and technical measures before he created the modchip to glitch the dish. ‘We’re using this to accurately time when to inject the glitch,’ said Wouters.
Wouters began testing the Starlink system in May 2021. He used a combination of a ‘heat gun, prying tools, isopropyl alcohol, and a lot of patience’ to access the internal components of the dish. To create the modchip, Wouters scanned the dish and developed the design to fit over the Starlink board. While the user terminal’s board reads ‘Made on Earth by humans’ on it, Wouters’ reads ‘Glitched on Earth by humans.’
‘From a high-level view, there are two obvious things that you could try to attack: the signature verification or the hash verification,’ said Wouters. The glitch works against the signature verification process. ‘Normally you want to avoid shorts. In this case, we do it on purpose.’
Wouters found it easier to cause the glitch at the beginning of the boot. To get it to work, he said he had to stop the decoupling capacitors—used to smooth out the power supply— from operating. The attack temporarily disables the decoupling capacitors for the glitch to bypass the security protections.
This process allows access to the underlying systems in the Starlink dish. Wouters said that Starlink offered him researcher-level access to the software in the device, but he declined, to continue to build the modchip.
The firmware update by Starlink only makes the effort to attack the dish harder, not impossible. Wouters says the attack can be used to obtain more information on the operation of the Starlink network.
‘What I am working on now is communicating with the backend servers,’ explained Wouters. Wouters said he currently doesn’t have any plans to sell finished modchips, or the exact details of the glitch he used.
‘I think it’s important to assess how secure these systems are because they are critical infrastructure. I don’t think it’s very far-fetched that certain people would try to do this type of attack because it is quite easy to get access to a dish like this,’ said Wouters.
In response to Wouters’ conference presentation, Starlink said, ‘We find the attack to be technically impressive, and is the first attack of its kind that we are aware of in our system. We expect attackers with invasive physical access to be able to take malicious actions on behalf of a single Starlink kit using its identity, so we rely on the design principle of “least privilege” to constrain the effects in the broader system.’
By Marvellous Iwendi.