Black Hat A security researcher hacked the final frontier live, on stage, in Las Vegas, using a homemade modchip.
Lennert Wouters, a researcher at the KU Leuven University in Belgium, demonstrated his successful attack against a SpaceX Starlink satellite dish during a talk at Black Hat this week.
Wouters also said he will make his cracking tool available via GitHub so other researchers can build their own modchips and poke around for additional Starlink security holes. But the link wasn’t live as of Friday afternoon.
It’s a pretty sophisticated attack that took the university researcher “a significant amount of time” over the better part of a year, according to Wouters.
First, he compromised the black-box system using voltage fault injection during the execution of the system-on-chip ROM bootloader, which allowed him to bypass the firmware signature verification. However, this was all done in a lab setting, and the setup was still too bulky to pull off in a real-life attack scenario on the roof, Wouters said.
After successfully performing the side-channel attack in the university’s lab, Wouters notified the SpaceX product security team and said they offered him an easy out: SSH access through a Yubikey.
“But I decided that I was way too far down the rabbit hole and I didn’t accept it,” he said. “So I wanted to make a mobile setup.”
So he built a modchip, replacing the lab equipment with cheap off-the-shelf components, and used the homemade system to glitch the bootloader and obtain root access on the Starlink user terminal (UT).
After obtaining root-level access, an attacker could do pretty much anything to the satellite, including deploying malware and shutting down its communications. In Wouters’ case, however, he used the exploit to send a tweet through the rooted Starlink UT announcing his Black Hat talk.
I am excited to announce that our talk “Glitched on Earth by humans” will be presented at @BlackHatEvents! I will cover how we glitched the Starlink User Terminal SoC bootrom using a modchip to obtain root. This might be the first tweet sent through a rooted Starlink UT! #BHUSA pic.twitter.com/0XMMIidEKk
— Lennert (@LennertWo) May 19, 2022
“From a security standpoint, this is a well designed product,” Wouters said on stage. “There was no obvious — at least to me — low-hanging fruit.”
Now that he has documented his exploit and intends to publish the plans for his modchip, Wouters said he hopes others will build on his research.
“I’m hoping that other people will start glitching the Starlink user terminal and will start looking at the network infrastructure,” he said, adding that tinkering with the digital beamformers and updating their firmware is another possibility.
“You could also try to repurpose user terminals, so maybe you could use two user terminals to implement point-to-point [communications] or something like that.”
The possibilities, like space itself, are endless. ®