No one said getting root to space would be easy.

Getting root access inside one of Starlink’s dishes requires a few hard-to-find things: a deep understanding of the board’s circuitry, eMMC dumping hardware and skills, an understanding of bootloader software, and a custom PCB. But researchers have proven that it can be done.

Researchers at Belgium’s KU Leuven detailed how they were able to execute arbitrary code on the Starlink User Terminal at Black Hat 2022 earlier this year in their talk “Human Errors on Earth: A Black Box Security Evaluation of the SpaceX Starlink User Terminal.” The terminal (i.e. the receiver dish) was compromised using a custom-built modchip that performs a voltage fault injection. The talk took place in August, but the researchers’ slides and repositories have only recently made the rounds.

There is no immediate threat; the vulnerability has been disclosed and its impact is limited. Bypassing signature verification allowed the researchers to “further investigate the Starlink User Terminal and the network side of the system.” Slides from the Black Hat talk note that Starlink is “a well-designed product (in terms of security).” Root access was difficult to obtain, and obtaining it did not reveal any clear path to lateral movement or escalation. Could it lead to modified firmware and repurposed Starlink dishes? Perhaps.

Still, satellite security is not a purely theoretical concern. Satellite provider Viasat saw thousands of its modems taken offline by the AcidRain malware, pushed by what are assessed to most likely be Russian state actors. Many Starlink terminals are deployed in remote locations, though the KU Leuven researchers noted how difficult and awkward it would be to attach their custom modchip to a Starlink terminal in the wild. That buys a little more time before anyone can disassemble a unit and make the 20+ fine-point solder joints detailed in the slide images.

It’s not easy to summarize the many techniques and disciplines the researchers used in this piece of hardware hacking, but here’s an attempt. After some high-level board analysis, the researchers found the test points for reading the board’s eMMC memory. After dumping the software for analysis, they found a point where introducing the wrong voltage to the main system-on-a-chip (SoC) could change an important variable during boot: “development login enabled: yes.” It’s slow, it only works some of the time, and the voltage glitch can cause many other errors, but it worked.
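As an added illustration, not Starlink’s code or the researchers’ work, the C sketch below shows why a plain boolean boot flag of the kind described above is fragile under a glitch, and one common hardening pattern: encode the decision in wide magic constants that differ in every bit, and repeat the check so a single skipped compare still denies. All constant values and function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed magic values (not from any real firmware): ENABLE and DISABLE
 * are bitwise complements, so they differ in all 32 bits and no single-bit
 * fault can turn one into the other. */
#define DEV_LOGIN_ENABLE_MAGIC   0xA5C35A3Cu
#define DEV_LOGIN_DISABLE_MAGIC  0x5A3CA5C3u

enum policy { POLICY_DENY = 0, POLICY_ALLOW = 1 };

/* Naive check: the flag is a plain boolean, so flipping any one bit of a
 * zero word to non-zero is read as "enabled". */
int naive_dev_login(uint32_t flag_word)
{
    return flag_word != 0u ? POLICY_ALLOW : POLICY_DENY;
}

/* Hardened check: only the exact ENABLE magic allows. The comparison is
 * repeated on the complemented value so that a glitch which skips one
 * compare still lands on DENY, and any unexpected word (neither magic)
 * also denies. volatile keeps the compiler from folding the two checks. */
int hardened_dev_login(uint32_t flag_word)
{
    volatile uint32_t first = flag_word;
    volatile uint32_t second = ~flag_word;
    if (first != DEV_LOGIN_ENABLE_MAGIC) return POLICY_DENY;
    if (second != (uint32_t)~DEV_LOGIN_ENABLE_MAGIC) return POLICY_DENY;
    return POLICY_ALLOW;
}

/* Count how many single-bit faults of the "disabled" encoding flip the
 * decision to ALLOW for a given checker (a simple fault model for review). */
int count_single_bit_flips_to_allow(int (*check)(uint32_t), uint32_t disabled)
{
    int flips = 0;
    for (int bit = 0; bit < 32; bit++) {
        if (check(disabled ^ (1u << bit)) == POLICY_ALLOW) flips++;
    }
    return flips;
}

int main(void)
{
    printf("naive:    %d of 32 single-bit faults enable dev login\n",
           count_single_bit_flips_to_allow(naive_dev_login, 0u));
    printf("hardened: %d of 32 single-bit faults enable dev login\n",
           count_single_bit_flips_to_allow(hardened_dev_login, DEV_LOGIN_DISABLE_MAGIC));
    return 0;
}
```

The fault model here only covers single data-bit flips and a skipped compare; real fault-injection countermeasures also address multi-bit corruption and timing randomisation.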

The modchip used by the researchers is built around a Raspberry Pi RP2040 microcontroller. Unlike most Raspberry Pi hardware, the bare RP2040 chip can still be ordered and purchased, should you want to attempt such a project. You can read more about the firmware dumping process in the researchers’ blog post.
