SINCE 2018, ELON Musk’s Starlink has launched more than 3,000 small satellites into orbit. This satellite network beams internet connections to hard-to-reach locations on Earth and has been a vital source of connectivity during Russia’s war in Ukraine. Thousands more satellites are planned for launch as the industry booms. Now, like any emerging technology, those satellite components are being hacked.
Today, Lennert Wouters, a security researcher at the Belgian university KU Leuven, will reveal one of the first security breakdowns of Starlink’s user terminals, the satellite dishes (dubbed Dishy McFlatface) that are positioned on people’s homes and buildings. At the Black Hat security conference in Las Vegas, Wouters will detail how a series of hardware vulnerabilities allow attackers to access the Starlink system and run custom code on the devices.
To access the satellite dish’s software, Wouters physically stripped down a dish he purchased and created a custom hacking tool that can be attached to the Starlink dish. The hacking tool, a custom circuit board known as a modchip, uses off-the-shelf parts that cost around $25. Once attached to the Starlink dish, the homemade printed circuit board (PCB) is able to launch a fault injection attack—temporarily shorting the system—to help bypass Starlink’s security protections. This “glitch” allows Wouters to get into previously locked parts of the Starlink system.
Wouters is now making his hacking tool open source on GitHub, including some of the details needed to launch the attack. “As an attacker, let’s say you wanted to attack the satellite itself,” Wouters explains, “You could try to build your own system that allows you to talk to the satellite, but that’s quite difficult. So if you want to attack the satellites, you would like to go through the user terminal as that likely makes your life easier.”
The researcher notified Starlink of the flaws last year and the company paid Wouters through its bug bounty scheme for identifying the vulnerabilities. Wouters says that while SpaceX has issued an update to make the attack harder (he changed the modchip in response), the underlying issue can’t be fixed unless the company creates a new version of the main chip. All existing user terminals are vulnerable, Wouters says.
Starlink says it plans to release a “public update” following Wouters’ presentation at Black Hat this afternoon, but declined to share any details about that update with WIRED prior to publication.
Starlink’s internet system is made up of three major parts. First, there are the satellites that move in low Earth orbit, around 340 miles above the surface, and beam down connections to the surface. The satellites communicate with two systems on Earth: gateways that send internet connections up to the satellites, and the Dishy McFlatface dishes people can buy. Wouters’ research focuses on these user terminals, which originally were round, but newer models are rectangular.
There have been multiple teardowns of Starlink’s user terminals since the company started selling them. Engineers on YouTube have opened up their terminals, exposing their components and how they work. Others discuss the technical specs on Reddit. However, Wouters, who previously created hardware that can unlock a Tesla in 90 seconds, looked at the security of the terminal and its chips. “The user terminal was definitely designed by capable people,” Wouters says.
His attacks against the user terminal involved multiple stages and technical measures before he finally created the now open source circuit board that can be used to glitch the dish. Broadly, the attack using the custom circuit board works by bypassing signature verification security checks, which look to prove that the system is launching correctly and hasn’t been tampered with. “We’re using this to accurately time when to inject the glitch,” Wouters says.
Starting in May 2021, Wouters began testing the Starlink system, getting 268-Mbps download speeds and 49-Mbps upload speeds on his university building’s roof. Then it was time to open the device up. Using a combination of a “heat gun, prying tools, isopropyl alcohol, and a lot of patience,” he was able to remove the large metal cover from the dish and access its internal components.
Under the 59-cm diameter hood is a large PCB that houses a system-on-chip, including a custom quad-core ARM Cortex-A53 processor, the architecture of which isn’t publicly documented, making it harder to hack. Among other items on the board are radio frequency equipment, power over ethernet systems, and a GPS receiver. Opening up the dish allowed Wouters to understand how it boots up and download its firmware.
To design the modchip, Wouters scanned the Starlink dish and created the design to fit over the existing Starlink board. The modchip requires soldering to the existing Starlink PCB and connecting it using a few wires. The modchip itself is made up of a Raspberry Pi microcontroller, flash storage, electronic switches, and a voltage regulator. When creating the user terminal’s board, Starlink engineers printed “Made on Earth by humans” across it. Wouters’ modchip reads: “Glitched on Earth by humans.”
To get access to the dish’s software, Wouters used his custom system to bypass security protections by using the voltage fault injection attack. When the Starlink dish is turning on, it uses a series of different bootloader stages. Wouters’ attack runs the glitch against the first bootloader, known as the ROM bootloader, which is burned onto the system-on-chip and can’t be updated. The attack then deploys patched firmware on later bootloaders, which allows him to take control of the dish.
“From a high-level view, there are two obvious things that you could try to attack: the signature verification or the hash verification,” Wouters says. The glitch works against the signature verification process. “Normally you want to avoid shorts,” he says. “In this case we do it on purpose.”
Initially, Wouters attempted to glitch the chip at the end of its boot cycle—when the Linux operating system has fully loaded—but ultimately found it easier to cause the glitch at the start of the boot. This way was more reliable, Wouters says. To get the glitch to work, he says, he had to stop decoupling capacitors, which are used to smooth out the power supply, from operating. Essentially, the attack disables the decoupling capacitors, runs the glitch to bypass the security protections, and then enables the decoupling capacitors.
This process allows the researcher to run a patched version of Starlink’s firmware during the boot cycle and ultimately allows access to its underlying systems. In response to the research, Wouters says, Starlink offered him researcher-level access to the device’s software, although he says he declined as he had gone too deep with the work and wanted to build the modchip. (During testing, he hung the modified dish out of this research lab’s window and used a plastic bag as a makeshift waterproofing system.)
Starlink also issued a firmware update, Wouters says, that makes the attack harder, but not impossible, to execute. Anyone wanting to break into the dish in this way would have to put a lot of time and effort into doing so. While the attack isn’t as devastating as being able to take down satellite systems or connectivity, Wouters says it can be used to learn more about how the Starlink network operates.
“What I am working on now is communicating with the backend servers,” Wouters explains. Despite making the details of the modchip available for download on Github, Wouters does not have any plans to sell finished modchips, nor is he providing people with patched user terminal firmware or the exact details of the glitch he used.
As an increasing amount of satellites are launched—Amazon, OneWeb, Boeing, Telesat, and SpaceX are creating their own constellations—their security will come under greater scrutiny. In addition to providing homes with internet connections, the systems can also help to get ships online, and play a role in critical infrastructure. Malicious hackers have already shown that satellite internet systems are a target. As Russian troops invaded Ukraine, alleged Russian military hackers targeted the Via-Sat satellite system, deploying wiper malware that bricked people’s routers and knocked them offline. Around 30,000 internet connections in Europe were disrupted, including more than 5,000 wind turbines.
“I think it’s important to assess how secure these systems are because they are critical infrastructure,” Wouters says. “I don’t think it’s very far-fetched that certain people would try to do this type of attack because it is quite easy to get access to a dish like this.”
Update 5 pm ET August 10, 2022: After Wouters’ conference talk, Starlink published a six-page PDF explaining how it secures its systems. “We find the attack to be technically impressive, and is the first attack of its kind that we are aware of in our system,” the paper says. “We expect attackers with invasive physical access to be able to take malicious actions on behalf of a single Starlink kit using its identity, so we rely on the design principle of ‘least privilege’ to constrain the effects in the broader system.”
Starlink reiterates that the attack needs physical access to a user terminal and emphasizes its secure boot system, which was compromised by the glitching process, is only impacted on that one device. Wider parts of the overall Starlink system are not impacted. “Normal Starlink users do not need to be worried about this attack affecting them, or take any action in response,” Starlink says.