The long, solder-heavy way to get root access to a Starlink terminal

No one said root access to space would be easy.

Getting root access inside a Starlink dish requires a few things that are hard to come by: a deep understanding of board circuitry, eMMC dumping skills, an understanding of the bootloader software, and a custom PCB. But researchers have proven that it can be done.

In their talk “Glitched on Earth by humans: A black-box security evaluation of the SpaceX Starlink User Terminal,” researchers at KU Leuven in Belgium demonstrated at Black Hat 2022 earlier this year how they were able to execute arbitrary code on a Starlink user terminal (e.g., the dish board) using a custom modchip through voltage fault injection. The talk took place in August, but the researchers’ slides and repository have only recently drawn attention.

Lennert Wouters of KU Leuven presents the group’s Starlink results at DEF CON 30.

There is no immediate threat, and the vulnerability is both disclosed and limited. While bypassing signature verification allowed the researchers to “explore the Starlink user terminal and the network side of the system further,” slides from the Black Hat talk note that Starlink is “a well-designed product (from a security standpoint).” Getting a root shell was difficult, and doing so did not open up obvious lateral movement or escalation. But updating the firmware and repurposing Starlink dishes for other purposes? Probably.

However, satellite security is far from theoretical. Satellite provider Viasat has seen thousands of modems disabled by AcidRain malware, pushed by what it believes are Russian state actors. And while the KU Leuven researchers have noted how difficult it would be to attach their custom modchip to a Starlink terminal in the wild, many Starlink terminals are placed in the most remote locations. That gives you more time to disassemble the unit and make the 20+ precision solder joints detailed in the slide photos.

It’s not easy to summarize the many techniques and disciplines used in the researchers’ hardware hack, but here’s a try. After performing some high-level analysis of the board, the researchers identified test points for reading the board’s eMMC storage. Dumping the firmware for analysis, they found a place where introducing an errant voltage into the system on a chip (SoC) could modify an important variable during bootup: “Enable development login: Yes”. It’s slow, only works occasionally, and messing with the voltage can cause a lot of other errors, but it worked.

The modchip used by the researchers is built around the Raspberry Pi RP2040 microcontroller. Unlike most Raspberry Pi hardware, you can apparently still order and receive the core Pi chip, should you embark on such a journey. You can read more about the firmware unpacking process in the researchers’ blog post.
