A researcher developed a method that lets custom code run on Starlink's satellite dishes, using around $25 worth of materials.
Starlink, which is run by Elon Musk, has sent more than 3,000 small satellites into space since 2018. This satellite network beams internet connections to places on Earth that are hard to get to. During Russia's war in Ukraine, this has been an important way to stay connected. As the business grows, there are plans to launch thousands more satellites. Now, as with any new technology, these satellite components are being hacked.
Today, Lennert Wouters, a security researcher at the Belgian university KU Leuven, will reveal one of the first security holes in Starlink's user terminals, the satellite dishes on people's homes and buildings (nicknamed "Dishy McFlatface"). At the Black Hat security conference in Las Vegas, Wouters will talk about how a series of hardware flaws make it possible for attackers to get into the Starlink system and run their own code on the devices.
To get into the software of the satellite dish, Wouters took apart a dish he bought and made a hacking tool that can be attached to the Starlink dish. The hacking tool is a custom circuit board called a "modchip." It is made up of parts that can be bought off the shelf and cost around $25. Once the homemade printed circuit board (PCB) is attached to the Starlink dish, it can launch a fault injection attack, which temporarily shorts out the system to get around Starlink's security measures. This "glitch" lets Wouters get into parts of the Starlink system that were locked before.
Wouters is now publishing his hacking tool as open source on GitHub, along with some of the information needed to launch the attack. "As an attacker, let's say you wanted to attack the satellite itself," Wouters says. "You could try to build your own system that lets you talk to the satellite, but that's not easy. So, if you want to attack the satellites, you should go through the user terminal because it will probably be easier for you."
Last year, the researcher told Starlink about the flaws, and the company paid Wouters through its bug bounty program for finding them. Wouters says that even though SpaceX put out an update to make the attack harder, which is why he changed the modchip, the real problem can't be fixed until the company makes a new version of the main chip. Wouters says that all user terminals that are already in use are vulnerable.
Starlink says it will release a "public update" after Wouters's talk at Black Hat this afternoon, but they wouldn't tell WIRED anything about it before it was published.
The internet system on Starlink has three main parts. First, there are the satellites that move in low Earth orbit, about 340 miles above the surface, and beam connections to the surface. The satellites talk to two systems on Earth: gateways that send internet connections up to the satellites and the Dishy McFlatface dishes that people can buy. Wouters's research is mostly about these user terminals, which used to be round but are now square.
Since the company started selling them, Starlink's user terminals have been taken apart more than once. On YouTube, engineers have opened up their terminals to show their parts and how they work. On Reddit, people talk about the technical details. But Wouters, who has made hardware that can open a Tesla in 90 seconds, looked at how secure the terminal and its chips were. "The user terminal was made by smart people for sure," says Wouters.
Wouters started testing the Starlink system in May 2021. On the roof of his university building, he got download speeds of 268 Mbps and upload speeds of 49 Mbps. The device had to be opened up next. Using a "heat gun, prying tools, isopropyl alcohol, and a lot of patience," he was able to take off the dish's large metal cover and get to the parts inside. Under the 59-cm-wide hood is a large PCB that holds a system-on-chip with a custom quad-core ARM Cortex-A53 processor. The architecture of this processor isn't public, which makes it harder to hack. Radio frequency equipment, power over ethernet systems, and a GPS receiver are also on the board. When Wouters opened the dish, he could see how it starts up and download its firmware.
Wouters scanned the Starlink dish to make the modchip, which was made to fit over the existing Starlink board. For the modchip to work, it needs to be soldered to the Starlink PCB and connected with a few wires. A Raspberry Pi microcontroller, flash storage, electronic switches, and a voltage regulator make up the modchip itself. When Starlink engineers made the board for the user terminal, they wrote "Made on Earth by humans" across it. "Glitched on Earth by humans" is written on Wouters' chip.
Wouters used the voltage fault injection attack on his custom system to get around security measures and get into the software of the dish. When the Starlink dish turns on, it goes through a series of bootloader stages. Wouters' attack uses the glitch against the ROM bootloader, which is burned into the system-on-chip and can't be changed. The attack then puts patched firmware on later bootloaders, which lets him take control of the dish.
Wouters first tried to glitch the chip at the end of its boot cycle, when the Linux operating system was fully loaded. However, he found that it was easier to glitch the chip at the beginning of its boot cycle. Wouters says that this way was safer. He says that to get the glitch to work, he had to stop the decoupling capacitors from working. These are used to smooth out the power supply. The attack basically turns off the decoupling capacitors, runs the glitch to get around the security measures, and then turns on the decoupling capacitors again.
This lets the researcher run a patched version of Starlink's firmware during the boot process, which gives him access to the system's inner workings. Wouters says that Starlink gave him researcher-level access to the device's software in response to his research, but he turned it down because he was too far into the work and wanted to build the modchip. During testing, he hung the modified dish out the window of his research lab and used a plastic bag to keep it dry.
Wouters says that Starlink also sent out a firmware update that makes it harder, but not impossible, to carry out the attack. If someone wanted to break into the dish this way, it would take a lot of time and work. Even though the attack isn't as bad as being able to shut down satellite systems or connections, Wouters says it can be used to learn more about how the Starlink network works.
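As an added illustration (not code from Wouters, Starlink, or the original article), the C sketch below models why a boot-time check that hinges on a single flag is fragile under a glitch like the one described above, next to a commonly used hardening pattern. The function names, status constants, and the single-bit-flip fault model are assumptions; the article does not describe the ROM bootloader's actual code or the contents of the firmware update.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model: a glitch is simplified to one flipped bit in the word
 * that holds the result of firmware verification. All names are hypothetical. */

#define NAIVE_OK   1u
#define NAIVE_FAIL 0u
/* Hardened status codes: bitwise complements, so Hamming distance is 32. */
#define HARD_OK    0x3CA5965Au
#define HARD_FAIL  0xC35A69A5u

/* Weak form: any non-zero value counts as "verified". */
static int naive_accepts(uint32_t status) { return status != 0; }

/* Hardened form: exact multi-bit match, re-checked on the complement;
 * any unexpected value fails closed. */
static int hardened_accepts(uint32_t status) {
    volatile uint32_t s = status;              /* keep both reads in the binary */
    if (s != HARD_OK) return 0;
    if ((uint32_t)~s != HARD_FAIL) return 0;   /* redundant second check */
    return 1;
}

/* Count how many of the 32 possible single-bit faults turn a stored
 * "verification failed" result into "boot this image". */
static int count_bypasses(uint32_t fail_code, int (*accepts)(uint32_t)) {
    int bypasses = 0;
    for (int bit = 0; bit < 32; bit++)
        if (accepts(fail_code ^ (1u << bit)))
            bypasses++;
    return bypasses;
}

int main(void) {
    printf("naive:    %d of 32 single-bit faults bypass the check\n",
           count_bypasses(NAIVE_FAIL, naive_accepts));
    printf("hardened: %d of 32 single-bit faults bypass the check\n",
           count_bypasses(HARD_FAIL, hardened_accepts));
    return 0;
}
```

Real voltage glitches can also skip or corrupt whole instructions, so patterns like this raise the cost of a successful glitch rather than removing the underlying hardware weakness.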
"What I'm working on now is talking to the servers in the back," Wouters says. Even though the details of the modchip can be downloaded from GitHub, Wouters has no plans to sell finished modchips. He also has no plans to share patched user terminal firmware or the exact glitch he used.
As more satellites are put into space (Amazon, OneWeb, Boeing, Telesat, and SpaceX are all building their own constellations), their security will be looked at more closely. The systems can connect homes to the internet, but they can also connect ships to the internet and help with critical infrastructure. Malicious hackers have already shown that satellite internet systems are a target. As Russian troops moved into Ukraine, hackers thought to be from the Russian military attacked the Viasat satellite system. They used something called "wiper malware" to brick people's routers and take them offline. There were problems with about 30,000 internet connections in Europe, including more than 5,000 wind turbines.
"Because these systems are so important, I think it's important to look at how secure they are," Wouters says. "I don't think it's too strange that some people might try to do this kind of attack, since it's not hard to get a dish like this."
Update 5 pm ET August 10, 2022: After Wouters's talk at the conference, Starlink put out a six-page PDF that explained how it keeps its systems safe. The paper says, "The attack is technically impressive and is the first one of its kind we know of in our system." It continues: "We expect that attackers with invasive physical access will be able to use the identity of a single Starlink kit to do bad things on its behalf, so we use the design principle of 'least privilege' to limit the effects on the larger system."
Starlink says again that the attack needs physical access to a user terminal and stresses that the glitching process only affected that one device's secure boot system. Less important parts of the Starlink system as a whole are not affected. Starlink says that normal Starlink users don't need to worry about this attack or do anything to stop it.