This researcher hacked a Starlink terminal (and it wasn’t easy)

A security researcher managed to obtain a “root shell” on a Starlink terminal. But the attack required many hours of work and a purpose-built circuit board that connects to the terminal’s components.

When a new technology service becomes available, the first thing hackers do is try to hack it. That is exactly what happened with Starlink, the low-orbit satellite internet service developed by SpaceX. At the Black Hat 2022 conference, held in Las Vegas until August 11, Lennert Wouters, a security researcher at KU Leuven University, demonstrated how to get a “root shell” on a Starlink terminal. Details of this attack will soon be available on GitHub.

A small “glitch” and the door opens

Let’s be clear: this hack is technically very complex and therefore difficult to reproduce for anyone unfamiliar with physical attacks. If you are lucky enough to have a Starlink terminal, don’t bother trying to do the same. To get to this “root shell”, you must first remove the metal shell of the satellite dish to access the terminal’s electronic components. Then you need to connect to them through a driver circuit designed by Lennert Wouters.

[Image: Starlink terminal circuit board (Black Hat 2022)]
[Image: Special circuit created by Lennert Wouters (Black Hat 2022)]

When the terminal is powered on, this circuit injects small electrical disturbances (“glitching”) at just the right moment, which alters the course of the boot process (Secure Boot) and causes a modified version of the firmware to be loaded. The result is full access to the system with administrator privileges. The researcher used his presentation to give a demonstration: it took only a few minutes to get this famous “root shell”.

[Image: Attack demonstration (Black Hat 2022)]

On his attack circuit, Lennert Wouters took care to print the sentence “Confusion on Earth by Man”. This is a nod to the SpaceX engineers who printed the phrase “Made on Earth by Man” on the Starlink terminal circuit, a slogan that can also be found in the Tesla car that Elon Musk sent into space…

The analysis of Starlink services is not yet complete. Thanks to this access to the system, Lennert Wouters will now try to explore the Starlink network and – why not – gain access to satellites or base stations. This is a goal that is far from devoid of interest. The start of the war in Ukraine showed that satellite communications are a priority target in a conflict. And since Starlink terminals are used on this battlefield, it is likely that Russian hackers are already looking for potential flaws in the network.

It is a good quality tool

But hackers risk coming up short. Although he managed to find a way into the terminal’s system after many hours of work, Lennert Wouters considers the security level of this product to be good. “There was nothing obvious to exploit. Getting root access was difficult, unlike other gear [of this type]. And this access does not allow a large-scale attack to be carried out in the immediate future,” the security researcher explained in Las Vegas.

For their part, SpaceX leaders said they were delighted. In a statement, they congratulated Lennert Wouters for his outstanding and technically impressive work. This is the first time they have encountered such an attack, and they are encouraging all researchers to do the same as part of a “bug bounty program”. They also took the opportunity to reassure users. All components of the Starlink architecture were designed according to the principle of “least privilege” to limit the impact of potential attacks. Also, attacking other terminals from a compromised terminal would not be a priority. We will see.

