this researcher hacked a Starlink terminal (and it wasn’t easy)

A security researcher managed to get a “root shell” on a Starlink terminal. But this attack required many hours of work and the creation of a dedicated circuit board, to be connected to the equipment components.

When a new technology service is available, the first thing hackers do is obviously try to hack it. And that’s exactly what happened with Starlink, the low-orbit satellite internet connection service created by SpaceX. At the Black Hat 2022 conference, running in Las Vegas through August 11, security researcher Lennert Wouters of KU Leuven University demonstrated how to get a “root shell” on a Starlink terminal. Details of this attack will be available soon on GitHub.

A little “glitch” and the door opens

Let’s be clear: this hack is technically very complex and therefore difficult to reproduce for those who don’t know anything about physical attacks. If you’re lucky enough to have a Starlink terminal, don’t bother trying to do the same. To get this “root shell”, you must first remove the metal casing from the satellite dish, so you can access the terminal’s electronics. Then you have to connect through a driver circuit designed by Lennert Wouters.

Black Hat 2022 / Starlink Terminal PCB Circuit
starlink hack
Black Hat 2022 / The special circuit created by Lennert Wouters

When turning on the terminal, this circuit will inject small electrical disturbances (“glitching”) at the right time, which will have the effect of modifying the progress of the boot process (Secure Boot) and loading a modified version of the firmware. And finally, you get full access to the system with administrator privileges. The researcher took advantage of his presentation to demonstrate. It only took a few minutes to get this famous “root shell”.

starlink hack
Black Hat 2022 / Attack Demo

In his attack circuit, Lennert Wouters was careful to print the phrase “Fault on Earth by Humans”. It is a tribute to the SpaceX engineers who printed the Starlink terminal circuit with the phrase “Made on Earth by Humans”. A slogan that can also be found on the Tesla car that Elon Musk sent into space…

The review of the Starlink service is not yet complete. Thanks to this access to the system, Lennert Wouters will now try to exploit the Starlink network and – why not – gain access to satellites or base stations. It is a goal that is far from devoid of interest. The start of the war in Ukraine showed that satellite communications are a priority target in the event of conflict. And since Starlink terminals are used on the ground of this war, it is likely that Russian hackers are already working on possible network failures.

It’s a good quality device.

But hackers risk breaking their teeth. Despite having managed, after many hours of work, to find a way to access the terminal system, Lennert Wouters considers the security level of this product to be good. “There was nothing obvious to explore. Getting root access was difficult, unlike other equipment [de ce type]. And this access does not allow, in the immediate future, to carry out a larger-scale attack “explained the security researcher in Las Vegas.

For their part, SpaceX leaders say they are delighted. In a statement, they congratulated Lennert Wouters on his excellent work and technically impressive. This is the first time they have faced such an attack and they encourage all researchers to do the same, as part of a “bug bounty program”. They also take the opportunity to reassure users. All elements of the Starlink architecture would have been designed according to the principle of “least privilege” to limit the effects of a possible attack. Furthermore, it would not a priori be possible to attack other endpoints from a compromised endpoint. We’ll see.


Black Hat 2022

Leave a Comment