A Belgian researcher has successfully mounted a fault injection attack on a user terminal for a satellite-based internet system, SpaceX. The recent development was disclosed at the Black Hat event.
A $25 modchip attack
The researcher, Lennert Wouters, has successfully compromised the SpaceX-operated Starlink satellite-based internet system by using a homemade circuit board that only cost him around $25.
To carry out the hack, a voltage fault injection attack was performed on a Starlink User Terminal (UT) or a satellite dish that people use to access the system.
He physically stripped down a satellite dish he purchased and created the custom board that was attached to the Starlink dish.
This allowed him to break into the dish and explore the Starlink network from there, he disclosed in a presentation, Glitched on Earth by Humans, at the annual ethical hacker conference.
About the modchip
The researcher created a tool using low-cost, off-the-shelf parts and used it to gain root access by glitching the Starlink UT security operations center bottom.
To develop the modchip, he scanned the Starlink dish and designed the chip to fit over the existing Starlink board.
He soldered the modchip, including flash storage, electronic switches, voltage regulator, and Raspberry Pi microcontroller, to the existing Starlink PCB and connected it using a few wires.
How does the attack work?
Once attached to the Starlink dish, the tool performs a fault injection attack to short the system temporarily to bypass security protections and break into locked parts of the system.
The attack runs the glitch against the first bootloader; the ROM bootloader burns onto the system and can’t be updated. Then, he deployed patched firmware on later bootloaders to control the dish.
This attack leaves an unfixable compromise of the Starlink UT and allows the execution of arbitrary code. The ability to get root access on the Starlink UT is required to explore the Starlink network freely.
Wouters said “Our attack results in an unfixable compromise of the Starlink UT and allows us to execute arbitrary code.” According to him, Starlink will remain vulnerable to attacks unless SpaceX develops a new model of the terminal’s main chip.
SpaceX has already responded to the researcher’s presentation with a six-page paper published online. Further, the increase in use and deployment of Starlink and other satellite constellations has attracted the attention of threat actors as well researchers in finding security holes to hack such systems.