Belgian security researcher [Lennert Wouters] has gotten his own code running on the Starlink “Dishy McFlatface” satellite terminals, and you can too! The hack in question is a “modchip” with an RP2040 and a MOSFET that briefly crowbars the power rails, browning out the main CPU at exactly the moment it is verifying the firmware’s validity, so that the check is skipped and the protection is bypassed entirely. [Lennert] had previously figured out how to dump the Starlink firmware straight from the eMMC, and with the ability to upload modified firmware back, the circle of pwnership is closed. This was a talk at DEFCON, and you can check out the slides here. (PDF)
The mod chip itself was a sweet piece of work, being tailored to fit into the Starlink’s motherboard just so, and taking good advantage of the RP2040’s PIOs, which are probably the microcontroller’s superpower.
[Lennert] says he submitted his glitch attack to Starlink and they took some precautions to make the glitching harder. In particular, [Lennert] was triggering his glitch off the USART port coming up on the Starlink unit, so Starlink simply shut that port down. But any other digital signal with a fixed timing relationship to the verification will do as a trigger, so he moved to the eMMC’s D0 data line: the terminal can’t boot without reading firmware from eMMC, so that trigger can’t be taken away and this hack is probably final. No shade against Starlink here. It’s almost impossible to shield a device against an attacker who has it on their bench, and [Lennert] concludes that he found no low-hanging fruit and was impressed that he had to work so hard to get root.
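To make the failure mode concrete, here is an added example (written for this page, not code from [Lennert]’s talk or from Starlink’s firmware) that simulates what a well-timed glitch does to a boot-time verification check. The fault model is an assumption of the example: a glitch that lands on a conditional branch makes the CPU skip it, so the reject path is never taken. The “signature” is a toy keyed checksum (`toy_mac`), also an assumption, standing in for the real signature check. `naive_boot` is the usual single-branch gate; `hardened_boot` uses a non-trivial success constant, runs the check twice and cross-checks the results. The sweep functions try every glitch position against a tampered image and count how many let it boot.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fault model (assumption of this example): a glitch on a conditional
 * branch skips it. g_fault_a / g_fault_b are the 1-based check numbers
 * to skip during one boot attempt; 0 means no fault in that slot. */
static int g_fault_a, g_fault_b, g_check_idx;

#define REJECT_IF(cond)                                                        \
    do {                                                                       \
        g_check_idx++;                                                         \
        bool skipped = (g_check_idx == g_fault_a || g_check_idx == g_fault_b); \
        if (!skipped && (cond)) return false;                                  \
    } while (0)

/* Toy keyed checksum standing in for a real signature check (assumption). */
static const uint32_t KEY = 0x9E3779B9u;

static uint32_t toy_mac(const uint8_t *img, size_t len) {
    uint32_t h = 0x811C9DC5u ^ KEY;
    for (size_t i = 0; i < len; i++) { h ^= img[i]; h *= 16777619u; }
    return h;
}

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Image = payload || 4-byte little-endian MAC. Returns total length. */
size_t make_image(const uint8_t *payload, size_t plen, uint8_t *out) {
    memcpy(out, payload, plen);
    uint32_t m = toy_mac(out, plen);
    for (int i = 0; i < 4; i++) out[plen + i] = (uint8_t)(m >> (8 * i));
    return plen + 4;
}

/* Naive loader: "0 means OK" and a single branch guarding the jump into
 * the image. One skipped branch boots anything. */
bool naive_boot(const uint8_t *img, size_t len) {
    g_check_idx = 0;
    int rc = (len >= 4 && toy_mac(img, len - 4) == read_le32(img + len - 4)) ? 0 : -1;
    REJECT_IF(rc != 0);                      /* check #1: the only gate */
    return true;                             /* jump to image */
}

/* Hardened loader: success is a non-trivial constant (a zeroed or skipped
 * register cannot look like success), verification runs twice into separate
 * results, and the results are cross-checked. Real firmware would also put
 * a random delay between the two runs, which this simulation leaves out. */
#define VERIFY_OK 0x3CA5C35Au

static uint32_t verify_hardened(const uint8_t *img, size_t len) {
    if (len < 4) return 0;
    return toy_mac(img, len - 4) == read_le32(img + len - 4) ? VERIFY_OK : 0;
}

bool hardened_boot(const uint8_t *img, size_t len) {
    g_check_idx = 0;
    volatile uint32_t r1 = verify_hardened(img, len);
    REJECT_IF(r1 != VERIFY_OK);              /* check #1 */
    volatile uint32_t r2 = verify_hardened(img, len);
    REJECT_IF(r2 != VERIFY_OK);              /* check #2 */
    REJECT_IF((r1 ^ r2) != 0);               /* check #3: both runs must agree */
    return true;
}

typedef bool (*boot_fn)(const uint8_t *, size_t);

/* Sweep every single glitch position 1..nchecks; count boots of a bad image. */
int single_fault_bypasses(boot_fn boot, const uint8_t *img, size_t len, int nchecks) {
    int hits = 0;
    for (int a = 1; a <= nchecks; a++) {
        g_fault_a = a; g_fault_b = 0;
        if (boot(img, len)) hits++;
    }
    g_fault_a = g_fault_b = 0;
    return hits;
}

/* Same sweep with two glitches per boot attempt. */
int double_fault_bypasses(boot_fn boot, const uint8_t *img, size_t len, int nchecks) {
    int hits = 0;
    for (int a = 1; a <= nchecks; a++)
        for (int b = a + 1; b <= nchecks; b++) {
            g_fault_a = a; g_fault_b = b;
            if (boot(img, len)) hits++;
        }
    g_fault_a = g_fault_b = 0;
    return hits;
}

/* Constructed sample: a 6-byte "payload" signed with make_image, plus a copy
 * with one byte flipped (which changes the MAC, so it must be rejected). */
static size_t sample(uint8_t *good, uint8_t *bad) {
    size_t n = make_image((const uint8_t *)"bootfw", 6, good);
    memcpy(bad, good, n);
    bad[0] ^= 0x01;
    return n;
}

bool demo_good_image_boots(void) {
    uint8_t good[16], bad[16]; size_t n = sample(good, bad);
    return naive_boot(good, n) && hardened_boot(good, n) && !naive_boot(bad, n) && !hardened_boot(bad, n);
}
int demo_naive_single_fault(void) {
    uint8_t good[16], bad[16]; size_t n = sample(good, bad);
    return single_fault_bypasses(naive_boot, bad, n, 1);
}
int demo_hardened_single_fault(void) {
    uint8_t good[16], bad[16]; size_t n = sample(good, bad);
    return single_fault_bypasses(hardened_boot, bad, n, 3);
}
int demo_hardened_double_fault(void) {
    uint8_t good[16], bad[16]; size_t n = sample(good, bad);
    return double_fault_bypasses(hardened_boot, bad, n, 3);
}

int main(void) {
    printf("naive, 1 glitch: %d bypass\n", demo_naive_single_fault());
    printf("hardened, 1 glitch: %d bypass\n", demo_hardened_single_fault());
    printf("hardened, 2 glitches: %d bypass\n", demo_hardened_double_fault());
    return 0;
}
```

The naive loader falls to a single glitch; the hardened one needs two glitches landing on two different checks in the same boot, which is what the redundancy buys. No finite number of checks makes this impossible, only more expensive, which matches the article’s point that a device on the attacker’s bench cannot be fully shielded.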
What can you do with this? Not much, yet. But in principle, it could be used to explore the security of the rest of the Starlink network. As reported in Wired, Starlink says that they’ve got a defence-in-depth system and that just getting into the network doesn’t really get you very far. We’ll see!
Thanks [jef] for the tip!
Glitched on Earth by Humans 🤣
I expect Starlink to revise their hardware to make this trick more difficult. They have currently updated the firmware, which makes it less likely to work, but it will take a chip revision to eliminate this hack. Considering the supply chain is backed up with orders, they are going to stick with the chips they have and modify the stuff they can.
Sanded chips and epoxy blobs ahoy… though defense in depth implies other counter-sploit technologies such as..
Elongated Muskrat: “Phone the cryostorage, have them defrost the lawyers, I want enhanced yield
DMCA sueballs exploding round their ears by noon tomorrow.”
They have a bug bounty programme: https://bugcrowd.com/spacex
Shouldn’t the title be “Ground Terminal Hacked”? The ground station really implies the equipment that maintains the satellite network.
Congrats on taking the bait, like all of us.
If you have HW RNG available you can throw in some random delays between peripheral access and security checks. Since those delays are different on each boot it makes it harder to glitch reliably.
If the whole thing is designed right, hacking the ground station shouldn’t get you much, i.e. even if they made it open hardware/firmware the system (designed right) should be secure…
I assume it’s kinda like hacking a cable modem, they’ll blacklist your MAC real quick, then you have to try cloning valid MACs and playing cat and mouse in that layer.
On the other side: DSL Modems can sometimes be flashed with OpenWRT or otherwise hacked and nobody gives a shit, because there are no secrets hidden in them. No holy mac address that identifies you in the network. Just a user provided Username&PW and you can use whatever hardware you like.
Well, there usually is binary firmware for the DSPs and similar. So you can’t make your modem send arbitrary waveforms to the network. But cable’s security model was for a long time “the modem is not hacked”, while DSL always had proper authentication.
DOCSIS can be configured in several ways that don’t require a trusted modem. Many providers just didn’t, and some still don’t.
There are some providers that allow you to use a customer provided CPE, but many DOCSIS modems are a plain bridge anyway so you don’t get much extra.
Of course, cable being a shared medium makes all kinds of PHY layer DoS attacks possible, but you can do it much easier with a signal generator attached to the wire versus a modified modem…
Original MAC addresses are easy-peasy to spoof. Just be sure not to be detected rooting around in there ;-)
MAC addresses were never intended for security. Anyone relying on that checks a few base practice checkboxes: security by obscurity, false sense of security, lowering requirements on layers where it would matter.
Am I the only one who thinks: this could be one badass SAR! whenever I look at Dishy McFlatface’s phased array antenna?
But, but, doesn’t that void the warranty.
B^)
There is really no good way to secure hardware that someone has physical access to. All you could really expect is that the Starlink network eventually figure out if a device violates its protocols and shuts it down. All satellite systems rely on the transmitting devices to be good citizens because someone transmitting at the wrong time or at the wrong power can compromise the entire network. Doing that would lead to big penalties and problems from the FCC and possibly other agencies.
I would assume that the Starlink network just has the ability to stop talking to any device it thinks is compromised. If it does not respond the way they expect, they just will not give it timeslots on the network. You might be able to stop the local processor from doing its integrity checks but you cannot ignore challenges and commands coming on from the network without getting dumped.
In fact there are a lot of ways to secure hardware you have physical access to.
But none are simple, fast or cheap.
Or even what anyone would want anyway. Security can’t be in some secret device, it has to come from the architecture of the communication protocol itself.