The long, soldering-intensive way to gain root access to a Starlink terminal

The long, soldering-intensive way to gain root access to a Starlink terminal

Nobody said that getting root access to space would be easy.
Enlarge / Nobody said that getting root access to space would be easy.

Getting root access to any of Starlink’s dishes requires some hard-to-get things: a deep understanding of board circuitry, eMMC dumping hardware and skills, understanding of bootloader software, and a custom circuit board. But researchers have proven it can be done.

In their presentation, “Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal,” researchers at KU Leuven in Belgium explained earlier this year at Black Hat 2022 how they could run arbitrary code on a Starlink user Terminal (i.e. a dish board) with a custom built modchip through a voltage error injection. The talk was held in August, but the researchers’ slides and archive have been circulating recently.

There is no immediate threat and the vulnerability is both disclosed and contained. While bypassing signature verification allowed researchers to “further explore the Starlink user terminal and network side of the system,” slides from the Black Hat presentation note that Starlink is “a well-designed product (from a security standpoint).” Obtaining a root tray was challenging and this did not result in any apparent lateral movement or escalation. But upgrading firmware and repurposing Starlink dishes for other uses? Maybe.

Still, satellite security is far from just theoretical. Satellite provider Viasat saw thousands of modems taken offline by AcidRain malware, seen by most as Russian state actors. And while KU Leuven researchers are realizing how unwieldy and difficult it would be to attach their custom modchip to a Starlink terminal in the wild, many Starlink terminals are found in the most remote of locations. This gives you a little more time to disassemble a unit and make the 20+ fine point solder connections detailed in the slide images.

It’s not easy to summarize the numerous techniques and disciplines used in the researchers’ hardware hack, but here’s an attempt. After some high-level board analysis, the researchers located test points for reading the board’s eMMC storage. When they filed the firmware for analysis, they found a spot where introducing a faulty voltage into the core system on a chip (SoC) could change a key variable during boot: “Development Login Enabled: Yes”. It’s slow, it only works occasionally, and manipulating the voltage can cause many other bugs, but it worked.

The modchip used by the researchers is based on a RaspberryPi RP2040 microcontroller. Unlike most Raspberry Pi hardware, you can apparently still order and receive the core Pi chip should you embark on such a journey. You can read more about the firmware dumping process in the researchers’ blog post.

Leave a Reply

Your email address will not be published. Required fields are marked *