Gaining root access on one of Starlink’s dishes requires a few things that are hard to come by: a deep understanding of the PCB circuitry, eMMC dump hardware and skills, understanding of the bootloader software, and a custom PCB. But researchers have proven that it can be done.
In their talk “Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal,” researchers from KU Leuven in Belgium explained at Black Hat 2022 earlier this year how they could execute arbitrary code on a Starlink user terminal (i.e. a dish board) using a custom modchip and voltage fault injection. The talk took place in August, but the researchers’ slides and repository have been doing the rounds recently.
There is no immediate threat, and the vulnerability is both public and contained. While bypassing signature verification allowed the researchers to “further explore the Starlink user terminal and the network side of the system,” the Black Hat talk slides note that Starlink is “a well-designed product (from a security standpoint).” Getting a root shell was challenging, and it did not lead to any obvious lateral movement or privilege escalation. But updating firmware and reusing Starlink dishes for other purposes? Perhaps.
Yet satellite security is far from purely theoretical. Satellite provider Viasat saw thousands of modems taken offline by AcidRain malware, pushed by what most believe were Russian state actors. And while the KU Leuven researchers note how unwieldy and awkward it would be to attach their custom modchip to a Starlink terminal in the wild, many Starlink terminals are placed in the most remote locations. That gives someone a little more time to disassemble a unit and make the 20+ fine solder joints shown in the slide pictures.
It’s not easy to summarize the numerous techniques and disciplines used in the researchers’ hardware hack, but here’s an attempt. After some high-level board analysis, the researchers found test points for reading the board’s eMMC storage. After dumping the firmware for analysis, they found a point during boot where glitching the voltage supplied to the core of the system on a chip (SoC) could change an important variable: “develop login enabled: yes.” It’s slow, it only works intermittently, and tampering with the voltage can cause many other errors, but it worked.
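The reason a single glitch can flip a boot decision is that firmware often encodes such a flag as “zero means off, anything else means on”, so one corrupted load or one skipped instruction is enough. The following is an added example, written for this article and not taken from the researchers’ work or from Starlink’s firmware; the flag name, the two sentinel constants and the fault simulation are all constructed. It contrasts a naive boolean check with a check hardened along the usual fault-injection-mitigation lines (sentinel values far apart in Hamming distance, redundant compares on volatile copies) and counts how many single-bit faults each one accepts.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical encodings for a boot-time "developer login" flag
 * (constructed for this example; not Starlink's values). The two constants
 * differ in every one of their 32 bits, so no single bit flip turns
 * "disabled" into "enabled". */
#define DEV_LOGIN_DISABLED 0x5A5A5A5Au
#define DEV_LOGIN_ENABLED  0xA5A5A5A5u

/* Naive check: any non-zero value counts as "enabled". A glitch that sets a
 * single bit, or that skips the instruction clearing the flag, flips the
 * decision. */
bool dev_login_enabled_naive(uint32_t flag) {
    return flag != 0;
}

/* Hardened check: only the exact ENABLED constant passes, and the flag is
 * compared more than once from volatile copies, so a single skipped compare
 * or a single corrupted load is not enough to reach the permissive branch. */
bool dev_login_enabled_hardened(uint32_t flag) {
    volatile uint32_t a = flag;
    volatile uint32_t b = flag;
    if (a != DEV_LOGIN_ENABLED) return false;
    if (b != DEV_LOGIN_ENABLED) return false;
    /* Third test phrased differently (XOR against the constant), so one
     * faulted compare pattern does not satisfy every check the same way. */
    if ((a ^ DEV_LOGIN_ENABLED) != 0) return false;
    return true;
}

/* Fault simulation: start from the "disabled" encoding, flip each of the 32
 * bits in turn, and count how many of the faulted values the checker accepts
 * as "enabled". */
int count_single_bit_faults_accepted(bool (*check)(uint32_t), uint32_t disabled_value) {
    int accepted = 0;
    for (int bit = 0; bit < 32; bit++) {
        uint32_t faulted = disabled_value ^ (1u << bit);
        if (check(faulted)) accepted++;
    }
    return accepted;
}

int main(void) {
    printf("naive:    %d of 32 single-bit faults enable dev login\n",
           count_single_bit_faults_accepted(dev_login_enabled_naive, 0));
    printf("hardened: %d of 32 single-bit faults enable dev login\n",
           count_single_bit_faults_accepted(dev_login_enabled_hardened, DEV_LOGIN_DISABLED));
    return 0;
}
```

The simulation models only value corruption, not the instruction-skip effects a real voltage glitch can also produce, and an optimizing compiler may merge redundant compares unless they are kept apart with `volatile` or explicit barriers as shown; it is a way to reason about why the encoding of a boot flag matters, not a measurement of a given SoC’s glitch resistance.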
The modchip used by the researchers is built around a Raspberry Pi RP2040 microcontroller. Apparently, unlike most Raspberry Pi hardware, you can still order and receive that chip should you embark on such a journey. You can read more about the firmware dumping process in the researchers’ blog post.