Since 2018, Elon Musk’s Starlink satellite network has sent more than 3,000 small satellites into space to provide internet connections to remote locations around the world. Starlink is a critical source of connectivity in Russia’s war in Ukraine, as it beams signals from space to remote locations on Earth. As the satellite industry grows, more and more companies are launching satellites. Now, hackers are targeting this new technology.
Lennert Wouters, a security researcher at KU Leuven University in Belgium, will reveal one of the first vulnerabilities in Starlink’s user dishes, which are positioned on people’s homes and buildings. Wouters will demonstrate at the Black Hat security conference in Las Vegas how hackers can gain access to the Starlink system and customize its code by exploiting a variety of hardware vulnerabilities.
Lennert Wouters at Black Hat USA 2022
Black Hat has grown from a single annual conference to the world’s most esteemed information security event series. Established in 1997, it provides the most pertinent and relevant information security research. The security community attends these multi-day events to receive the latest cutting-edge research, developments, and trends.
During the 2022 edition, Lennert Wouters, a PhD Researcher at KU Leuven, presented the first black-box hardware security evaluation of the SpaceX Starlink User Terminal (UT). He crafted a special electronic device (a “modchip”, or modification chip) to alter the behavior of the Starlink UT, and released the code on GitHub for research purposes.
The attack involved physical access to the satellite dish, followed by a quite complex electronic bypass that finally allowed Lennert to establish an SSH connection to the device’s back-end software.
Tearing down the SpaceX User Terminal
The Starlink system consists of three distinct parts:
- The satellites: at 340 miles above the earth’s surface, they send internet connections to earth.
- The gateway stations: ground stations that link the satellites in space and the internet data centers on Earth.
- The Dishy McFlatface: end user satellite dishes on earth that send and receive internet connections from satellites.
Wouters focuses his research on these user dishes. Since Starlink started selling them, there have been numerous teardowns of the terminals. Engineers on YouTube have opened them up and exposed the components and how they work. Technical specs are also provided on Reddit. The researcher, who previously created a hardware device that unlocks a Tesla in 90 seconds, looked at the security of the terminal and its chips. “The user terminal was undoubtedly created by capable individuals,” he says.
Lennert’s goal was to hack the satellite receiver so that he could create a circuit board that would disrupt signals, without destroying the equipment. He counted on bypassing the security checks that ensure the equipment is functioning properly and has not been tampered with. Wouters began testing Starlink in May 2021 to determine whether it could deliver the speeds he desired. He was able to access the device’s internal components using a lot of time, a heat gun, prying tools, and isopropyl alcohol.
There’s no public documentation on the architecture of the quad-core ARM Cortex-A53 system-on-chip in the 59-cm-wide hood. That makes it more difficult to hack the radio frequency equipment, power over ethernet systems, and GPS receiver. But after opening the dish up, he still managed to identify how it booted up and received its firmware. Wouters reverse-engineered the Dishy McFlatface and made a modchip design to fit onto the existing Starlink printed circuit board (PCB). His modchip consists of a Raspberry Pi microcontroller, flash storage, electronic switches, and a voltage regulator.
The researcher was then able to bypass the security protections on the dish by using voltage fault injection to gain access to the device’s software. When you turn on the Starlink device, it goes through several bootloader stages. The first bootloader is the ROM bootloader, which is permanently burned onto the system-on-chip and can’t be updated. Wouters uses patched firmware to control the device after the ROM bootloader.
SpaceX acknowledgement
SpaceX congratulated Wouters on this achievement. It also emphasized that this kind of hack has a low impact on the network and its users. Starlink issued a firmware update to make this kind of attack harder, but not impossible. To make this type of intrusion, someone would have to put a lot of time and effort into it. The attack is not as devastating as being able to disable satellite networks or connectivity. But someone may use it to gain a better understanding of the Starlink network.
After Lennert’s presentation at Black Hat USA 2022, SpaceX released a call to all security researchers to “bring on the bugs”. They already have an open Bug Bounty program that allows researchers to responsibly disclose security bugs to the manufacturer.
It is notoriously difficult to protect a device to which a hacker has constant unmonitored physical access. And this is only the beginning, with the rise of smart vehicles, Industry 4.0, and the Internet of Things (IoT).
Satellite Cybersecurity and future challenges
Satellite hijacking and hacking is not a new story. The website SpaceSecurity goes back to a data communication hijacking in 1977. More recently, an hour before Russian troops invaded Ukraine, the American satellite company Viasat was reportedly hacked. Officials from the US, the EU and the UK pointed at Russian government hackers.
It’s harder to defend satellites against intrusion because there are numerous points of entry, not just one. As their primary purpose is to communicate, a lot of doors have to be open to other satellites from the fleet or to ground stations. Hacking the computer network of a ground station would open up a whole world of malicious possibilities.
Satellites are also vulnerable to a wide range of disruptive events. From software hacking to signal jamming or hijacking, defending satellites from cyberattacks is way more complicated than defending against regular space threats (such as collisions) because of the variety of threat actors. Cybercriminals easily access open telecom networks to establish communication.
Collaboration between governments, satellite manufacturers, operators, software developers, and service users is necessary in order to address the issues raised by satellite cybersecurity. Each domain should share its lessons and experiences in order to properly address the issues raised here. Terrestrial and space systems are becoming increasingly interconnected. An informed and collaborative exchange is required between what have traditionally been regarded as separate areas of cyber threat management.