The Long, Hard Way to Root the Starlink Terminal
Getting root access to one of Starlink’s dishes requires a few things that are hard to get: a deep understanding of the board layout, eMMC dump hardware and skills, an understanding of the bootloader software, and a custom PCB. But researchers have proven that it is possible.
In their talk “Crashing on Earth by Humans: Assessing the Black Box Security of the SpaceX Starlink User Terminal,” researchers at KU Leuven in Belgium detailed at Black Hat 2022 earlier this year how they were able to execute arbitrary code on a Starlink user. Terminal (for example, a dish) using a specially made modchip through a voltage input. The conversation took place in August, but the slides and the researchers’ repository are recent.
There is no immediate threat, and the vulnerability is disclosed and limited. While bypassing the signature verification allowed the researchers “to further examine the Starlink user terminal and the network side of the system,”the slides from the Black Hat note suggest that Starlink is “a well-designed product (from a security point of view).”It wasn’t easy to get the root shell, and it didn’t result in obvious lateral movement or escalation. But update the firmware and repurpose Starlink dishes for other purposes? Maybe.
It’s not easy to summarize the many methods and disciplines researchers use when hacking hardware, but here’s an attempt. After a thorough analysis of the board, the researchers found breakpoints for reading the board’s eMMC memory. After resetting the firmware for analysis, they found a place where introducing an erroneous voltage to the underlying system on a chip (SoC) could change an important variable during boot: “Development login enabled: yes.”It’s slow, only fires occasionally, and voltage manipulation can cause a lot of other bugs, but it worked.
The modchip used by the researchers is based on the RaspberryPi RP2040 microcontroller. Unlike most Raspberry Pi hardware, you can still order and receive the main Pi chip if you go on such a journey. You can read more about the firmware dump process on the researchers blog.
Leave a Reply