The long and hard way to get root access on a Starlink terminal

Making root access inside one of the Starlink dishes it requires a few things that are hard to come by: a deep understanding of the board’s circuitry, eMMC hardware and dumping capabilities, an understanding of the bootloader software, and a custom PCB board. But researchers have proven that it can be done.

In their talk “Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal,” researchers at KU Leuven in Belgium detailed at Black Hat 2022 earlier this year how they were able to execute arbitrary code in a Starlink user. Terminal (eg, a dish plate) using a custom modchip through a voltage fault injection. The talk took place in August, but the slides and the researcher’s repository happened more recently made the rounds.

There is no immediate threat, and the vulnerability is discovered and limited. While bypassing signature verification allowed the researchers to “further explore the Starlink User Terminal and the network side of the system.” slide from the Black Hat talk note that Starlink is “a well-designed product (from a security perspective).” Getting a root shell was challenging, and doing so didn’t open up noticeable lateral movement or scaling. But updating the firmware and repurposing the Starlink dishes for other purposes? Maybe.

However, satellite security is not just theoretical. Satellite provider Viasat saw thousands of modems locked offline by AcidRain malware, pushed by what most view as Russian state actors. And while the KU Leuven researchers note how difficult and complicated it would be to connect their custom modchip to a Starlink terminal in the wild, many Starlink terminals are placed in more remote locations. This gives you a little more time to disassemble a unit and make the more than 20 fine spot weld connections detailed in the slide images.

It’s not easy to summarize the many techniques and disciplines used in hacking researcher hardware, but here’s an attempt. After some high-level analysis of the board, the researchers found the test points for reading the board’s eMMC storage. Dumping the firmware for analysis, they found a place where introducing the wrong voltage to the core system-on-a-chip (SoC) could modify an important variable during bootup: “development identification enabled: yes”. It’s slow, only works occasionally, and voltage jitter can cause a lot of other errors, but it worked.

of modchip used by researchers is centered around a RaspberryPi RP2040 microcontroller. Unlike most Raspberry Pi devices, you can still order and receive the basic Pi chip if you embark on such a journey. You can read more about the firmware flashing process at researchers blog post.