Gaining root access inside one of Starlink’s dishes requires a few hard-to-obtain items: a thorough understanding of the board’s circuitry, hardware and eMMC dumping skills, an understanding of bootable software, and a custom PCB. But researchers have proven that it can be done.
In their talk “Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal”, researchers from KU Leuven in Belgium detailed at Black Hat 2022 earlier this year how they were able to execute arbitrary code on a Starlink user terminal (i.e. the dish) using a custom modchip that performs voltage fault injection. The conference took place in August, but the researchers’ slides and repository have recently made the rounds.
There is no immediate threat, and the vulnerability is both disclosed and limited. While bypassing signature verification allowed the researchers “to further explore the Starlink user terminal and the network side of the system”, the Black Hat slides note that Starlink is “a well-designed product (from a security point of view)”. Getting a root shell was tough, and it didn’t open up any obvious lateral movement or privilege escalation. But updating firmware and reusing Starlink dishes for other purposes? Maybe.
However, satellite security is far from purely theoretical. Satellite provider Viasat has seen thousands of modems taken offline by AcidRain malware, pushed by what most consider Russian state actors. And while the KU Leuven researchers note how difficult and fiddly it would be to connect their custom chip to a Starlink terminal in the wild, many Starlink terminals are placed in some of the most remote locations. That leaves a bit more time to disassemble a unit and make the 20+ fine-tip solder connections detailed in the slide images.
It is not easy to summarize the many techniques and disciplines used in the researchers’ hardware hack, but here is an attempt. After a high-level analysis of the board, the researchers located test points from which to read the board’s eMMC storage. By dumping the firmware for analysis, they found a point where injecting a stray voltage into the central system on a chip (SoC) could change an important variable during boot: “development connection enabled: yes”. It’s slow, it only works occasionally, and tampering with the voltage can cause many other errors, but it worked.
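As an added illustration (not code from the Starlink firmware or from the researchers), here is a C sketch of why a boot-time flag stored as a plain boolean is an easy fault-injection target, and how a redundant check against a non-trivial constant narrows that window; the flag name, the constants and the single-bit-flip fault model are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed example: a boot-time "development login enabled" flag.
 * Glitch-prone pattern: a plain boolean, so any single corrupted bit
 * (or one skipped compare instruction) turns "no" into "yes". */
static bool naive_dev_login_allowed(uint32_t flag)
{
    return flag != 0;                /* any nonzero value opens the door */
}

/* Hardened pattern (assumed, not Starlink's code): the "enabled" state is
 * a constant with many set bits, far in Hamming distance from 0x00000000,
 * 0xFFFFFFFF and the "disabled" constant, and it is checked twice with
 * differently shaped comparisons so a single glitched instruction cannot
 * produce "yes". The default path denies. */
#define DEV_LOGIN_ENABLED   0xA5C33C5Au
#define DEV_LOGIN_DISABLED  0x5A3CC3A5u   /* bitwise complement of ENABLED */

static bool hardened_dev_login_allowed(uint32_t flag)
{
    volatile uint32_t copy = flag;       /* re-read, not cached in a register */
    if (copy != DEV_LOGIN_ENABLED)
        return false;
    if ((copy ^ DEV_LOGIN_ENABLED) != 0u) /* second, differently formed check */
        return false;
    return true;
}

/* Fault model: how many of the 32 single-bit corruptions of the stored
 * "disabled" value does a given check accept as "enabled"? */
static int single_bit_flips_accepted(bool (*check)(uint32_t), uint32_t disabled)
{
    int accepted = 0;
    for (int bit = 0; bit < 32; bit++)
        if (check(disabled ^ (1u << bit)))
            accepted++;
    return accepted;
}

int main(void)
{
    printf("naive:    %d of 32 single-bit flips accepted\n",
           single_bit_flips_accepted(naive_dev_login_allowed, 0u));
    printf("hardened: %d of 32 single-bit flips accepted\n",
           single_bit_flips_accepted(hardened_dev_login_allowed, DEV_LOGIN_DISABLED));
    return 0;
}
```

Real countermeasures add more than this (random delays, redundant storage of the flag, and glitch detectors in hardware), but the comparison shows why a decision that rests on one ordinary boolean is the weak point the slides describe.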
The modchip used by the researchers is centered on a Raspberry Pi RP2040 microcontroller. Unlike most Raspberry Pi hardware, you can seemingly still order and receive the main Pi chip, should you embark on such a journey. You can read more about the firmware dump process in the researchers’ blog post.