Security Researcher Hacks Starlink With Off-the-Shelf Equipment

Security researcher Lennert Wouters hacked the Starlink satellite constellation with $25 in off-the-shelf equipment. He presented his findings at a computer security conference in Las Vegas.

The security vulnerability involves the widespread deployment of Starlink’s terminals, which connect users to the constellation. SpaceX can manufacture 20,000 Starlink terminals a week and deployed terminals passed the 100,000 mark in August 2021.

Wouters operated a homemade circuit board, also commonly known as a modchip. He could attach it to any Starlink terminal to bypass secure boot protections by interfering with the normal electrical power rails during bootup.

The chip could enable an attacker to gain privileged access to a Starlink terminal, though only if the attacker has physical access to the terminal. The attack does not work remotely and will not affect any of the 2,700 Starlink satellites that are already in orbit. He made the modchip plans available on GitHub to supplement the presentation he made at the computer security conference.

The GitHub description of the circuit board indicates that he expects a recording of the talk to be up soon. It also warns to use the circuit board schematics at one’s own risk. It especially warned that use of the circuit board could do damage to the terminal and disassembling a Starlink terminal could void the warranty.

The plans and description did not include full details of the glitch that Wouters’ customized circuit board could exploit. SpaceX may already be working on a firmware update that fixes the glitch based on the information he provided to claim a bug bounty award. It did already issue a firmware update to disable UART output.

SpaceX operates a bug bounty that anyone who can find a flaw in Starlink’s Internet service may qualify for. In a rare official statement, it complimented Wouters on his findings.

Starlink documentation describes security measures that it already takes, including making each Starlink network device’s unique identification difficult to replicate and reserving the option to disable devices that are used for malicious activity. It also makes it difficult for one Starlink terminal to directly locate or take control of other terminals. The documentation includes the disclaimer that SpaceX can’t always control what terminal owners do with their Starlink terminals once SpaceX has shipped them to buyers.

SpaceX’s beefing up of Starlink security already included improving its ability to resist jamming in the wake of Russia’s invasion of Ukraine. SpaceX had sent as many as 13,000 Starlink terminals to Ukraine as part of the international response to the invasion. Since then, Russian officials spouted the usual rhetoric that included threats against the International Space Station partnership and even Elon Musk. However, the rhetoric seems to be all talk and no action, considering that NASA and Roscosmos recently finalized a deal to fly two cosmonauts on the SpaceX Crew Dragon.

The Starlink security enhancements have not covered someone attaching a customized circuit board to a terminal to gain access to the entire network. Wouters covered his discovery of the security flaw in a talk titled “Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal.”