In Space, No One Can Hear You Hack

In Space, No One Can Hear You Hack

Peter Lowe

One of the more interesting—and headline-grabbing*—briefings at Black Hat USA 2022 was by Lennert Wouters titled "Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal". It was a fascinating and thorough overview of the research done into a physical attack on the Starlink terminals, ultimately enabling exploration of the Starlink network from the inside.

Most headlines focused on the "$25 worth of parts" that were used, but this does Wouters a huge disservice: There was an amazing amount of work that went into developing this attack, by some very experienced researchers. The iterations of research that he and his colleagues went through was inspiring to watch, taking place over the course of a year (although Wouters says it's difficult to estimate the number of hours that went into it exactly).

How it Worked

This attack worked by introducing a deliberate glitch into the secure boot process (hence the name of the talk), known as a "voltage fault injection" in the boot loader. This enabled a signature verification to be skipped during booting in order to bypass the security checks. The research was done in an entirely black-box scenario—they had no documentation, SDKs, development hardware, or really any clue about anything when they started.

I don't know much about hardware hacking myself—my experience is limited to mucking around with a soldering iron years ago—so a lot of the hardware details went over my head. It made me wonder, is this how other people must feel when I start going on about DNS security? Although I was able to basically follow what was going on, the last time I used an oscilloscope for anything was a very long time ago indeed.

Even Good Security can be Vulnerable

Most of the headlines would imply that this was an easy hack. Your first impressions when reading one might be that Starlink is a terrible product that anybody with a screwdriver can take over. I mean, we all like hearing about terrible security products, right?

But Wouters had good things to say about Starlink's security in general, describing the system as "a well designed product" from a security standpoint, and that there were no low-hanging fruit to be exploited. And even when a root shell was achieved, it didn't immediately lead to something that scaled to more serious attacks.

SpaceX's Response

When Wouters informed them that he had an attack that fully worked against the Starlink terminals, SpaceX actually offered him a Yubikey that would allow him to SSH into the terminal. He declined—"Too far down the rabbit hole"—but that kind of approach from a company that's being hacked, to a security researcher actively hacking your gear, is absolutely the way to go about it.

Even during the research when he accidentally broke parts of the dish, SpaceX was happy to replace it. And, after the details were released, SpaceX reiterated that they welcome hackers—paying up to $25,000 bounty for "non-disruptive" hacks (i.e. hacks that don't disturb other users).

Secure Your DNS Layer (Even in Space)

The talk ended with Wouters demonstrating the attack on stage and showing the audience debug output from a Starlink terminal itself. That kind of thing is always risky to try, but definitely paid off this time and really put the cherry on the top of an already impressive presentation. (Black) Hats off to you, Lennert!

Now that Starlink has been hacked, though, it raises the interesting question of whether perhaps SpaceX might need some DNS filtering services? Do get in touch if you're reading this, Elon—I'm sure we could all benefit from a few new Anycast nodes in space!

* Apologies must be given for the cheesy headline here, that I confess only has a thin connection to the content—I'm afraid I just couldn't help myself.

Search
Latest posts
5 Cybersecurity Trends That Will Impact Your Company's Security Measures in 2023

Cybersecurity threats have intensified in recent years, requiring that organizations step up their security.

Virginia-Based MSP Finds Peace of Mind with DNSFilter

Virgina-based MSP, Tech Team Solutions, appreciates the peace of mind DNSFilter brings them.

“Nothing else stops ‘em!” says rural ISP, Triangle Communications

Triangle Communications, an ISP serving residents in rural Montana, shares how DNSFilter protects their employees and customers at an unbeatable cost.

Explore More Content

Ready to brush up on something new? We've got even more for you to discover.
dnsfilter ai powered dns security

Intelligent web content filtering

No comparison. No compromises. No-brainer pricing.
START YOUR FREE TRIAL