On Thursday, at the Black Hat security conference in Las Vegas, Lennert Wouters, a security researcher at the University of Leuven in Belgium, will reveal for the first time security vulnerabilities in Starlink user terminals (that is, the satellite antennas installed on houses and buildings). Wouters will describe in detail how an attacker can use a series of hardware vulnerabilities to access the Starlink system and run custom code on the device.
To access the antenna's software, Wouters modified an antenna he had bought and built a custom hacking tool that attaches to it. The tool uses a custom circuit board called a modchip, with parts costing only about $25. Once attached to the antenna, the self-made tool can launch a fault injection attack that temporarily short-circuits the system and bypasses Starlink's security protections. This "fault" let Wouters into the locked Starlink system.
Wouters released the tool on GitHub, including some of the details needed to launch the attack. "As an attacker, suppose you want to attack the satellite itself," Wouters explained. "You can try to get your own system to communicate with satellites, but it's very difficult. So the simpler way is through the user terminal."
Last year, Wouters informed Starlink about these vulnerabilities, and the company paid him a bounty through its vulnerability bounty program. Wouters said that although SpaceX has released an update that makes the attack more difficult (the modchip has been changed), the fundamental problem cannot be solved unless the company develops a new version of the main chip.
Wouters pointed out that all existing Starlink user terminals are still vulnerable to the attack.
According to Wired, Starlink plans to release a "public update" after Wouters's speech at the Black Hat Conference, but declined to disclose any details of the update.
Starlink's Internet system consists of three main parts. The first is the satellites, which run in low Earth orbit, about 340 miles from the surface, and beam connections down to the surface. The satellites communicate with two systems on Earth: the gateways that send Internet connections up to the satellites, and the Dishy McFlatface satellite antennas that people can buy. Wouters' research mainly focuses on these user terminals (antennas). The antennas were originally round, but the new models are rectangular.
Wouters revealed that his attack on the Starlink user terminal involved many stages and technical measures. The end result is an open source hacking tool for Starlink antennas. The attack with this custom circuit board can bypass the signature verification security check performed when the system starts, a check that is meant to prove the system started correctly and has not been tampered with. "We use this circuit board to accurately calculate the time of jet failure," said Wouters.
Wouters began testing the Starlink system in May 2021. He bought a Starlink antenna and tested its normal function (download speed 268 Mbps, upload speed 49 Mbps) on the roof of the university building. Then he began to dismantle the antenna with various tools, using "hot air guns, prying tools, isopropanol and great patience." Finally, he successfully removed the large metal cover on the antenna and reached its internal components.
Photo: Lennert Wouters
Under the cover of the 59 cm diameter antenna is a large PCB carrying a system on chip (above) that includes a custom quad-core ARM Cortex-A53 processor. Its architecture is not publicly documented, which makes it harder to break into. Other components on the board include RF equipment, a power over Ethernet system and a GPS receiver. By taking the antenna apart, Wouters could learn how it boots and downloads its firmware.
Before designing the modchip, Wouters scanned the Starlink antenna and designed the board to fit the existing Starlink PCB. The modchip has to be soldered to the existing Starlink PCB and connected with several wires. The modchip itself consists of a Raspberry Pi microcontroller, flash memory, electronic switches and a voltage regulator. When making the user terminal board, Starlink's engineers printed the words "made by human beings on the earth" on it. Wouters' chip reads: "the failure of mankind on earth."
To access Starlink's software, Wouters used his custom system to bypass the security protections through a voltage fault injection attack. When the antenna is switched on, it runs through a series of different boot loaders. Wouters' attack injects the fault into the first boot loader (called the ROM boot loader), which is burned into the system on chip and cannot be updated. The attacker then deploys custom firmware on the later boot loaders, which gave Wouters control of the whole system.
"At a higher level, there are two obvious objects that can be attacked: signature verification or hash verification," Wouters said. The fault targets the signature verification process. "Usually we always avoid short circuits," he said, "but in this case, we did it on purpose."
At first, Wouters tried to glitch the chip at the end of its boot cycle (that is, once the Linux operating system had fully loaded), but he eventually found it easier to cause the fault at the beginning of boot. Wouters considers this approach more reliable. He said that for the fault to work, he had to stop the decoupling capacitors, which smooth the power supply, from operating. The attack disables the decoupling capacitors, injects the fault to bypass the security protections, and then enables the decoupling capacitors again.
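The single-decision weakness that such a fault exploits, and the usual software countermeasure, can be modelled in a few lines of C. This is an added, generic illustration, not code from Starlink or from Wouters' tool; the fault model (one comparison forced to report a match), the function names and the sample digests are all assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Result codes far apart in Hamming distance: one flipped bit cannot map FAIL to OK. */
#define FIH_OK   0x5A5AA5A5u
#define FIH_FAIL 0xA5A55A5Au

/* Constructed sample digests (not real firmware hashes). */
static const uint8_t trusted[8]  = {0x10,0x32,0x54,0x76,0x98,0xBA,0xDC,0xFE};
static const uint8_t tampered[8] = {0x10,0x32,0x54,0x76,0x98,0xBA,0xDC,0x00};

/* Assumed fault model: the Nth comparison is glitched into reporting a match. */
static int fault_at = 0, cmp_calls = 0;

static uint32_t cmp_digest(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    uint32_t r = diff ? FIH_FAIL : FIH_OK;
    if (++cmp_calls == fault_at) r = FIH_OK;   /* simulated glitch */
    return r;
}

/* Single decision point: one corrupted comparison is enough to boot. */
int boot_naive(const uint8_t *img) {
    return cmp_digest(img, trusted, 8) == FIH_OK;
}

/* Redundant decision: two independent comparisons, default deny. */
int boot_hardened(const uint8_t *img) {
    volatile uint32_t r1 = cmp_digest(img, trusted, 8);
    volatile uint32_t r2 = cmp_digest(trusted, img, 8);
    if (r1 != FIH_OK) return 0;
    if (r2 != FIH_OK) return 0;
    return (r1 == r2) ? 1 : 0;
}

/* One boot attempt with a single simulated fault on comparison n (0 = none). */
int attempt(int (*boot)(const uint8_t *), const uint8_t *img, int n) {
    fault_at = n; cmp_calls = 0;
    return boot(img);
}

int main(void) {
    printf("naive, tampered, fault@1:    %d\n", attempt(boot_naive, tampered, 1));
    printf("hardened, tampered, fault@1: %d\n", attempt(boot_hardened, tampered, 1));
    printf("hardened, tampered, fault@2: %d\n", attempt(boot_hardened, tampered, 2));
    printf("hardened, trusted, no fault: %d\n", attempt(boot_hardened, trusted, 0));
    return 0;
}
```

Redundant checks of this kind only force an attacker to land more than one precisely timed fault, so they make the attack harder rather than impossible.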
This process enables researchers to run a modified version of the Starlink firmware during the boot cycle and so gain access to the underlying system. Wouters said that in response to the research, Starlink offered him researcher-level access to the device software, but he declined because he did not want to go too deep and was focused on building the modchip tool. (During testing, he hung the modified antenna outside the window of the research laboratory and used plastic bags as a temporary waterproofing system.)
Wouters pointed out that although Starlink has also released firmware updates that make the attack harder, it is not impossible. Anyone who wants to break into the antenna in this way must invest a lot of time and energy. Although this kind of attack is not as destructive as taking down satellite systems or satellite communications, Wouters said it can be used to learn more about how the Starlink network operates.
"My first task now is to communicate with the back-end server," Wouters revealed. Although details of the modchip can be downloaded from GitHub, Wouters has no plans to sell finished modchips, nor has he provided the exact details of the modified user terminal firmware or of the faults used in the attack.
As more and more satellites are launched (Amazon, OneWeb, Boeing, Telesat and SpaceX are all building their own constellations), their security will come under closer scrutiny. In addition to providing Internet connections for homes, these systems can also connect ships and play a role in critical infrastructure. Satellite Internet systems have already become a target for malicious hackers.
"I think it's important to assess the security of these systems because they are critical infrastructure," Wouters said. "I think there will always be people trying to carry out this type of attack, because the antenna on the client side is easy to obtain."
Reference link:
/story/starlink-internet-dish-hack/