The long, solder-heavy way to get root access to a Starlink terminal

Getting root access inside one of Starlink's dishes requires a few things that are hard to come by: a deep understanding of board circuitry, eMMC dumping hardware and skills, bootloader software understanding, and a custom PCB board. But researchers have proven it can be done.

In their talk "Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal," researchers at KU Leuven in Belgium detailed at Black Hat 2022 earlier this year how they were able to execute arbitrary code on a Starlink User Terminal (i.e., a dish board) using a custom-built modchip through a voltage fault injection. The talk took place in August, but the researchers' slides and repository have recently made the rounds.

There's no immediate threat, and the vulnerability is both disclosed and limited. While bypassing signature verification allowed the researchers to "further explore the Starlink User Terminal and networking side of the system," slides from the Black Hat talk note that Starlink is "a well-designed product (from a security standpoint)." Getting a root shell was challenging, and doing so didn't open up obvious lateral movement or escalation. But updating firmware and repurposing Starlink dishes for other purposes? Perhaps.

Still, satellite security is far from merely theoretical. Satellite provider Viasat saw thousands of modems knocked offline by AcidRain malware, pushed by what most assess to be Russian state actors. And while the KU Leuven researchers note how unwieldy and tricky it would be to attach their custom modchip to a Starlink terminal in the wild, many Starlink terminals are placed in the most remote locations. That gives you a bit more time to disassemble a unit and make the more than 20 fine-point soldering connections detailed in slide images.

It's not easy to summarize the numerous techniques and disciplines used in the researchers' hardware hack, but here is an attempt. After some high-level board analysis, the researchers located test points for reading the board's eMMC storage. Dumping the firmware for analysis, they found a place where introducing errant voltage into the core system on a chip (SoC) could modify an important variable during bootup: "development login enabled: yes." It's slow, it only works occasionally, and the voltage tampering can cause lots of other errors, but it worked.

The modchip used by the researchers is centered around a RaspberryPi RP2040 microcontroller. Unlike most Raspberry Pi hardware, you can still seemingly order and receive the core Pi chip, should you embark on such a journey. You can read more about the firmware dumping process in the researchers' blog post.