The Hacking of Starlink Terminals Has Begun (wired.com) 48
AmiMoJo shares a report from Wired: Since 2018, ELON Musk's Starlink has launched more than 3,000 small satellites into orbit. This satellite network beams internet connections to hard-to-reach locations on Earth and has been a vital source of connectivity during Russia's war in Ukraine. Thousands more satellites are planned for launch as the industry booms. Now, like any emerging technology, those satellite components are being hacked. Today, Lennert Wouters, a security researcher at the Belgian university KU Leuven, will reveal one of the first security breakdowns of Starlink's user terminals, the satellite dishes (dubbed Dishy McFlatface) that are positioned on people's homes and buildings. At the Black Hat security conference in Las Vegas, Wouters will detail how a series of hardware vulnerabilities allow attackers to access the Starlink system and run custom code on the devices.
To access the satellite dish's software, Wouters physically stripped down a dish he purchased and created a custom hacking tool that can be attached to the Starlink dish. The hacking tool, a custom circuit board known as a modchip, uses off-the-shelf parts that cost around $25. Once attached to the Starlink dish, the homemade printed circuit board (PCB) is able to launch a fault injection attack -- temporarily shorting the system -- to help bypass Starlink's security protections. This 'glitch' allows Wouters to get into previously locked parts of the Starlink system. The researcher notified Starlink of the flaws last year and the company paid Wouters through its bug bounty scheme for identifying the vulnerabilities. Wouters says that while SpaceX has issued an update to make the attack harder (he changed the modchip in response), the underlying issue can't be fixed unless the company creates a new version of the main chip. All existing user terminals are vulnerable, Wouters says. Wouters is making his hacking tool open source on GitHub. Following his presentation, Starlink says it plans to release a "public update" to address the issue but additional details were not shared.
Don't get too excited (Score:2)
Back in ye olde days when DirecTV hacking was a thing, that company went completely scorched Earth and sued every customer who bought hardware which could be used for stealing service. Musk taking a page out of DirecTV's book totally wouldn't surprise me. Don't poke the Elongated Muskrat, kids; he bites.
Re: (Score:2)
He's not selling hardware.
He was likely offering SpaceX the opportunity to recompense him for the inability to academically publish his research to the extent he desired and needed for his career. The current situation is likely what 25K$ bought SpaceX in that regard.
Re: (Score:2)
> He's not selling hardware.
But since he did release everything on his Github, it'd be trivial for someone else who is so inclined, to produce the hardware.
Re: Don't get too excited (Score:4, Insightful)
I kind of doubt the usefulness of this hack includes getting free service, so I don't think the DirecTV situation is applicable.
Re: (Score:2)
Agreed. The only thing those stories have in common is... a dish?
The issue with Dish Network and other satellite providers is they were effectively one way. The media was streamed out for anyone to decrypt AND use stealthily.
With Satellite internet it's pretty useless if it's unidirectional and anyone trying to send data would have their stream ignored. The other malicious option of DDOSing satellites would get expensive because unlike zombie bots that hijack other people's unsecured PCs this is a hardwar
Re: (Score:1)
> All bug bounty hunters are black hats
You have to think like a black hat and know how a black hat works to beat a black hat. Intent is the difference, see Mens Rea. With bug bounties you stop before you cause harm, demonstrating your lack of intent to harm, showing a lack of mens rea.
Bug bounty != blackmail (Score:4, Informative)
"Lovely datacentre you have here. It'd be a shame if anything would happen to it."
The difference between a bug bounty and protection racket is that:
- The hacker doesn't just literally say "...if anything would happen..." but goes into great detail to explain what vulnerability there is. It's not just menacing, it's detailing what is built wrong, e.g., in said datacentre, there's actually flammable material that could allow an arsonist to set the whole centre on fire.
- The owner doesn't just pay appeasement money to delay some crime, they are paying the bounty to buy all the details of the bug, and temporary exclusivity over that information. The owner is supposed to use that time to fix the problem, so by the time the hacker goes public with the information, the risk has been mitigated. E.g., in your datacentre metaphor, the owner buys a detailed list of every inflammable material in the centre, and arranges for a 6-month exclusivity of the information, so they can replace it. 6 months later, the datacentre is now supposedly fire-proof (to the best knowledge of the owner and the hacker) and the hacker is giving an interview on TV: "How I discovered that the datacentre could go up in flames".
In the specific case of Starlink, the security flaw is not fixable without making an entirely new device due to fundamentally bad design.
It is as if your metaphorical datacentre turned out to be entirely made of highly inflammable ethanol-impregnated wood. In the 6 months the owner managed to dry the alcohol out of the wood, but it's still very flammable and the only way to actually fix it would be to build an entirely new (costly) datacentre, because the owner was too cheap to hire an actual architect consultant to explain some basics.
I am sure there's also a car metaphor somewhere that we could use.
And let's completely miss the point!~ (Score:2)
I would suggest it would be easiest if you start your search with Tesla's "Full Self Driving" feature.
Oh, yeah, great idea!
So imagine there is flammable material inside the computer running the AI, and there is a manufacturing problem in the under-seat fire extinguisher that you're supposed to use to put out this fire.~~~
Yup, that's what you get when English is your third language, none of which agree with the 2 others how to spell words they lifted from ancient Greek (and none of them sharing an alphabet with that one): a lot of sic burns.
Re: Bug bounty != blackmail (Score:2)
FSD's critics love to moan about its limits compared to hypothetical "attentive, well-trained drivers", and completely miss the point that it's a *huge* net improvement over the historical safety rate of its *actual users*.
FSD's most enthusiastic users wouldn't be paying (much) attention if they were driving a "normal" car, either. At least with FSD, *something* is paying attention to the road at all times. The proper metric isn't "thoughtful, attentive drivers vs FSD", it's "actively-distracted drivers who
Re: (Score:2)
what the actual fuck does tesla have to do with fsd, apart from fraudulently claiming they offer it?
Hacking is such a general term. (Score:2, Insightful)
Re: (Score:2)
Re:Hacking is such a general term. (Score:5, Interesting)
That's not what TFA is saying.
Like many embedded systems, the dish uses an SoC with protection to stop the firmware being read out or replaced with something else. Like most of those systems, it is vulnerable to having the protection disabled by glitching the power supply. Through trial and error it is possible to determine exactly when to make the power supply glitch to cause the embedded security system to skip over disabling debug capability or firmware signature checks.
So now the firmware can be read out, and new code injected. By doing that, flaws in the boot process firmware, stored internally in the SoC in a ROM that cannot be updated, have been found and exploited. It can't be fixed, the only solution is to replace every single dish out there and then block access to all V1 models. Even then, Starlink can't stop them transmitting stuff to the satellite...
Which brings us to the next and much bigger problem. Now that the firmware can be examined and hacked to send arbitrary signals to the satellite, the satellites themselves are vulnerable. If there is some kind of flaw in the satellite's firmware, say a buffer overflow or crash due to receiving bad data, the satellites could experience anything from a DOS attack to being hacked to run arbitrary code themselves.
Presumably Starlink prepared for this as it was somewhat inevitable, but if someone finds a way to brick satellites it could take out a lot of them before Starlink can react and get protections in place. Remember that from Starlink's point of view they will just see satellites going dark, they won't have any idea who did it or how, or what the vulnerability is, and unless they can revive the bricked satellites there may be no way to get that data.
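Why a single skipped or corrupted check is enough to defeat a signature gate, and how redundant fail-closed checks raise the cost, shown as an added example that is not part of the original comment and not Starlink's code. It assumes a simplified fault model in which one glitch inverts the outcome of exactly one decision; the function names, status constants and digests are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define VERIFY_OK   0x3CA5965Au /* bitwise complements of each other, so a */
#define VERIFY_FAIL 0xC35A69A5u /* few flipped bits cannot turn FAIL into OK */

/* Constructed fault model: the decision numbered fault_at comes out inverted
 * (0 = no glitch). A real glitch is messier; this is the simplest useful case. */
static int fault_at = 0;
static int decide(int step, int truth) { return step == fault_at ? !truth : truth; }

/* Branch-free digest comparison: returns 0 only if all n bytes match. */
static uint32_t digest_diff(const uint8_t *a, const uint8_t *b, size_t n) {
    uint32_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint32_t)(a[i] ^ b[i]);
    return d;
}

/* Fail-open: status starts as OK and a single decision is all that denies. */
uint32_t naive_verify(const uint8_t *got, const uint8_t *want, size_t n) {
    uint32_t status = VERIFY_OK;
    if (decide(1, digest_diff(got, want, n) != 0)) status = VERIFY_FAIL;
    return status;
}

/* Fail-closed: status starts as FAIL and two separate decisions must both pass. */
uint32_t hardened_verify(const uint8_t *got, const uint8_t *want, size_t n) {
    volatile uint32_t status = VERIFY_FAIL;
    if (decide(1, digest_diff(got, want, n) == 0))
        if (decide(2, digest_diff(want, got, n) == 0))
            status = VERIFY_OK;
    return status;
}

/* Count the single-decision glitches that let a tampered image verify. */
int count_bypasses(uint32_t (*verify)(const uint8_t *, const uint8_t *, size_t),
                   int decisions) {
    static const uint8_t want[4]     = {0xde, 0xad, 0xbe, 0xef}; /* constructed */
    static const uint8_t tampered[4] = {0xde, 0xad, 0xbe, 0xee}; /* one bit off */
    int hits = 0;
    for (fault_at = 1; fault_at <= decisions; fault_at++)
        hits += (verify(tampered, want, sizeof want) == VERIFY_OK);
    fault_at = 0;
    return hits;
}
```

Redundancy of this kind only forces an attacker to land more than one precisely timed fault; it does not make the check immune to glitching.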
Re: Hacking is such a general term. (Score:2)
Is the hack detectable by Starlink? Since it requires physical access, I suspect that it will be used to unlock previously inaccessible system capabilities. Once Starlink sees this, it can place that dish ID on a blacklist.
So kiss your own Starlink service goodbye.
Re: (Score:2)
> Once Starlink sees this, it can place that dish ID on a blacklist.
It's doubtful that any attacker would be transmitting a legitimate ID. The whole premise is dubious and unlikely anyway, outside of a DoS. Still, Nation States like to DoS comms of their enemies (usually civilians who get too uppity for their tastes) so somebody might try reducing service availability. Reportedly the Azov Battalion is using Starlink to coordinate attacks on civilian centers in Western Russia, so the possibility exists
Re: (Score:3)
Sure, but even if they blacklist the terminal, the satellite still has to receive the packet before it can decide to ignore it.
Also once you control the hardware you can change the identifiers, cloning other people's.
You could also just DOS the satellite by constantly sending random garbage to it, making it impossible for other terminals to talk to it.
"vulnerable" (Score:1)
> Now that the firmware can be examined and hacked to send arbitrary signals to the satellite, the satellites themselves are vulnerable.
Maybe the hacker can pay SpaceX for a trip up to space to capture a StarLink satellite...
Theoretically yes, the satellites could maybe be attacked through an uplink... but how realistically would you go about doing that without some hardware you could experiment on easily? There's no real way to know if you are affecting a satellite in any way with what you send.
You could argu
Re: (Score:1)
You write as if what you say is the only possible situation.
People who do that are often wrong.
They are often blinkered woke cunts like yourself.
Starlink satellites may have separate control and datacomms systems. So bricking the datacomms system would not affect the control system, and Spacex would easily be able to detect the hacking.
Re: (Score:2)
Shouldn't a DOS attack on a satellite be quite simple?
Just transmit enough power to desensitize the receiver and you're done.
Or if you want to brick it, increase the transmitted power even further until the LNA onboard just breaks?
But maybe I'm wrong because otherwise hostile countries would have already done it by now...
hbo (Score:2)
goodevening hbo
from captain midnight
$12.95/month ?
no way !
[showtime/movie channel beware!]
Re: (Score:2)
They use steerable phase-array antennas, which gives /some/ resistance to such an attack. But yes, that would work - at the very least you could cause a localised degradation of service.
If someone is going to do that though, my money would be on a state actor. Maybe Russia, trying to shut down Starlink connectivity in occupied Ukraine. They have the technology, the motivation, and the ability to thumb their nose at international authority. "Us, jamming satellites? No, we would never do that. That array of h
Re: (Score:2)
I think one dish would struggle to produce enough power to damage the LNA. Just pumping out noise will be an effective DOS while it is overhead, but well short of bricking it.
Re: (Score:2)
The dish may be shoddily engineered, but no-one sends sub-par hardware into space. I am quite sure that the satellite's own critical power, communications and positioning systems are entirely physically separate from the Starlink communications equipment. They will just as surely include the capability to remotely shut down power to that equipment, wipe the memory, boot it into a safe mode and overwrite the firmware with an update, all while ensuring not a byte of potentially dangerous data flows in the oth
Re: (Score:2)
And nobody would be mad enough to test an alpha version of their self driving vehicle on public roads with amateurs behind the wheel.
Re: (Score:3)
He's hacking in the old-school sense. He's granted himself access to the hardware he owns so he can look around and learn.
It's a long-standing tradition in the hacker ethos, whether it's a printer, a DVR, a crypto wallet, or a satellite receiver.
There's not a remote exploit here or anything that would cause a consumer-device compromise. If you can get into someone's computer and take it apart all bets are off anyway.
Is ELON an acronym? (Score:2)
Re: (Score:2)
It was written by an astronomer who just finished watching Star Trek 2
is there ANYTHING safe from physical attack? (Score:1)
this sounds like FUD.
just need physical access and to pull apart the dish and to attach hacking hardware to the device. oh Nooooooooooooooos!
Re: (Score:1)
it's an attack on a transceiver so the antenna mod concept can be used on any working antenna, i believe. with some more modifications at least.
Re: (Score:2)
> this sounds like FUD.
That's because you don't understand the discussion.
> just need physical access and to pull apart the dish and to attach hacking hardware to the device. oh Nooooooooooooooos!
It is "oh nos" for Starlink, not so much for you. The "oh nos" for you is not even knowing what this discussion is about, but "contributing" anyway.
Who is to benefit? (Score:2)
Putin appreciates your hard work.
"Hack" means the same as in writing. (Score:2)
Replacing a chip in a single user terminal ain't no Stuxnet, is it?
Who'd a thunk it? (Score:2)
Golly, I took a wrench and a hammer to the engine in my car. I discovered that if I removed part of the intake manifold and replaced it with a home-built gadget and made a bunch of other mods, it runs differently - or even stops running altogether.
Clearly, the car maker made a vulnerable engine that needs security upgrades. How dare they make and sell a product that can be pried open, chopped hacked folded mangled manipulated and [my fave] "spindled". Those idiots thought they were designing, making, and
Dishy McFlatface (Score:2)
Re: (Score:2)
A hammer 🔨 can also hack the device (Score:1)