https://www.wired.com/story/starlink-internet-dish-hack/ Skip to main content Open Navigation Menu To revist this article, visit My Profile, then View saved stories. Close Alert WIRED The Hacking of Starlink Terminals Has Begun * Backchannel * Business * Culture * Gear * Ideas * Science * Security More To revist this article, visit My Profile, then View saved stories. Close Alert Sign In Search * Backchannel * Business * Culture * Gear * Ideas * Science * Security * Podcasts * Video * Artificial Intelligence * Climate * Games * Newsletters * Magazine * Events * Wired Insider * Coupons Matt Burgess Security Aug 10, 2022 10:00 AM The Hacking of Starlink Terminals Has Begun It cost a researcher only $25 worth of parts to create a tool that allows custom code to run on the satellite dishes. * * * * To revist this article, visit My Profile, then View saved stories . SpaceX Starlink internet terminal installed on roof of building Photograph: Nina Lyashonok/Getty Images * * * * To revist this article, visit My Profile, then View saved stories . Since 2018, Elon Musk's Starlink has launched more than 3,000 small satellites into orbit. This satellite network beams internet connections to hard-to-reach locations on Earth and has been a vital source of connectivity during Russia's war in Ukraine. Thousands more satellites are planned for launch as the industry booms. Now, like any emerging technology, those satellite components are being hacked. Today, Lennert Wouters, a security researcher at the Belgian university KU Leuven, will reveal one of the first security breakdowns of Starlink's user terminals, the satellite dishes (dubbed Dishy McFlatface) that are positioned on people's homes and buildings. At the Black Hat security conference in Las Vegas, Wouters will detail how a series of hardware vulnerabilities allow attackers to access the Starlink system and run custom code on the devices. To access the satellite dish's software, Wouters physically stripped down a dish he purchased and created a custom hacking tool that can be attached to the Starlink dish. The hacking tool, a custom circuit board known as a modchip, uses off-the-shelf parts that cost around $25. Once attached to the Starlink dish, the homemade printed circuit board (PCB) is able to launch a fault injection attack--temporarily shorting the system--to help bypass Starlink's security protections. This "glitch" allows Wouters to get into previously locked parts of the Starlink system. Wouters is now making his hacking tool open source on GitHub, including some of the details needed to launch the attack. "As an attacker, let's say you wanted to attack the satellite itself," Wouters explains, "You could try to build your own system that allows you to talk to the satellite, but that's quite difficult. So if you want to attack the satellites, you would like to go through the user terminal as that likely makes your life easier." The researcher notified Starlink of the flaws last year and the company paid Wouters through its bug bounty scheme for identifying the vulnerabilities. Wouters says that while SpaceX has issued an update to make the attack harder (he changed the modchip in response), the underlying issue can't be fixed unless the company creates a new version of the main chip. All existing user terminals are vulnerable, Wouters says. Starlink says it plans to release a "public update" following Wouters' presentation at Black Hat this afternoon, but declined to share any details about that update with WIRED prior to publication. Starlink's internet system is made up of three major parts. First, there are the satellites that move in low Earth orbit, around 340 miles above the surface, and beam down connections to the surface. The satellites communicate with two systems on Earth: gateways that send internet connections up to the satellites, and the Dishy McFlatface dishes people can buy. Wouters' research focuses on these user terminals, which originally were round, but newer models are rectangular. There have been multiple teardowns of Starlink's user terminals since the company started selling them. Engineers on YouTube have opened up their terminals, exposing their components and how they work. Others discuss the technical specs on Reddit. However, Wouters, who previously created hardware that can unlock a Tesla in 90 seconds, looked at the security of the terminal and its chips. "The user terminal was definitely designed by capable people," Wouters says. Most Popular * Mohsin Hamid culture A Glimpse of a Future Without White People Jason Parham * silhouette of man security This Anti-Tracking Tool Checks If You're Being Followed Matt Burgess * FBI in front of trump's mansion security Big Takeaways From the FBI's Mar-a-Lago Raid Garrett M. Graff * contact like cornea science A Bioengineered Cornea Shows It Can Improve People's Sight Emily Mullin * His attacks against the user terminal involved multiple stages and technical measures before he finally created the now open source circuit board that can be used to glitch the dish. Broadly, the attack using the custom circuit board works by bypassing signature verification security checks, which look to prove that the system is launching correctly and hasn't been tampered with. "We're using this to accurately time when to inject the glitch," Wouters says. Starting in May 2021, Wouters began testing the Starlink system, getting 268-Mbps download speeds and 49-Mbps upload speeds on his university building's roof. Then it was time to open the device up. Using a combination of a "heat gun, prying tools, isopropyl alcohol, and a lot of patience," he was able to remove the large metal cover from the dish and access its internal components. Computer chip proccessing board Photograph: Lennert Wouters Under the 59-cm diameter hood is a large PCB that houses a system-on-chip, including a custom quad-core ARM Cortex-A53 processor, the architecture of which isn't publicly documented, making it harder to hack. Among other items on the board are radio frequency equipment, power over ethernet systems, and a GPS receiver. Opening up the dish allowed Wouters to understand how it boots up and download its firmware. To design the modchip, Wouters scanned the Starlink dish and created the design to fit over the existing Starlink board. The modchip requires soldering to the existing Starlink PCB and connecting it using a few wires. The modchip itself is made up of a Raspberry Pi microcontroller, flash storage, electronic switches, and a voltage regulator. When creating the user terminal's board, Starlink engineers printed "Made on Earth by humans" across it. Wouters' modchip reads: "Glitched on Earth by humans." To get access to the dish's software, Wouters used his custom system to bypass security protections by using the voltage fault injection attack. When the Starlink dish is turning on, it uses a series of different bootloader stages. Wouters' attack runs the glitch against the first bootloader, known as the ROM bootloader, which is burned onto the system-on-chip and can't be updated. The attack then deploys patched firmware on later bootloaders, which allows him to take control of the dish. Most Popular * Mohsin Hamid culture A Glimpse of a Future Without White People Jason Parham * silhouette of man security This Anti-Tracking Tool Checks If You're Being Followed Matt Burgess * FBI in front of trump's mansion security Big Takeaways From the FBI's Mar-a-Lago Raid Garrett M. Graff * contact like cornea science A Bioengineered Cornea Shows It Can Improve People's Sight Emily Mullin * "From a high-level view, there are two obvious things that you could try to attack: the signature verification or the hash verification," Wouters says. The glitch works against the signature verification process. "Normally you want to avoid shorts," he says. "In this case we do it on purpose." Initially, Wouters attempted to glitch the chip at the end of its boot cycle--when the Linux operating system has fully loaded--but ultimately found it easier to cause the glitch at the start of the boot. This way was more reliable, Wouters says. To get the glitch to work, he says, he had to stop decoupling capacitors, which are used to smooth out the power supply, from operating. Essentially, the attack disables the decoupling capacitors, runs the glitch to bypass the security protections, and then enables the decoupling capacitors. This process allows the researcher to run a patched version of Starlink's firmware during the boot cycle and ultimately allows access to its underlying systems. In response to the research, Wouters says, Starlink offered him researcher-level access to the device's software, although he says he declined as he had gone too deep with the work and wanted to build the modchip. (During testing, he hung the modified dish out of this research lab's window and used a plastic bag as a makeshift waterproofing system.) Starlink also issued a firmware update, Wouters says, that makes the attack harder, but not impossible, to execute. Anyone wanting to break into the dish in this way would have to put a lot of time and effort into doing so. While the attack isn't as devastating as being able to take down satellite systems or connectivity, Wouters says it can be used to learn more about how the Starlink network operates. "What I am working on now is communicating with the backend servers," Wouters explains. Despite making the details of the modchip available for download on Github, Wouters does not have any plans to sell finished modchips, nor is he providing people with patched user terminal firmware or the exact details of the glitch he used. As an increasing amount of satellites are launched--Amazon, OneWeb, Boeing, Telesat, and SpaceX are creating their own constellations--their security will come under greater scrutiny. In addition to providing homes with internet connections, the systems can also help to get ships online, and play a role in critical infrastructure. Malicious hackers have already shown that satellite internet systems are a target. As Russian troops invaded Ukraine, alleged Russian military hackers targeted the Via-Sat satellite system, deploying wiper malware that bricked people's routers and knocked them offline. Around 30,000 internet connections in Europe were disrupted, including more than 5,000 wind turbines. "I think it's important to assess how secure these systems are because they are critical infrastructure," Wouters says. "I don't think it's very far-fetched that certain people would try to do this type of attack because it is quite easy to get access to a dish like this." Update 5 pm ET August 10, 2022: After Wouters' conference talk, Starlink published a six-page PDF explaining how it secures its systems. "We find the attack to be technically impressive, and is the first attack of its kind that we are aware of in our system," the paper says. "We expect attackers with invasive physical access to be able to take malicious actions on behalf of a single Starlink kit using its identity, so we rely on the design principle of 'least privilege' to constrain the effects in the broader system." Starlink reiterates that the attack needs physical access to a user terminal and emphasizes its secure boot system, which was compromised by the glitching process, is only impacted on that one device. Wider parts of the overall Starlink system are not impacted. "Normal Starlink users do not need to be worried about this attack affecting them, or take any action in response," Starlink says. More Great WIRED Stories * The latest on tech, science, and more: Get our newsletters! * The big business of burying carbon * Laptops are still spying on students * Everything you should know about paxlovid * A glimpse of a future without white people * The rise and fall of a bitcoin mining sensation * [?] Explore AI like never before with our new database * [?] Want the best tools to get healthy? Check out our Gear team's picks for the best fitness trackers, running gear (including shoes and socks), and best headphones Matt Burgess is a senior writer at WIRED focused on information security, privacy, and data regulation in Europe. He graduated from the University of Sheffield with a degree in journalism and now lives in London. Send tips to Matt_Burgess@wired.com. Senior writer * TopicsSpaceXspacehackingblack hat More from WIRED hole in paper 'The Internet Is on Fire' A vulnerability in the Log4j logging framework has security teams scrambling to put in a fix. Lily Hay Newman North Korea on a map glitches with a 404 error code. North Korea Hacked Him. So He Took Down Its Internet Disappointed with the lack of US response to the Hermit Kingdom's attacks against US security researchers, one hacker took matters into his own hands. Andy Greenberg [undefined] You Need a Password Manager. Here Are the Best Ones Keep your logins locked down with our favorite apps for PC, Mac, Android, iPhone, and web browsers. Scott Gilbertson Signage outside a McDonald's Corp. fast food restaurant Ice Cream Machine Hackers Sue McDonald's for $900 Million Kytch alleges that the Golden Arches crushed its business--and left soft serve customers out in the cold. Andy Greenberg An eye mischievously peeks through a Bitcoin B next to the words THE CRYPTO TRAP. The Bitcoin Bust That Took Down the Web's Biggest Child Abuse Site They thought their payments were untraceable. They couldn't have been more wrong. The untold story of the case that shredded the myth of Bitcoin's anonymity. Andy Greenberg silhouette of man This Anti-Tracking Tool Checks If You're Being Followed The Raspberry Pi-powered device can scan for phones around you. If it keeps spotting the same one, it'll send you an alert. Matt Burgess FBI in front of trump's mansion Big Takeaways From the FBI's Mar-a-Lago Raid The fact that a search of Donald Trump's Florida home was even necessary says a lot. Garrett M. Graff tape going in reverse A Long-Awaited IoT Reverse Engineering Tool Is Finally Here Ten years after it was first unveiled, the powerful firmware analysis platform Ofrak is now available to anyone. Lily Hay Newman WIRED WIRED is where tomorrow is realized. It is the essential source of information and ideas that make sense of a world in constant transformation. The WIRED conversation illuminates how technology is changing every aspect of our lives--from culture to business, science to design. The breakthroughs and innovations that we uncover lead to new ways of thinking, new connections, and new industries. * * * * * * More From WIRED * Subscribe * Newsletters * FAQ * Wired Staff * Press Center * Coupons * Editorial Standards Contact * Advertise * Contact Us * Customer Care * Jobs * RSS * Site Map * Accessibility Help * Conde Nast Store * Conde Nast Spotlight * Do Not Sell My Personal Info (c) 2022 Conde Nast. All rights reserved. Use of this site constitutes acceptance of our User Agreement and Privacy Policy and Cookie Statement and Your California Privacy Rights. Wired may earn a portion of sales from products that are purchased through our site as part of our Affiliate Partnerships with retailers. The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Conde Nast. Ad Choices