Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal

Conference:  Black Hat USA 2022

2022-08-10

Summary

The presentation discusses bypassing secure boot using voltage fault injection in the ROM bootloader of a SpaceX Starlink user terminal. The speaker explains the development of a mod chip and a mobile setup that enables and disables the coupling capacitors' voltage and inserts the glitch using the "gold bar" MOSFET. The goal is to encourage others to explore the system and its infrastructure.
  • Bypassing secure boot using voltage fault injection in the ROM bootloader of a SpaceX user terminal
  • Development of a mod chip and mobile setup to enable and disable the coupling capacitors' voltage and insert the glitch using the "gold bar" MOSFET
  • Encouraging others to explore the system and infrastructure
The speaker attempted a live glitching demo during the presentation; the glitch is not deterministic and took several minutes to succeed. They also shared their experience of contacting SpaceX and declining an offer of a YubiKey that would have allowed them to SSH into the user terminal.

Abstract

The SpaceX-operated Starlink low Earth orbit satellite constellation aims to provide satellite internet coverage to the whole world. The widespread availability of Starlink User Terminals (UTs) exposes them to hardware hackers and opens the door for an attacker to freely explore the network. The recent Viasat attack demonstrates the need for satellite communication security and the impact security vulnerabilities can have on UTs that are often deployed in isolated locations. This presentation covers the first black-box hardware security evaluation of the SpaceX Starlink UT. The UT uses a custom quad-core Cortex-A53 System-on-Chip (SoC) that implements verified boot based on the Arm Trusted Firmware (TF-A) project. The early-stage TF-A bootloaders, and in particular the immutable ROM bootloader, include custom fault injection countermeasures. Despite the black-box nature of our evaluation, we were able to bypass firmware signature verification during execution of the ROM bootloader using voltage fault injection. Using a modified second-stage bootloader, we could extract the ROM bootloader and eFuse memory. Our emulation-based analysis demonstrates that the fault model used during countermeasure development does not hold in practice. Our voltage fault injection attack was first performed in a laboratory setting and later implemented as a custom printed circuit board, or 'modchip'. Our attack results in an unfixable compromise of the Starlink UT and allows us to execute arbitrary code. The ability to obtain root access on the Starlink UT is a prerequisite to freely exploring the Starlink network. This presentation covers an initial exploration of the Starlink network and provides some details on the communication links. Other researchers should be able to build on our work to further explore the Starlink ecosystem. The documented attacks were performed within the scope of the SpaceX Bug Bounty program and were responsibly disclosed.
