In the same way that me turning off secure boot on my desktop means free Netflix for everyone and we should shut down Comcast until there's a fix.
This is a cool attack, but (so far) no more than that. I'd expect that the SpaceX security team is over there putting in some glitch resistant compares at the moment, assuming they haven't already.
> meaning everyone of those floating satellites needs to be brought back down and modified
Don’t they have a fairly short operational lifetime, thanks to increased drag from being in LEO? IIRC it’s around 5 years. I believe that’s part of the reason for the high launch cadence. Worst case they just limp along with what they’ve got until they’re all replaced with new satellites.
This demonstrates that a determined attacker can get access to the software running on their own personal terminal. That's like a determined attacker being able to get access to their own personal router. It sounds like strictly a good thing and with how many satellite internet companies are coming online we will hopefully see some common hardware devices that users have full access to along with some custom firmware that folks can run on them.
This has almost nothing to do with the security of the satellite constellation itself.
That's not necessarily true. Hacking the ground station means in all likelihood getting access to low level protocols between the ground station and satellite, which potentially means getting the ability to affect the satellites. Not a sure thing, but if I wanted to attack a StarLink satellite, this would be a solid first step in doing so.
Do you write a comment like that every time someone roots a cable modem too? That seems a little over the top.
This is an exploit of the base station device. It seems that it might be used to grant access for which the owner hadn't paid, but that's also something that can be trivially patched around at the routing level ("sure, it's a valid base station, but if it's not on the list of paying customers it doesn't get packets"). It doesn't seem like there's a broader exploit against the network at all, beyond allowing the thing to attempt a DoS attack (something that is also always possible with jamming hardware, but very difficult in practice given the number of satellites).
That was never considered a large part of the funding. That would simply have been some additional income over the next decade. And it's not happening now anyway.
And given the limited capacity, they might as well use that capacity for other customers.
Eh, low-threat hack. Requires physical access to the dish and installs a piece of easily identifiable hardware. Tbh, give unfettered access to most hardware and you can hack it.
The value of this attack isn't breaking into the terminal itself, but that it allows the end user to modify the control channel to the satellite. It allows internal inspection of the protocols, authentication, data formats, etc between the terminal and the satellite itself.
I assume that the actual received and transmitted packets from the terminal are encrypted so "outside in" inspection is very very difficult.
I think he meant what he would like to happen not when he predicts will happen. "I expect you to behave yourself" not "I expect that you will behave yourself".
"We will happily ship a Starlink kit to any customer that purchases one. With Starlink kits all over the world, we don't have much control over what users do to them. History shows us that it's hard (and maybe impossible) to make devices completely resilient to persistent attackers with unrestricted physical access – the attacker just has too much power when they have infinite time to modify the hardware. In the limit they could always just build their own user device from scratch, though we know from experience that it's pretty hard to do so. Ultimately, the only way for us to build a secure system is to assume that attackers will eventually get into the Starlink kit, and add additional layers of defense-in-depth to protect our network and the other users within it. Other parts of the Starlink network, like satellites, might be more difficult for a consumer to get their hands on, but similarly are built with layers of defense.
To provide these additional layers of protection, there are a number of security properties that we believe are important both in the Starlink kit and in the rest of the system"
When I worked at SpaceX, lots of software folk used an internal IRC server. One time I created a chatbot that would execute arbitrary python commands on my workstation. Knowing that coworkers would maliciously try to pwn my computer, I ran it in a chroot with very restricted permissions. It took about 20 minutes for someone to figure out how to fork bomb it hard enough to lock up my system.
Another time as a team building activity, we were using mission control and backup mission control to play a multiplayer space ship bridge simulator game. My team was winning, up until our terminals started failing. Someone on the other team had credentials to the IT system, and was remotely rebooting them.
I know it's somewhat unlikely, but I was replying to someone who couldn't even see the potential value of a hacked terminal as the entry point to an attack chain.
You are completely right about the potential magnitude of the hack, but my first approach was purely as an individual consumer, this doesn't affect me. Seeing this as an engineer...yikes
Even Sony doesn't consider its terminals trustworthy.
They really don't want you to root your PlayStation, but that's mostly because it allows you to hack offline games. Hacked consoles are usually banned pretty quickly from online services.
It doesn't mean Sony has the best track record when it comes to security just that they are not completely clueless.
I was a big fan of modded playstation portables back in the day, to do it you would take a particular model of battery and remove one terminal or something similar which would activate a debug mode that let you flash it.
They fixed that with the newer batteries as I recall, but it was a pretty big hole at release.
Ah, the old and beautiful Pandora battery. It was magic, you could recover every bricked PSP with it, I hate that no other device can do something like that.
DEF CON goon here. Sometimes our presenters provide the link to a private GitHub repo to the press in advance of their presentation. After the presentation they make the repo public.
Might be better to encourage a placeholder repository to avoid concerns from the public such as this, but as long as the presenter ultimately controls the namespace it is not really at issue.
They get to dictate to Microsoft what is and isn’t allowed on github.com. Microsoft will not fight a 1A battle against one of their biggest and oldest partners.
Not only are they one of their largest customers, they have physical control over the place where Microsoft and GitHub staff live and work.
... you mean the US, possibly allies? Not only is that broad enough to be meaningless, I don't know offhand of any military going to someone's house to require them (by force I assume) to change their GitHub repo name. What are you getting at?
archive.org only ever captured 404s for that page. I wonder if it was a typo in the article. Does Starlink use TI's SimpleLink? Because there's a very similarly-named repo doing similar fault injection here: https://github.com/KULeuven-COSIC/SimpleLink-FI
Wondered that too, but the presentation slides make no mention of anything related to SimpleLink. Then again, there could be more under the hood than just what the slides themselves describe. Close but probably not a match.
Repository is live now. Commit cbde04c9bc45ea54cc509a65247c62a82f64bca9
From README
> We are not providing exact glitch parameters. The presentation slides contain various hints and the parameters will vary depending on how you patch the firmware.
Some may see this as capitulation towards Starlink business interests but a more benign reason could involve the glitch parameters varying based on various hardware factors and as stated the execution of firmware as well.
This is quite impressive and congratulations are well deserved.
Now the fun part can start. This work opens a door to the user segment, I can't wait to see what's behind it and hope for Starlink that their C2 and user segments are well isolated. Let the fuzzing begin.
The article compares the Russian jamming of Viasat with the compromise of a Starlink UT. No, no, no... This is really wrong!
> As is typically the case with any technology, the increase in use and deployment of Starlink and other satellite constellations also means that threat actors have a greater interest in finding their security holes to attack them.
> Indeed, Russia saw an advantage in taking out a satellite providing internet communications across Europe by attacking its technology on the ground as Russian troops entered Ukraine on Feb. 24.
Viasat orbits at 22,000 miles, Starlink is in LEO. Precisely for this reason Starlink is naturally more resistant to jamming, and is used in Ukraine because of this.
Locally compromising a UT is a hack of an endpoint connection device, which has nothing to do with ELINT and electronic warfare activities (which is an entirely different kind of attacks for satellite networks).
The attack on Viasat was not related to its GEO vs LEO situation, or blocking signals, it was an attack specifically on the consumer devices to disable them.
There's no reason that Starlink is any less susceptible to that. The attackers got into a terminal management network and issued various commands to shut down the endpoints. There's no reason an LEO constellation is more or less susceptible to this type of attack than a GEO system.
The Russian approach is hybrid: in addition to the use of jamming (they use Divnomorye, Leer, Moskva, Krasukha, ...), traditional hacking is used to extend the damage range beyond what can be obtained through pure electronic warfare.
In the case of Viasat they had access to a badly configured VPN appliance and used it to deploy on the terminals. Which is a classical case of network compromise, not a direct hack of the user devices.
Also considering this aspect the comparison is not there: it's a local access to the hardware vs an "I own your infrastructure and I'm able to deploy my firmware".
> Also considering this aspect the comparison is not there: it's a local access to the hardware vs an "I own your infrastructure and I'm able to deploy my firmware".
Yes, performing this reverse engineering requires physical access. But it potentially enables one to find further vulnerabilities and systems knowledge necessary to build attacks that brick network terminals or otherwise disrupt the network. Russia's action proves these attacks are viable and useful (even if an authenticated management vector was used).
Your original comment about the constellation height was a non-sequitur: we're talking about threat actors' attacks on end-user terminals. The article makes clear ("on the ground") that this is what it was referring to.
Yes, jamming, etc, are also useful attacks that threat actors use but not what we're talking about.
> The article compares the Russian jamming of Viasat with the compromise of a Starlink UT. No, no, no... This is really wrong!
This is a bit misleading. The article mentions the Viasat hack in the next-to-last paragraph of the article before the update in the context of satellite security more broadly:
> "As an increasing amount of satellites are launched—Amazon, OneWeb, Boeing, Telesat, and SpaceX are creating their own constellations—their security will come under greater scrutiny. In addition to providing homes with internet connections, the systems can also help to get ships online, and play a role in critical infrastructure. Malicious hackers have already shown that satellite internet systems are a target. As Russian troops invaded Ukraine, alleged Russian military hackers targeted the Via-Sat satellite system, deploying wiper malware that bricked people’s routers and knocked them offline. Around 30,000 internet connections in Europe were disrupted, including more than 5,000 wind turbines."
> Viasat orbits at 22,000 miles, Starlink is in LEO. Precisely for this reason Starlink is naturally more resistant to jamming, and is used in Ukraine because of this.
Orbit height is incredibly and completely irrelevant to the ease of breaking into systems...
Starlink, by its nature of using phased array antennas, is inherently pretty hard to jam through traditional means. Not impossible, but more difficult than older systems with simpler antennas.
Buuuut.... If you wanted to jam starlink, then having full access to a terminal would be a really good start....
For example you could modify the terminal to transmit at the exact time another user is supposed to be transmitting, therefore clobbering their data and DoS-ing them.
The transmission schedule of exactly which user should be transmitting in which slots is probably transmitted with a single encryption key the terminal has access to.
Essentially these chips are locked by setting certain flags in memory. Various flags control various peripherals, including a flag to disable read/write access to the firmware. Obviously once you disable access, it’s permanent because you don’t have access to reenable it.
This side channel attack takes advantage of a flaw in the actual silicon, where branches can be skipped if the power is altered momentarily. So if you skip that first check, the attacker has low level firmware control.
(This was also how the firmware was dumped on the Apple AirTags)
The only mitigation is to use a chip that doesn’t suffer from this flaw or change the software to prevent “root” access even if an adversary has access to the entire firmware (ie do things server side)
Xbox 360 had the reset glitch hack where if you power cycled the chip at exactly the right timing you could run unsigned code. It required a small mod chip soldered to some of the smallest points on the motherboard that I have ever soldered. Different versions of the 360 worked better, but most worked even if it took a minute or so before the glitch worked and booted into custom firmware. Mine worked really well and booted first try almost every time. I was very proud to successfully install it and watch my 360 boot into FSD, a custom OS that allowed me to play all my games from a HDD.
Yep - the Switch had an issue in the mask ROM / first stage bootloader too, but it was a traditional software one, where the recovery mode bootloader passed an unverified length to a memcpy and smashed the stack.
You can make the code more robust. For example, instead of a yes/no check, make the check come up with a symmetric crypto key to decrypt the next chunk of code (if it also passes a hash check). Glitches will end up generating garbage, and even if you successfully glitch the hash check, you're executing random garbage.
Of course, the challenge there is that you've merely eliminated one glitching candidate.
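Added example (mine, not from the talk, the slides or any SpaceX code): a simulation of the two boot designs discussed in this thread, the plain yes/no gate that a single skipped branch defeats and the "check result becomes the decryption key" variant suggested above. The fault model is the one the thread describes: the attacker can make exactly one compare go the wrong way, represented here by the `glitch` flag. The FNV-style hash, the XOR keystream cipher, the `STAGE2-OK` marker and the fixed `k_dev` in ROM are toys standing in for a real digest, AES and OTP key material; they are assumptions, not anything the terminal actually uses.

```c
/* Added example (not from the talk, the slides or any Starlink code): a
 * simulation of the two boot designs discussed above. The fault model is the
 * thread's: one compare can be made to go the wrong way (the 'glitch' flag).
 * The hash, the cipher and the key values are toys standing in for a real
 * digest, AES and OTP key material; all of them are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STAGE_LEN 16
#define MARKER_LEN 9
static const char STAGE_MARKER[] = "STAGE2-OK";
/* Constructed sample stage image: marker followed by "code" (15 chars + NUL). */
static const uint8_t GENUINE_STAGE[STAGE_LEN] = "STAGE2-OK jump!";

enum outcome { HALT = 0, RUNS_GENUINE = 1, RUNS_ATTACKER = 2, RUNS_GARBAGE = 3 };

typedef struct { uint64_t expected; uint64_t k_dev; } rom_t;  /* boot ROM / OTP contents */

/* Toy 64-bit FNV-1a; stands in for a real digest (assumption). */
uint64_t toy_hash(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Toy keystream cipher: XOR with hash(key || counter). Stands in for AES-CTR
 * (assumption); encrypt and decrypt are the same operation. */
void toy_xcrypt(uint64_t key, const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint8_t blk[9];
        memcpy(blk, &key, 8);
        blk[8] = (uint8_t)i;
        out[i] = in[i] ^ (uint8_t)toy_hash(blk, 9);
    }
}

/* Design A: plaintext image behind one yes/no gate. Returns 1 if the image
 * as stored is handed control. */
int naive_boot(const uint8_t *img, uint64_t expected, int glitch) {
    int ok = (toy_hash(img, STAGE_LEN) == expected);
    if (glitch) ok = 1;                 /* skipped branch: the gate opens */
    return ok;
}

/* Factory step for design B: store the stage encrypted under k_dev and
 * record the digest of the ciphertext as the expected value. */
void seal_image(const uint8_t *plain, rom_t *rom, uint8_t *ct) {
    toy_xcrypt(rom->k_dev, plain, ct, STAGE_LEN);
    rom->expected = toy_hash(ct, STAGE_LEN);
}

/* Design B: the check is folded into the key instead of a flag. key == k_dev
 * exactly when digest == expected; a patched image gives a key that is off
 * by the digest difference and decrypts to garbage. The marker check that
 * follows can still be glitched, but that only lets the garbage run. */
int keyed_boot(const uint8_t *img, const rom_t *rom, int glitch, uint8_t *out) {
    uint64_t key = rom->k_dev ^ toy_hash(img, STAGE_LEN) ^ rom->expected;
    toy_xcrypt(key, img, out, STAGE_LEN);
    int ok = (memcmp(out, STAGE_MARKER, MARKER_LEN) == 0);
    if (glitch) ok = 1;                 /* same fault; it cannot repair 'out' */
    return ok;
}

int stage_is_genuine(const uint8_t *out) {
    return memcmp(out, GENUINE_STAGE, STAGE_LEN) == 0;
}

/* One end-to-end scenario: 'tampered' patches one byte of the stored image,
 * 'glitch' forces the gate's compare to pass. Returns what ends up running. */
int run_scenario(int keyed, int tampered, int glitch) {
    uint8_t ct[STAGE_LEN], img[STAGE_LEN], out[STAGE_LEN];
    rom_t rom = { .expected = 0, .k_dev = 0x5eed5eed5eed5eedULL };  /* toy device key */
    seal_image(GENUINE_STAGE, &rom, ct);
    memcpy(img, keyed ? ct : GENUINE_STAGE, STAGE_LEN);
    if (tampered) img[STAGE_LEN - 1] ^= 0x01;   /* attacker's one-byte flash patch */
    if (keyed) {
        if (!keyed_boot(img, &rom, glitch, out)) return HALT;
        return stage_is_genuine(out) ? RUNS_GENUINE : RUNS_GARBAGE;  /* 'out' is what executes */
    }
    if (!naive_boot(img, toy_hash(GENUINE_STAGE, STAGE_LEN), glitch)) return HALT;
    return tampered ? RUNS_ATTACKER : RUNS_GENUINE;  /* plaintext image runs as stored */
}

int main(void) {
    const char *name[] = { "halt", "genuine code runs", "attacker code runs", "garbage runs" };
    for (int keyed = 0; keyed < 2; keyed++)
        for (int glitch = 0; glitch < 2; glitch++)
            printf("%s design, patched image, glitch=%d: %s\n",
                   keyed ? "keyed" : "naive", glitch, name[run_scenario(keyed, 1, glitch)]);
    return 0;
}
```

The keyed design does not make the device unglitchable; it changes what a successful glitch buys. It still rests on `k_dev` not being readable once the attacker is executing anything, and on there being no separate branch between decryption and the jump that can be skipped, which is the "merely eliminated one glitching candidate" point made above.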
Stuxnet had code blocks that were encrypted by a hash of target hardware identifiers. No way to know what code is contained until it happens to run on the target system.
Agreed, usually if they have hardware access it’s gonna be cracked eventually. Hard to imagine a system that was truly unhackable with infinite unrestricted physical access.
Usually equipment that has to be robust against this attack will have things like tamper switches that wipe storage keys and brick the device if it’s opened. I’d assume they also have software tripwires too if you manage to get the access you need (for instance if you drilled holes through the enclosure to access areas you needed without opening it - although if you really wanted to stop that you can do things like potting much of the board in epoxy that is extremely difficult to remove without destroying things).
This particular glitch seems to rely on Unix shells not differentiating between false test and failure. Implementing this in any other language would have avoided this particular glitch.
I read the article as well as the DEFCON presentation. I still don't know how they used voltage fault injection to bypass the secure boot. Anyone care to explain?
This is what I found at the top of an internet search:
Under voltage fault injection - "In general, single instruction skips are easily achievable, though skips of multiple nearby instructions are more difficult to induce and control."
Your link contradicts that (or at least has NASA denying it):
> However, NASA officials in charge of the day-to-day operations of the ROSAT mission at Goddard, including GSFC Rosat Project Scientist Rob Petre, say definitively that no such incident occurred. Talleur's information appears to have come from one of his interns who exaggerated a hacking incident on an office computer not related to flight operations.
From what I've heard, there are many vulnerable old satellites orbiting around the earth. The attack hasn't happened simply because communication equipment is out of reach for a malicious individual and there is no way he can hide the act.
I'm sure it will never happen but it would be awesome if they would release an 'open' terminal under the same auspices of commercial SDR transceivers. I'm curious if these could be used for very localized doppler radar.
You can build a simple Doppler radar yourself today using a couple of SDRs, but sophisticated phased arrays are the kind of thing that makes for pretty good military equipment. I doubt an open one will come on the market (legally) soon.
Just say you’re doing high resolution of metamaterials for science. Materials resonant at the target radar band, because that wavelength is easier to manufacture/economically useful/etc.
I think you’re more likely to find a job than trouble — SBIR has a bunch of grants in that area. (Last I looked.)
How narrow of a beam is attainable with this? What shape is the beam? How good is that clock chip? I wish I knew more about this stuff at the theory level. A cheap and hackable phased array sounds very cool to experiment with.
Cable modems were easy: all you needed to do was JTAG them. I don't think any glitching was required.
The approach used for the Starlink terminal is more like what was done to reprogram satellite TV smart cards. Get a copy of the ROM, count the processor cycles and find where the operation you don't want happens, and mess with the voltage or frequency at that point to let you send in unsigned/unauthorized updates.
And remember how the cable companies completely fixed it? Starlink already seems to do the right thing to prevent cloning and unauthorized access. Secure chip (STSAFE) and mTLS for talking to internal services. Maybe researchers will find some bugs in their services but they will be patched quickly.
The article specifically uses the phrasing "uses off-the-shelf parts that cost around $25". It doesn't say anything about the cost to develop, it doesn't say anything even slightly misleading or ambiguous about this.
Like, what should the article have done instead? How could it possibly be clearer and more explicit about what $25 referred to here?
It may cost $25 to deploy the hack after it has been developed. It's a mere $25k to deploy 1000 instances of it, or even cheaper due to economies of scale.
I have quit the software industry and now get paid what people _should_ get paid for software which is a small fraction of what I was being paid before. By choosing to work on actual real problems, instead of partaking in the pseudo-intellectual clout chasing contest that is the tech industry, I have discovered the real value of software which was never much to begin with as I assumed it was when I was a kid.
tl;dr yep, he could have been shoveling CRUD shit and making more money, or implementing high end algorithms within broken operating systems, or implementing high end algorithms with insufficient education or time to prove them, while getting dumber
scratch that he got a bug bounty for his work so his net gain is equal. check mate
This is how you properly engage the security community. In times where journalists are taken to court for looking at a webpage’s HTML source it’s really great seeing a company that “gets it”. Kudos.
I will never understand why bug-bounty hunters work for such a low pay. They are doing the hard work for peanuts and absolutely no benefits or long-term incentives. $25k per bug, while the CEO and friends are going to make billions from this.
At least if you find a bug, go and exploit it and bring the satellite down. This way we can all have some fun, not just the VPs sitting on the company board. And then they call their conferences with menacing names such as 'Black Hat' or 'DEFCON'. Sounds more like pony-con to me.
Hacking in the older "using a device in an unexpected/unsupported way," not "black-hat hacking" I guess. Typical over-dramatic Wired. Hats off to this guy, hardware hacks always impress.
These days, you pretty much have to "attack" some systems just to be able to "hack" them due to the modern propensity to put intentional road blocks in the way of anyone who wants to modify something they own.
There is an argument to be made that if a word has a very widely-known meaning, and a very niche meaning, then the niche usage requires clarification even among the niche group that invented the niche meaning.
For example, when there is a certain word that you and your peer group use as an in-joke, you usually have to wink or smirk to invoke the joke meaning, that acts as a signal to the group to resolve the word to its group-specific meaning.
In your defense, most media—especially media for general consumption—has spent most or all of my lifetime mostly using the term to mean something like "illegal or nefarious activities," often involving things that you or I might not even consider hacking.
Yeah I can totally see what you mean, the most popular definition is the nefarious one, and news websites always try to get more clicks. Although I have given them the pass on this occasion since their use of the word is technically correct.
IIRC this website was born of a novel use of the term 'hacking' in the startup space- hacking business growth.
Here, hacking is a more well established term- hacking networking hardware is something I suspect most people would associate with black-hat type hacking.
No, Hacker News was named after the people who enjoy doing clever things with computers.
At the time, using "hacker" to mean a black-hat was popular in the press, but not among actual hackers. And "growth hacking" was a metaphor for doing clever things to get growth, but not the primary association with "hacker".
I don't think so. Recall pg wrote "Hackers and Painters" before founding ycombinator and was/is a pretty well known Lisp hacker. I'd be surprised if he meant business hacking when he named this site.
Locking down user terminals is one part of starlink security. Breaking that is a huge accomplishment. It appears that the other layers still prevent this from being a full blown attack, but that may just be a matter of time.
Sure, but an attack to do what? Even with full hardware access there's nothing that can be done with the network itself, nor can it be used to snoop on other users, nor does it give some access to the satellites themselves. It's akin to rooting your ISP provided modem.
If you root your ISP provided modem, aren’t you one step closer to exploiting some bug in DOCSIS? Similarly here wouldn’t you be one step closer to exploiting the “network itself?” (Air-quotes because I’m not actually sure what that means in this context.)
Yes, for some definition of the word hacking, because one of the underlying assumptions of the 5G network is that all of the devices operating on it are subject to local regulatory rules (won't behave badly on that spectral region) and rooting your Android phone could potentially give you access to do unacceptable things with the radio, up to and including interfering with other devices using the network.
I guess my point is that this is trivially easy to do but 5G networks in practice have no problem chugging along supporting a bunch of user-controlled devices.
Practically speaking, roughly 100% of those devices are fully regulator-approved and compliant with standards, because roughly 100% are running firmware from vendors who rely on regulatory approval.
Essentially 0% of those devices are user-controlled in the "I can make the radio do whatever I want" sense.
I suppose that depends how you define “chugging along.” They might be relatively stable and safe from DDOS, but malicious devices can certainly do damage to other users of a network, in some cases without even connecting to it.
For example, an IMSI catcher isn’t technically _connected to_ any cell network, but it does exploit the assumptions of clients who attempt and expect to connect to one.
They are using a layered model. Giving an attacker access to communicate directly with your satellites and send specially crafted packets is giving them a really useful tool.
The response from Starlink[0] was pretty amazing. I love this quote:
"we want to congratulate Lennert Wouters on his security research into the Starlink user terminal – his findings are likely why you're reading this, and help us create the best product possible."
A lot better than companies that would try to prosecute him..
Full of good sense. They do try to control the terminal to do a secure boot:
> We want our devices to only run software that we wrote. This isn't like a personal computer where the user can install apps or save files – the only software we want to run on our devices is software that we've explicitly built, tested, and signed off on.
> The same concepts that go into secure boot on our satellites are also useful on the Starlink user terminals. Even though we know that an attacker with persistent and invasive physical access will eventually be able to defeat secure boot on their own device, the protections of secure boot are still valuable for protecting against remote attacks over the Internet (or over wifi). There is a big difference between being able to take your own device off your roof and attack it, vs. someone else being able to compromise your device without you noticing.
But recognize that it's not foolproof:
> We expect attackers with invasive physical access to be able to take malicious actions on behalf of a single Starlink kit using its identity, so we rely on the design principle of "least privilege" to constrain the effects in the broader system. We treat Starlink user terminals as inherently untrusted and only expose the minimal necessary information and capabilities to each specific client.
The article talks about the researcher "exploring the Starlink network" as if there's a screen on the satellites that will suddenly display "Access Granted" with a blinking cursor now that he's achieved root on his own dish. Getting access to the dish is an important step if the former is to be achieved, but it's by far the easier of the two steps.
Step 1: Why does Google Chrome on KDE/GNU/Linux refuse to allow me to copy text from this PDF??? So f-in annoying!
That PR says: <<from embedded Linux running hundreds of thousands of computers in space>>
Are these "computers" strictly controlled/owned by SpaceX? If yes, are there multiple computers per satellite? Please help me to understand this claim. In 2022, I assume when someone says "computers" they mean kernel count.
An article from 2020 [1] claims that they had "32,000 linux computers" in orbit. At that time they had 480 satellites in orbit, so ~66 "computers" per satellite. That would put us at about 180,000 computers today.
Satellites definitely have multiple computers onboard. Their design philosophy evolved from aircraft, which tend to use discrete computers for different tasks: communications, navigation, data logging, etc. That's not counting the computers providing whatever the satellite's mission is, and they almost always have redundant hardware to make up for failures, which are common in space. So there are definitely far more "computers" in space than there are total satellites. Are there "hundreds of thousands"? I'm not sure.
Yes, triple redundancy for critical systems is typical for space applications.
With small computers being relatively cheap and lightweight, I suppose a satellite has a highly available internal computing configuration, with large level of redundancy, capable of functioning even after serious hardware degradation.
I see a lot of articles that quote the cost for hacking a product or service. I feel like these types of titles undermine the effort that took place. Surely the lab Wouters used had tools and processes that aren't cheap, nor would you consider his expertise inexpensive.
I'm not impressed by a PCB board being cheap. Does anyone else feel this way about similar headlines?
Interestingly, either H/N changed the submission title, or the article itself changed their title to reflect the content of the article better. Is there a way I can check which happened in the last few hours?
I think the point is that anyone with $25 can hack Starlink once the script or instructions are published online. Information costs almost nothing to publish/ share so it's the cost of the hardware that matters.
I think it's useful to differentiate between attacks anyone can do with common hardware and things like smartcard attacks that you can only do with access to an electron microscope.
Yes and no. Is the $25 increasingly irrelevant? Sure. Is it clickbait-y? Yes. Does it matter because it might make it more widespread? It probably still does.
Absolutely. This modchip is just a raspberry pi plus a couple parts. You'd have to try hard to get it to be expensive. The BOM for most embedded systems is going to be cheap unless you need some exotic hardware. It really does seem to ignore the amount of time this guy spent to get to figure out what parts he needed and where to solder them. If it was developed by a company instead of an individual, you can bet it wouldn't have cost "only $25 to develop".
The original hacker might have needed a lot of specialized, highly valuable knowledge, but what $25 means is that almost anybody can do the same with some instruction even if they couldn't come up with the instructions or even don't understand what they are doing.
It shouldn't count as a vulnerability that you can get root of a device that you have physical possession of. If there's any real vulnerability here, it's that having root of your terminal gives you any extra privileges to the rest of the network.
I'm convinced that it's impossible to prevent anyone that can physically tamper with a system from having full privileges on that system, as a result of physics. The only way to truly protect information is to make use of quantum effects, and we've only just started doing that in labs. Everything else is just making it harder.
So, if you make things harder and someone comes along that invests more effort to overcome, can you really call that a vulnerability? It'd be a real vulnerability if with this access to a user terminal they could elevate permissions on the satellites, but that hasn't been shown (yet?).
Yes. Vulnerabilities exist with respect to a system's expected functionality and must be understood and weighed against other requirements to determine the system's security model. Even if you think the expected functionality is stupid or impossible, that doesn't change the fact that the system has a particular expectation that it doesn't meet and a mechanism by which that expectation can be violated, i.e. a vulnerability.
To put it another way, consider physical locks, which must inherently be able to resist direct physical tampering by an adversary. Under your definition, no flaw in a lock could be considered a vulnerability since any lock can eventually be cracked. The problem is that this doesn't provide us any useful insight, it just makes the word "vulnerability" useless. It's already well-known that any lock can eventually be cracked, but tradeoffs still have to be made in deciding which lock to use for a certain situation.
No lock is expected to be able to keep an adversary out indefinitely, since that's known to be completely impossible. They're expected to delay an adversary by a given amount of time, e.g., 2 hours for a UL class 3 vault door lock, and a vulnerability is if there's a way for an adversary to bypass one faster than that. The problem with a security model that relies on people never being able to root devices they possess is that it is expecting the impossible.
> So, if you make things harder and someone comes along that invests more effort to overcome, can you really call that a vulnerability?
Yes? This is defense in depth. Anything that bypasses a defense is still a vulnerability, even if your backup defenses protect you.
Defending physical hardware is indeed a theoretical impossibility as on paper, it will always be possible to make a perfect electrical clone of the original hardware and then modify it to suit. However, reality is different, and mitigations against physical access have become much more effective in recent years (iPhone anti-jailbreaking and the Xbox One come to mind as fairly successful).
So, this is a vulnerability indeed, just not a high severity one. One layer of the defenses is bypassed, but the remaining defenses remain.
If a system is not resilient against rooting a terminal which is in a user's physical possession, it's a design flaw. Or, rather, the more resilient the system as a whole is to compromises of individual terminals, the better the design is. Assuming such compromise never happens would be outright incompetent.
You may want to protect end users against implants and other attacks from physical tampering with their terminals.
You might not want hostile parties to have an easy time reverse engineering terminals so they can more easily search for remote vulnerabilities in the terminals.
You may not want to hand hostile parties a phased array optimized to transmit to Starlink running arbitrary software of their choice, along with keys identifying the terminal, because even though you think the satellites and authentication mechanisms are robust, making it hard to get this information adds defense in depth.
Certainly. Best defence is layered. It makes every layer an impediment for an attacker, but does not fail completely if a layer or two is breached. Among other things, it buys time to react.
I have to agree to be fair. Physical access is obviously incredibly different than exploiting a vulnerability, even a particularly egregious design flaw. Wouters has to literally short the board.
That said, it is a clever approach and it’s good it was discovered by someone without nefarious intentions.
I think we left that level a long time ago, where one could answer:
The system is in a physically secured location. As long as there is no physical access it should be safe.
See mobiles like iPhones, gaming devices like Xbox, PlayStation etc., authenticators like chipcards or security tokens, and HSMs.
All have to assume that the attacker has physical access to the device.
Security Engineering Ch. 16 "Physical Tamper Resistance" is a good read for some special classes of devices.
But I would recommend all topics from this book even unrelated to this thread. ;)
Microsoft and Sony appear to have solved it for their gaming consoles. Satellite TV providers definitely solved it by now after learning from their mistakes.
All in all there are plenty of devices in the world that are protected against physical access, so if Starlink tried doing that and failed, then that's definitely through an exploited vulnerability.
Using this table for reference and the fact that proper smartcards like banking cards and SIM cards are secure I'm pretty confident calling modern CA systems secure too. If some providers don't have one of those, then it's probably because it's not worth it for them to switch or upgrade.
EDIT: More than that, some recent ones even solved so called 'card sharing' which is basically using a legitimate card to transmit control words over network to many users.
I'm not saying the modern CAMs have been compromised, just saying the profit incentive has dwindled. For a while, entirely non-OEM receivers were being used with key distribution over the internet. But at that point, just get a black market IPTV subscription. Compromising the cards has a fraction of the value it used to, and there are more 'locked down' targets in other devices to focus one's skills at.
Handwave all you want, but the topic at hand is a possibility of securing devices against physical access attacks. And it's not only possible, it's pretty straightforward if you don't suffer from NIH syndrome.
And as an example satellite TV providers did it (or acquired a license for it). If you're saying that incentives to hack them aren't there anymore, then that's just wrong because the foundation on which such security is based on affects many things.
Declining popularity of SatTV as a whole in a particular country is neither here nor there. If the hacker mentioned in the article could hack a CA system, he would've.
> Microsoft and Sony appear to have solved it for their gaming consoles
Have they? I know Apple and Nintendo have been trying for years and we have jailbreak and Homebrew; I believe there is even a jailbreak for the Nintendo Switch.
If there isn't yet an exploit to gain root on Xbox and PS5, it's only a matter of time.
>If there isn't yet an exploit to gain root on Xbox and PS5, it's only a matter of time
Xbox One didn't have a root exploit for its entire lifetime and counting. It was released back in 2013. That's nine years. So one could say MS "solved it".
Yeah this is a typical article where the author gets all excited and explains the technical details of the "hack", because it can be called a "hack". But it seems nothing was done here other than some reverse engineering and bypassing tamper proofing to gain access to his own OS.
The iPhone is built to be resistant to physical attacks, such as decapping chips or inserting compromised chips. It's an advertised, first class feature that simply having the iPhone shouldn't give you access to its contents or let you circumvent its security measures.
This is different than a Starlink base station. Base stations aren't built to be hardened against physical attacks, and are rather intended to be untrusted links to the satellites.
So it's kind of in a grey area, but I would also not consider this a vulnerability of the Starlink base station itself, in the same way that rooting an iPhone with physical access would be a vulnerability.
How many versions of the iPhone were required to become resistant to jailbreak? SpaceX should have a leg up on the sins of the past, but it's an entirely different concept / product. The security improvements are on a curve of maturity; I imagine software and platform management will mitigate this until hardware updates are released. I will say Starlink customers shouldn't have to pay exorbitant upgrade costs due to security vulnerabilities in past hardware. That is an ethical boundary SpaceX must not cross.
> Curious why an iPhone hasn't been susceptible to this type of hack before?
The answer is probably, "it's complicated." These sort of hardware hacks are quite clever, and typically depend on using chips in unintended ways -- I mean most circuits will have some undefined behavior if you start shorting parts!
There are lots of reasons an iPhone might not get a widely popularized exploit like this. Firstly it might be low-priority -- iPhones are general purpose computing devices, so there are usually software bugs for people who want to root their iPhones. Second, it might legitimately be more difficult. Apple has lots of experience in hardware, their circuits might be more robust. And iPhones are quite tightly integrated, it might be hard to sort out which parts you need to short when everything is on a handful of chips.
This reads to me like the (more complicated but ultimately) equivalent of "a user reverse engineers the website's javascript!". As in, this allows the user to mod their client but it doesn't change anything for anyone else, and wasn't meant as a real secure element. I'd assume that getting root access to the user terminal gives them no additional privileges to access the actual Starlink data & control planes.
It might allow them to do things like connect to the Starlink network outside of their geofence. Or hacking a stationary antenna to work on a moving vehicle.
> connect to the Starlink network outside of their geofence
I was wondering about that but can't they determine the location "server side" by triangulation? Or maybe they could in theory but they don't in practice?
For the satellites this is true, but it's not necessary for the clients to be geolocated when the satellite is operating as a bent pipe. Starlink will know which clients are in which footprint and can locate anybody if they want to, but it's not fundamental to the functionality of the system.
Both the client and the satellite use beam forming. The signal is pointed at you in a relatively narrow beam, not broadcast spherically. They have to know where you are to point at you (phased array antennas, so electronic, not physical, pointing).
I'm not too familiar with the low-level details of the Starlink network, but in the slides of the talk it's shown that the dish contains a GPS receiver, so isn't it possible that the client tells the satellite its location on first contact?
If you trick it into thinking you're a few metres away from your true location then you're not evading any geofence that you couldn't trivially evade simply by moving a few metres.
GPS is the cheap, easy, and more accurate method of finding and determining location. Time sync is also an important part of satellite communication.
They could effectively reimplement GPS or an equivalent location tech with their network but why when a high quality positioning solution already exists.
They will be continually syncing time and position data for the orbits of satellites and positions of clients. (static clients obviously don't need this often outside of timekeeping, but you can set up a mobile plan for RVs, boats, etc which obviously move a lot)
There is a paper out there where someone demonstrates that it would take 1.6% of constellation downlink capacity for StarLink to serve as its own GNSS. As you mention, the GPS network is very high quality, and this would only make sense in areas where GPS was underserved or active denial was expected (and StarLink had the capability to avoid jamming).
Edit: I misrecalled. StarLink can provide 10x more precise positioning than GPS.
Alternatively you could just embed a cheap GNSS chip and let other people build and maintain it.
> I misrecalled. StarLink can provide 10x more precise positioning than GPS.
GPS can also provide much more precise positioning than it does for consumers. There are encrypted bands used for military, etc. with significantly better specs.
The GPS is probably used to get the current time and location to orient the dish to the best satellite using ephemeris. Also the accurate time is needed in telecommunications for Time Division Multiple Access (TDMA) and maybe they have an internal GPS disciplined oscillator to transmit at precise frequencies.
It would in the same sense as illegally attaching a wire to the power cables and drawing electricity out of them does. You're stealing a limited resource (in this case radio bandwidth in a region for which you haven't purchased it; in the analogy, power), but you're not doing so any more than a legitimate user would be, assuming it's done "properly".
If too many people do this, things stop working, because you exhaust the limited resource.
If it gives you direct/raw access to the control plane, you then may be able to launch denial of service and other attacks that would negatively impact the network and other terminals. I don't know anything about the Starlink protocol, but a rough Ethernet analog might be an ARP attack/flood.
Not rooting your phone, but hacking the baseband. And since we're talking about disassembling devices and performing low voltage attacks to reveal secrets, I would draw the analogy to baseband hacking.
...found a vulnerability (CVE-2022-20210) that can be abused to disrupt the device’s radio communication via a malformed packet causing a DoS condition. This vulnerability allows attackers to neutralize communications in a specific location.
This is like saying if someone can get close to your house with a hammer they can mount a hammer attack on your windows and bypass your homes security. lmao, what a load of bullshit.
Reposts are fine if a story hasn't had significant attention yet! In fact, if the story is a good one, they're helpful, because they mitigate the randomness of what gets noticed on /newest.
This info is enough to calculate their exact position and is constantly updated as their orbits change due to degradation or powered movements.
But accurately hitting an object at 400km altitude moving at 10km/s is outside the capability of all but corporate and state actors, and Starlink is not a great target because their sats are so small and there are so many of them.
It would cost a fortune in missiles just to make a dent in the constellation.
Pretty sure Russia has physical satellite killer missiles just like US does?
Would a nuke in space even work to take out a group of them, maybe even via an EMP surge or are they hardened?
Sometimes I wonder if the world would be more peaceful if cellphone networks couldn't work anymore but there would be so much other chaos so guess not.
Russia does not have the capability of destroying Starlink because the amount of upmass required to destroy them is larger than what the Russians can actually do.
SpaceX's replacement rate would be higher than Russia's destroy rate.
Presumably micro missiles would be smaller than micro sats, so the only thing you’d need is to launch one large missile full of micro missiles that then each take out one satellite.
After that… I imagine it’d become impossible to launch anything ever again. So much debris in LEO would be depressing (though maybe the satellites could be given a deorbit burn order before being exploded, if it ever became clear they’d gotten targeted in this way)
While that is potentially true, such micro missile tech currently doesn't exist and modern Russia doesn't exactly have a track record in developing such tech.
In addition, it's far harder than you would think. Each such missile would still need a complex computer system and propulsion hardware and so on. It would be cheaper than a Starlink sat, but not by that much.
Also, even if you assume 1/10 the weight, SpaceX can easily launch 10x more than Russia can. With Starship coming online SpaceX by themselves can launch 100x what Russia can.
And of course if Russia did such a thing SpaceX would have US government support.
> After that… I imagine it’d become impossible to launch anything ever again.
I do not think this is actually true. The decay is too fast at this altitude for this to actually happen.
> Each such missile would still need complex computer system and propulsion hardware and so on. It would be cheaper than a Starlink sat but not by that much.
We flew a rocket to the moon with less computing power than a modern pocket calculator. I’m inclined to say we’d manage.
I think I’m confused about your term ‘launch capacity’. If we’re talking average/sustained payload/day, then sure. But I think the capacity of the soyuz and falcon is about the same.
Edit: Never mind, Soyuz has like 2 times less capacity than a default Falcon.
It’s probably not fair to use Starship for that comparison (as much as I want to) because it has yet to successfully launch.
The moon is a pretty big target. A missile needs to hit a sat that is 1m², very hard to detect, and moving fast with its own propulsion and avoidance system.
> But I think the capacity of the soyuz and falcon is about the same.
Per launch a Falcon 9 lifts about double and in the last couple years Falcon 9 has launched 2-4x as often.
> It’s probably not fair to use Starship for that comparison (as much as I want to) because it has yet to successfully launch.
As of right now Russia likely also doesn't have the missiles you suggest. I would argue that Starship is closer than an advanced anti-sat weapon that can split up in orbit and hit many targets.
Excellent. Now repeat that feat 2500 times to destroy all existing Starlink satellites, and keep doing it 1300 times each year to destroy all the new Starlink satellites that are being launched.
Assuming of course that SpaceX will not increase its launch cadence, and that this act of war will not provoke a response that stops it. The concept is laughable. It is intractable at every level of execution.
Except you don't need one ASAT launch per satellite; it's completely asymmetric.
The debris in low Earth orbit travels 10,000-15,000 miles an hour. The high energy debris in LEO does all the work. A 1cm piece of debris would render other satellites useless.
Your idea that space will somehow not be militarized is quite laughable. There's an actual history that proves you wrong:
Not all Starlink are on the exact same orbital plane. There is some asymmetry but at the same time Starlink sats can also avoid debris from known places.
At this altitude debris would quickly drop out, so you would never get Kessler syndrome.
Russia would have to shoot down a huge amount of sats.
And SpaceX can easily have 100-1000x the upmass of Russia.
And this is before you can consider lots of counter-measures the US could potentially do.
> The PLA has literally robots that can obscure and destroy US satellites without launching missiles at it
This is 100% speculation.
The only thing that China has demonstrably done is blow up satellites. It would be unsurprising if this tech was in development, but nobody has any clue whether there are non-kinetic satellite neutralization weapons deployed.
https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20pre...
https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20pre...