Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal
Security researchers uncover a vulnerability in the SpaceX Starlink user terminal's secure boot process, exploiting a glitch to bypass verification and gain root access to the system.
- The ROM bootloader verifies the root of trust public key to ensure the secure boot process.
- The dish user terminal lacks documentation and open development samples, making it difficult to conduct white-box attacks.
- The attack vector is voltage fault injection, which can be used to bypass the secure boot process.
- The attacker can load the certificate and then inject a glitch to manipulate the signature verification process.
- The glitch can be triggered on the eMMC data zero line, allowing the attacker to skip certain functions.
- The attack can be performed on the Raspberry Pi microcontroller, making it possible to create a standalone mod chip.
- The user terminal is vulnerable to glitches, as removing the decoupling capacitors can create an amplification effect.
- The secure element on the system-on-chip (SoC) is used for secure boot and firmware authentication.
- A black-box attack was demonstrated using a custom-built quad-core Cortex-A53 SoC.
- The attacker can gain access to the network infrastructure by exploiting the user terminal vulnerability.
- The attack can be made more scalable by finding software vulnerabilities in the firmware.
- The dish user terminal prints “development login enabled” when a glitch is successful, allowing the attacker to control the system.
- The secure boot process is implemented using U-Boot, but the input is set to nulldev, making it vulnerable to glitches.
- The glitch can be triggered using a logic analyzer and a Raspberry Pi microcontroller overclocked to 250 MHz.
- The attack is not deterministic and may take several attempts to succeed.
- The attacker can gain a root shell on the device by glitching the reset line.
- The secure element on the SoC implements ARM Trusted Firmware, which includes a ROM bootloader and some trusted firmware boot stages.
- The system-on-chip (SoC) has a custom quad-core ARM Cortex-A53 CPU.
- The attacker can access more of the network infrastructure by exploiting the user terminal vulnerability.
- The dish user terminal lacks obvious low-hanging fruit for exploitation, making it a challenging target.
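
The points above about glitching the signature verification step can be illustrated from the defender's side. The following C sketch is an added example, not code from the talk or from the terminal's firmware: it models a single fault as one verification call that wrongly reports success, and compares a single-branch check with a redundant, fail-by-default check. The status constants, the sample digests, the fault model and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed status codes with a large Hamming distance, so a single
   flipped bit cannot turn BOOT_FAIL into BOOT_OK. */
#define BOOT_OK   0x3CA5965Au
#define BOOT_FAIL 0xC35A69A5u

/* Software fault model (assumption): the Nth call to digest_matches()
   is "glitched" and reports a match regardless of input. 0 = no fault. */
static int fault_at_call, call_count;

/* Stands in for signature verification: compares two digests. */
static int digest_matches(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    if (++call_count == fault_at_call) return 1;  /* modelled glitch */
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Single decision point: one well-timed fault flips the outcome. */
uint32_t verify_naive(const uint8_t *got, const uint8_t *want, size_t n) {
    return digest_matches(got, want, n) ? BOOT_OK : BOOT_FAIL;
}

/* Fail by default, evaluate twice, accept only if both checks passed. */
uint32_t verify_hardened(const uint8_t *got, const uint8_t *want, size_t n) {
    volatile uint32_t r1 = BOOT_FAIL, r2 = BOOT_FAIL;
    if (digest_matches(got, want, n)) r1 = BOOT_OK;
    if (digest_matches(want, got, n)) r2 = BOOT_OK;
    return (r1 == BOOT_OK && r2 == BOOT_OK) ? BOOT_OK : BOOT_FAIL;
}

/* Constructed sample digests, not taken from any real firmware. */
static const uint8_t GOOD[8] = {0x10, 0x32, 0x54, 0x76, 0x98, 0xBA, 0xDC, 0xFE};
static const uint8_t BAD[8]  = {0x10, 0x32, 0x54, 0x76, 0x98, 0xBA, 0xDC, 0x00};

/* Verify `img` against GOOD with a fault armed on call number fault_nth. */
uint32_t run(int hardened, int fault_nth, const uint8_t *img) {
    fault_at_call = fault_nth; call_count = 0;
    return hardened ? verify_hardened(img, GOOD, 8) : verify_naive(img, GOOD, 8);
}

int main(void) {
    printf("naive,    fault on check 1: %s\n", run(0, 1, BAD) == BOOT_OK ? "BOOTS" : "rejected");
    printf("hardened, fault on check 1: %s\n", run(1, 1, BAD) == BOOT_OK ? "BOOTS" : "rejected");
    return 0;
}
```

The model covers exactly one fault per boot attempt; the redundant check raises the cost of an attack but does not rule out an attacker who can land several faults in one attempt.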