DEF CON 30 - Lennert Wouters - A Black-Box Security Evaluation of SpaceX Starlink User Terminal

28,009 views

DEFCONConference

1 year ago

This presentation covers the first black-box hardware security evaluation of the SpaceX Starlink User Terminal (UT). The UT uses a custom quad-core Cortex-A53 System-on-Chip that implements verified boot based on the ARM trusted firmware (TF-A) project. The early-stage TF-A bootloaders, and in particular the immutable ROM bootloader, include custom fault injection countermeasures. Despite the black-box nature of our evaluation, we were able to bypass signature verification during execution of the ROM bootloader using voltage fault injection.
Using a modified second-stage bootloader, we could extract the ROM bootloader and eFuse memory. Our analysis demonstrates that the fault model used during countermeasure development does not hold in practice. Our voltage fault injection attack was first performed in a laboratory setting and later implemented as a custom printed circuit board or 'modchip'. The presented attack results in an unfixable compromise of the Starlink UT and allows us to execute arbitrary code.
Obtaining root access on the Starlink UT is a prerequisite to freely explore the Starlink network and the underlying communication interfaces.
This presentation will cover an initial exploration of the Starlink network. Other researchers should be able to build on our work to further explore the Starlink ecosystem.

Comments: 18
@defenseops346 1 year ago
This is on a whole other level, wow.
@DrTune 1 year ago
Wout! It's Lennert again! Always a treat...
@Jango1989 1 year ago
Brilliant research and great talk!
@muudus_tv 1 year ago
Black Box Security Testing on StarLink taking approx. 1 year. Kudos to you guys, and I was surprised when you told that the SoC needs to be revised totally again for the patch. I wonder how StarLink gave the permission to disclose this unpatched issue, that too on DEF CON, when the terminals are all dispatched & running on war environments.
@dmacpher 1 year ago
Iirc they updated firmware and overvolted a fuse remotely on all old hardware and the V2 square dish is secure (for now)
@black_heart_gaming583 1 year ago
This dude is smart af
@TillmannHuebner 1 year ago
What triggers me most is the micro-usb plug :D
@SateWake 5 months ago
I'm possibly being slow: should the YubiKey be read into any further than how he described it?
@SamTheEnglishTeacher 1 year ago
Wow this guy is amazing. I wondered if DEFCON had completely banned competent hackers from presenting, but we have a proof of concept here - some quality can still sneak through! If you're confused about what I've said, see the thumbnail for the video uploaded immediately after this one: "Some of the Pioneering Black community in Cryptocurrency". Utterly embarrassing.
@antonliakhovitch8306 1 year ago
Wow, great talk! It's nice to hear that their response was seemingly pretty good. I'm pretty sure that the decision never touched Musk's desk, else they would've tried to sue you or something. I have a very similar voltage glitch modchip in my Xbox 360; I'm pretty sure they also use MOSFETs to disconnect the decoupling capacitors. Nice to hear that the same technique is being used for something more interesting :)
@Ergzay 1 year ago
You guys are ridiculous lol. The news spread around quite a bit. I'm sure he saw it. SpaceX wouldn't have put out an official PDF response about it on their website without Elon knowing about it (that's still on the website as well).
@ThomasVangelooven 9 months ago
Hats off! Great work!
@gus473 1 year ago
😯 It's just that easy....! 😂✌🏼😎
@networknomad5600 1 year ago
So basically, Musk done good.
@___echo___ 1 year ago
musk has done jack, he just owns the company
@Ergzay 1 year ago
@___echo___ Musk started the company and personally interviewed the first several thousand employees. Unless you're going to claim that all founders "just own the company" and don't contribute. He also fired all of the Starlink executives in 2018 for lack of progress, who then went on to work at Amazon on their satellite internet project, which 4 years later now still hasn't happened.
@SkyLabZaamslagtheNetherlands 1 year ago
Fake news
@meemorelive 1 year ago
en.wikipedia.org/wiki/TR-069