Crashed Starlink terminal.
Starlink quietly shipped software that patched a “kill switch” in its user terminals in December last year.
The discovery was made by a team of academics from Oxford University and a researcher from Switzerland’s Federal Office for Defence Procurement, who published their work at arXiv.
The researchers first learned the structure of commands sent to the terminal’s management interface, and discovered that “the payload always consists of four null bytes, followed by a byte containing the length of the command, followed by the command itself.”
Although the commands use a “non-human-readable encoding”, the structure provided sufficient information for the team to build a fuzzer that cycled through correctly-formatted commands to see which had an effect.
The fuzzing “led to the discovery of the ‘kill’ command 00 00 00 00 03 EA 3E 00, which causes the command handler of the user terminal to crash”.
The crash is only partially a denial-of-service: the terminal will continue to function as a receiver and modem, but will not respond to new commands until it’s power cycled, with its settings and state frozen.
“By attacking the admin interface, the attacker can affect the physical state of the dish, opening up new approaches to denial of service by turning the dish away from the sky. Furthermore, motors and other hardware can be damaged in this way through overuse,” the researchers said.
While the researchers only demonstrated a compromise over the local network, “executing
the attack only requires a few seconds of connection on the local network”, and they note that in some settings, Starlink might be serving a large network.
They also said that there is “some potential for remote attack, provided the attacker can in some way cause a device on the same network as the dish to send HTTP requests.
The team reported their findings to Starlink, which deployed a patch in December.
The researchers said their work is an example of how the advent of low earth orbit (LEO) satellites has led companies to develop their own terminal/modem devices, “without the institutional memory” of broadband router developers’ vulnerabilities and their mitigations.
“Since the router is often part of a physical system including a motorised dish, securing the admin interface is of even greater importance,” the researchers said.
The paper calls for satellite terminal designers to implement “known security improvements from terrestrial router design”, including password authentication for the management interface, using TLS to encrypt management traffic, and only permitting access to the management interface from a dedicated admin network.