Researcher Hacks Starlink Terminal Using a $25 Homemade Board

Lennert Wouters, a security expert from KU Leuven who previously discovered a bug allowing a Tesla to be stolen in minutes, has revealed that he managed to compromise a Starlink terminal using a custom mod chip costing just $25. At the Black Hat 2022 conference, Wouters announced his intention to make this tool available for others to replicate.

Since 2018, Elon Musk’s company has launched over 3,000 Starlink satellites into orbit. This satellite network is designed to provide internet access in the most remote areas of the planet, where connectivity was previously unreliable, expensive, or completely unavailable. As the network grows, thousands more satellites are planned, and, like any new technology, Starlink has attracted the attention of hackers and researchers.

How the Starlink Terminal Was Hacked

Wouters described one of the first hacks of a Starlink terminal, specifically the satellite dish known as Dishy McFlatface, which is typically installed on buildings. To access the dish’s firmware, Wouters disassembled a purchased terminal and developed a special tool for hacking it.

This tool is a custom board (mod chip) assembled from off-the-shelf components, with a total cost of about $25. After connecting the board to the Starlink dish, it is used to perform a fault injection attack, temporarily disrupting the system to bypass Starlink’s security mechanisms. This “glitch” allowed Wouters to access previously locked parts of the Starlink system.

To create the mod chip, Wouters scanned the Starlink dish and designed a board that fits the existing Starlink hardware. The mod chip must be soldered onto the Starlink board and connected with several wires.

The mod chip itself consists of a Raspberry Pi microcontroller, flash memory, electronic switches, and a voltage regulator. When Starlink engineers created the user terminal, they printed “Made on Earth by humans” on the board. Wouters’ mod chip, in turn, is labeled “Glitched on Earth by humans.”

Open Source and Security Implications

Wouters decided to make his tool open source, publishing his work on GitHub, including some details necessary to launch the attack.

“Suppose you’re an attacker and want to target the satellite itself,” Wouters explains. “You could try to build your own system to communicate with the satellite, but that’s quite difficult. So, if you want to attack satellites, it’s easier to start with the user terminal, as that will likely make your life easier.”

According to Wired, the Starlink system consists of three main parts: the satellites themselves, which orbit about 550 kilometers above Earth and transmit signals to the ground; ground gateways that send internet connections to the satellites; and the Dishy McFlatface dishes that users can purchase. Wouters’ research focused on the user terminals, which were originally round but now come in a rectangular form.

Inside the Hacking Process

Enthusiasts have long studied Starlink user terminals, disassembling them and discussing their design on Reddit, but Wouters was the first to focus on the security of the terminal and its chips. He went through several stages and tried many different approaches before creating his open-source mod chip.

Wouters began testing the Starlink system in May 2021, achieving download speeds of 268 Mbps and upload speeds of 49 Mbps from the roof of his university building. He then decided to take the device apart. Using a combination of a heat gun, tools, isopropyl alcohol, and a lot of patience, he managed to remove the dish’s cover and access its internal components. This helped him understand how the device boots and downloads firmware.

Overall, Wouters’ attack works by bypassing security checks and signature verification, which are meant to ensure the system boots correctly and the code hasn’t been tampered with. “We use this to precisely time the fault injection,” Wouters explains.

When the Starlink dish powers on, the bootloader goes through several stages. Wouters’ attack triggers a fault in the first bootloader, the ROM loader, which is hardcoded into the SoC and cannot be updated. This then allows custom firmware to be deployed and full control over the terminal to be gained.
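As an added illustration (not code from Wouters, SpaceX or the original article), the C example below models why a boot-stage verification that hinges on a single comparison is fragile under one injected fault, and how a redundant, default-deny check holds under the same model. The fault model, function names, status values and digests are all constructed assumptions and do not describe the actual Starlink ROM loader.

```c
#include <stdint.h>
#include <stddef.h>

#define DIGEST_LEN 32
/* Status words chosen far apart in Hamming distance, so one flipped
 * bit cannot turn FAIL into OK (values are illustrative). */
#define BOOT_OK   0x3CA5965Au
#define BOOT_FAIL 0xC35A69A5u

/* Constructed fault model: the comparison whose call index equals
 * glitch_at returns 0 ("equal") regardless of its inputs. */
static int cmp_calls, glitch_at = -1;

static int digest_cmp(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < DIGEST_LEN; i++) diff |= a[i] ^ b[i];
    return (cmp_calls++ == glitch_at) ? 0 : diff;
}

/* Fragile: one comparison and one branch decide the boot. */
static uint32_t check_naive(const uint8_t *m, const uint8_t *e) {
    if (digest_cmp(m, e) != 0) return BOOT_FAIL;
    return BOOT_OK;
}

/* Hardened: default-deny status, two independent comparisons,
 * and OK only when both agree. */
static uint32_t check_hardened(const uint8_t *m, const uint8_t *e) {
    volatile uint32_t status = BOOT_FAIL;
    volatile int r1 = digest_cmp(m, e);
    volatile int r2 = digest_cmp(e, m);
    if (r1 == 0 && r2 == 0) status = BOOT_OK;
    if (r1 != 0 || r2 != 0) status = BOOT_FAIL;
    return status;
}

/* Run one scenario on constructed digests. tampered: image digest differs
 * from the signed one; glitch: index of the faulted compare, -1 for none. */
uint32_t run_check(int hardened, int tampered, int glitch) {
    uint8_t expected[DIGEST_LEN], measured[DIGEST_LEN];
    for (size_t i = 0; i < DIGEST_LEN; i++) {
        expected[i] = (uint8_t)(i * 7 + 1);
        measured[i] = expected[i];
    }
    if (tampered) measured[5] ^= 0x80;
    cmp_calls = 0;
    glitch_at = glitch;
    return hardened ? check_hardened(measured, expected)
                    : check_naive(measured, expected);
}
```

Redundancy of this kind only holds under the single-fault assumption modelled here, and it applies to updatable boot stages; as the article notes, the ROM loader itself cannot be changed without a new chip.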

Starlink’s Response and Ongoing Vulnerabilities

Wouters notified Starlink of the vulnerabilities he found last year, and the company rewarded him through its bug bounty program. Starlink developers even offered Wouters access to the device’s software, but he declined, as he was already deep into developing his mod chip.

Wouters notes that while SpaceX released an update to make the attack more difficult (to which he responded by modifying his mod chip), the core issue cannot be fixed until the company creates a new version of the main chip. For this reason, all existing user terminals remain vulnerable, although carrying out the attack has become harder.

Although the mod chip’s specifications are available on GitHub, Wouters says he does not plan to sell ready-made boards or distribute custom firmware for the user terminal, nor will he provide exact details about the fault he exploited.

After Wouters’ presentation at Black Hat, Starlink engineers published a six-page PDF explaining how they protect their systems.

“We find this attack technically impressive, and it’s the first of its kind that we’re aware of,” the document states. “We expect that attackers with invasive physical access could perform malicious actions using a single Starlink kit and its identifier, so we rely on the principle of ‘least privilege’ to limit the impact on the overall system.”

Starlink specialists emphasize that such an attack requires physical access to the terminal, and that only a single device can be compromised through this boot-time fault, not the entire Starlink network.

“Regular Starlink users don’t need to worry about this attack affecting them or take any action in response,” Starlink concludes.
