To secure Starlink, SpaceX is inviting security researchers to try to hack the satellite internet system and then report any vulnerabilities to the company.
Interested security researchers can submit their findings to SpaceX’s bug bounty program, which can pay up to $25,000 per discovered vulnerability. The company is looking for bugs covering the entire Starlink ecosystem, including its mobile apps and the main website Starlink.com.
SpaceX made the announcement this week after a security researcher at the Black Hat conference publicly disclosed several vulnerabilities in the Starlink dish that can be used to run custom computer code on the hardware at all privilege levels.
“We find the attack to be technically impressive, and is the first attack of its kind that we are aware of in our system,” SpaceX said in its announcement.
The researcher, Lennert Wouters, told Wired that a SpaceX patch has rolled out for Starlink dishes to make it harder to exploit the vulnerabilities. Even so, the flaws will persist in existing hardware unless the main chip inside can be replaced. He discovered the flaws after tearing down a Starlink dish.
Still, users shouldn’t worry about the discovered vulnerabilities, according to SpaceX. The flaws can only be exploited if the attacker has physical access to a Starlink dish, meaning a remote attack that can infect a user’s Starlink dish isn’t possible.
Perhaps more importantly, the vulnerabilities also can’t be used to attack a Starlink satellite in orbit. Nor can they expose other users’ information or be exploited to tamper with other Starlink dishes over the network.
Nevertheless, the discovered flaws underscore the cybersecurity risks facing Starlink. SpaceX is particularly concerned about elite hackers uncovering vulnerabilities in the dish hardware, which could allow them to access the thousands of Starlink satellites currently up in orbit.
“The Starlink kit is the user’s entry point into the broader network,” the company wrote, while adding: “We are going to sell a lot of Starlink kits (that’s our business!), so we have to assume some of those kits will go to people who want to attack the system.”
The risk of a cyberattack was highlighted earlier this year when a massive disruption temporarily took down the satellite internet network at rival company Viasat for users in Ukraine and across Europe. The US has since blamed the disruption on the Russian government, which may have used data-wiping malware to carry out the attack.
In addition, SpaceX has warned that the Kremlin has been trying to hack Starlink due to its wide usage in Ukraine, which is facing an ongoing invasion from Russia. SpaceX has already deployed 12,000 Starlink dishes in Ukraine in an effort to keep the country online.
Thursday’s announcement from SpaceX includes a document that outlines how the company is trying to protect the Starlink network from malicious attacks. One of the main goals has been to ensure that the Starlink hardware will only run with “the minimal set of privileges required” to prevent a hack from affecting the entire Starlink network.
“We treat Starlink user terminals as inherently untrusted and only expose the minimal necessary information and capabilities to each specific client,” the company added.