To secure Starlink, SpaceX is inviting security researchers to try and hack the satellite internet system and then report any vulnerabilities to the company.
Interested security researchers can submit their findings to SpaceX’s bug bounty program, which can pay up to $25,000 per discovered vulnerability. The company is looking for bugs covering the entire Starlink ecosystem, including its mobile apps and the main website Starlink.com.
SpaceX made the announcement this week after a security researcher at the Black Hat conference publicly disclosed several vulnerabilities in the Starlink dish that can be used to run custom computer code on the hardware at all privilege levels.
“We find the attack to be technically impressive, and is the first attack of its kind that we are aware of in our system,” SpaceX said in its announcement.
The researcher, Lennert Wouters, told Wired that a SpaceX patch has rolled out for Starlink dishes to make it harder to exploit the vulnerabilities. Even so, the flaws will persist in existing hardware unless the main chip inside can be replaced. He discovered the flaws after tearing down a Starlink dish.
Still, users shouldn’t worry about the discovered vulnerabilities, according to SpaceX. The flaws can only be exploited if the attacker has physical access to a Starlink dish, meaning a remote attack that can infect a user’s Starlink dish isn’t possible.
Perhaps more importantly, the vulnerabilities also can’t be used to attack a Starlink satellite in orbit. Nor can they expose other users’ information or be exploited to tamper with other Starlink dishes over the network.
Nevertheless, the discovered flaws underscore the cybersecurity risks facing Starlink. SpaceX is particularly concerned about elite hackers uncovering vulnerabilities in the dish hardware, which could allow them to access the thousands of Starlink satellites currently up in orbit.
“The Starlink kit is the user’s entry point into the broader network,” the company wrote, while adding: “We are going to sell a lot of Starlink kits (that’s our business!), so we have to assume some of those kits will go to people who want to attack the system.”
The risk of a…