SpaceX Starlink Dish Unauthenticated Administrative Access Vulnerability via LAN gRPC
Vulnerability
A vulnerability in SpaceX Starlink Dish devices running firmware 2024.12.04.mr46620, particularly on the Mini1_prod2 model, allows unauthorized administrative actions through gRPC requests sent over the local area network. This issue, known as MARMALADE 2, bypasses the dish's cross-origin resource sharing (CORS) policy by omitting the Referer header, which allows commands such as rebooting the dish or reading its configuration data to be executed without authentication. Additionally, the vulnerability could be leveraged to infer the dish's geographical location, because its tilt, rotation, and elevation data are accessible via the same gRPC interface.
Impact
Exploitation of this vulnerability could lead to unauthorized administrative control over the Starlink dish, allowing for actions such as rebooting the device, manipulating its orientation, and accessing sensitive configuration information. Such capabilities could disrupt the dish's functionality and potentially be used for more malicious purposes, like geo-locating military assets that rely on Starlink for communication.
Reproduction
The vulnerability can be reproduced by sending unauthenticated gRPC requests over HTTP from any device on the same local network as the Starlink dish. This can be done using a gRPC client or through a web browser that has been manipulated to bypass CORS restrictions. The dish's gRPC service is available on port 9200, and requests can be made to perform various administrative functions by targeting specific API endpoints.
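The Referer-omission bypass described above, modelled as a weak origin check beside a fail-closed one. This is an added illustration written for this page, not Starlink's code; the allowlisted origin, the header handling and the function names are assumptions, and the real mitigation for the described flaw is authenticating administrative RPCs, since a native gRPC client on the LAN sends no browser headers at all.

```python
"""Model of the Referer-omission bypass (added example, not Starlink's code)."""
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Hypothetical allowlist: only the dish's own local UI origin is trusted.
# The address is a constructed placeholder, not a value from the advisory.
ALLOWED_ORIGINS = {"http://192.168.100.1"}


def _lower(headers: Mapping[str, str]) -> dict:
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def _origin_from_referer(referer: str) -> Optional[str]:
    """Reduce a Referer URL to its scheme://host[:port] origin, or None."""
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def weak_check(headers: Mapping[str, str]) -> bool:
    """Flawed pattern: only a Referer that is present AND foreign is rejected.
    A request that simply omits the header is allowed, which is the class of
    bug the advisory describes (absence treated as trusted)."""
    referer = _lower(headers).get("referer")
    if referer is None:
        return True  # bug: missing header passes the check
    return _origin_from_referer(referer) in ALLOWED_ORIGINS


def hardened_check(headers: Mapping[str, str]) -> bool:
    """Fail closed: require an explicit Origin (or, failing that, a parseable
    Referer) that matches the allowlist. Missing or malformed headers are
    rejected. This only defends against browser-initiated cross-site calls;
    admin RPCs still need real authentication."""
    h = _lower(headers)
    origin = h.get("origin")
    if origin is None and "referer" in h:
        origin = _origin_from_referer(h["referer"])
    return origin is not None and origin in ALLOWED_ORIGINS
```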
