Introduction

In this article, I'm going to discuss Starlink satellite capabilities because of how prolific they are. As you may know, I've been writing about the technical risks associated with cell phones for the past 10+ years. What I discuss here is not limited to SpaceX Starlink; these are capabilities probably used by any well-funded threat actor with modern, low Earth orbit (LEO) satellites.

We already know that SpaceX, an American company, cooperates with US intelligence agencies, so these capabilities are shared across FVEY entities. Read more about Starshield.

This content was going to be published in my How to Use an iPad as a Secure Calling and Messaging Device and How to Use a Pixel Tablet as a Secure Calling and Messaging Device publications to further convince high-risk people to abandon cell phones. However, this research and risk analysis, using Starlink as an example, is so complex and nuanced that it fell out of scope of those articles.

Given the outcome of the November 2024 US election, it's not difficult to think that Starlink satellites might be used to target people while sweeping up data about American citizens. While SpaceX is not any worse than a typical, terrestrial cellular provider in terms of technical privacy and security risks, there are a lot of terrestrial places where there is no cell service, places where undocumented people live. Per T-Mobile on December 16th, 2024:

Coming on the heels of FCC approval, T-Mobile has opened registration for a beta program for T-Mobile Starlink, a direct-to-cell satellite service that will help eliminate dead zones by providing coverage for the 500,000 square miles of land in the United States not covered by earth-bound cell towers.

Terrestrial Location Tracking

SpaceX uses features of the LTE protocol that were intended for high-speed trains in order to offer Direct to Cell coverage. With Doppler shift compensation from a Starlink satellite, SpaceX can make any modern LTE phone think that the timing and Doppler are within specification in order to establish communication between satellite and cellular baseband devices.

Band 25 (1900 MHz) is used by Starlink satellites in the United States. Band 7 (2600 MHz) is used outside the United States, but SpaceX is more broadly approved for 1429-2690 MHz globally. Any cell phone or cellular tablet must support 3GPP Release 13 or newer (requires Timing Advance) in order to connect to Starlink services. These 3G/LTE and 4G/LTE devices can communicate with Starlink satellites, and SpaceX and other companies are working on 5G methods. 5G has non-terrestrial networking built into the protocol so it won't be long before 5G is supported.

Cellular baseband devices typically maintain only one active connection at a time, either to a terrestrial cell tower or to a satellite. In most scenarios, a mobile network operator (MNO) subscriber, such as a T-Mobile user, whose phone is configured for satellite connectivity will attempt to connect to SpaceX satellites when terrestrial tower coverage is lost, ensuring the device can maintain a cellular connection.

Prior to November 26th, 2024, SpaceX was not yet authorized to service these requests. SpaceX fielded and rejected hundreds of thousands of cellular attach requests per day from T-Mobile cellular tablets and phones and logged those connection attempts. Logging includes hardware identifiers, network data, and physical location data associated with all requests. This is also true for any 3GPP R13 cell device that supports satellite connectivity, globally, for any carrier. SpaceX can negotiate, reject, and log all connection attempts when a device loses terrestrial service.

As of November 26th, 2024, the FCC has authorized SpaceX to field T-Mobile subscribers' requests in the United States. If a user's device is not authorized, whether or not it belongs to a T-Mobile subscriber, SpaceX still gets device, network, and physical location metadata. As of writing, T-Mobile has opened a public beta for subscribers to begin testing Starlink's offering.

Like dirtboxes, satellite cells can force a single user's device to connect to them directly, or force all users within the satellite's broadcast beam to connect, depending on which public land mobile network (PLMN) the cell broadcasts. A satellite can do this in one of two ways:

  1. A Starlink satellite can present itself as a SpaceX PLMN directly to a target device, or

  2. A Starlink satellite can pretend to be a specific MNO tower, such as a T-Mobile tower, directly to a target device. This can be done in a way that, to a user, it appears as though they are connected to a T-Mobile cell tower, but in reality they will have a direct connection to a Starlink satellite.

In October 2024, the FCC allowed SpaceX to temporarily inject cell service in areas affected by Hurricane Helene and Hurricane Milton.

T-Mobile customers in areas affected by both hurricanes will be able to send SMS texts over Starlink DTC /D2D (direct-to-device) satellites at no cost, according to SpaceX.

The greatest location tracking concern with threat actors such as SpaceX and their partners is being outside and visible from above. Some companies already have millimeter-resolution synthetic-aperture radars (SAR) performing multiple imaging passes per day. SpaceX observability is lower, but software capabilities to watch devices of interest are a significant risk.

Satellite Limitations

Certain limitations (physics) apply that don't apply to terrestrial cell towers. Any one Starlink satellite uses ~250 focused cellular beams that are formed and pointed using a phased array antenna. They can either be targeted to a fixed point on the surface of the Earth, or given a path to follow (a sliding beam).

The timing between users and satellites cannot be more than a couple hundred microseconds, which limits the beam size and scan angle of a satellite. In other words, the beams can't be too big, and Starlink satellites can't service devices at elevation angles that are too low. But the Starlink network is being made to never have gaps in coverage.
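To make the timing limit concrete, the following added example (not from SpaceX or any cited source) computes how large a beam can be before the round-trip delay spread between its nearest and farthest users exceeds the window, and the uncompensated Doppler at the beam centre. The 550 km altitude, the 200 µs window, and the circular-beam, overhead-pass geometry are assumptions; the 7.7 km/s speed and 1900 MHz carrier are the article's figures.

```python
import math

R_EARTH_KM = 6371.0
C_KM_S = 299_792.458
ALT_KM = 550.0        # assumption: the article gives no orbit altitude
SAT_SPEED_KM_S = 7.7  # orbital speed quoted in the article
CARRIER_HZ = 1.9e9    # Band 25 (1900 MHz), from the article
WINDOW_US = 200.0     # assumption: one reading of "a couple hundred microseconds"
R_SAT_KM = R_EARTH_KM + ALT_KM

def central_angle(elev_deg):
    """Earth-central angle from the sub-satellite point to a ground point
    that sees the satellite at elev_deg above the horizon."""
    el = math.radians(elev_deg)
    return math.acos(R_EARTH_KM * math.cos(el) / R_SAT_KM) - el

def slant_range_km(gamma):
    """Satellite-to-ground distance for central angle gamma (law of cosines)."""
    return math.sqrt(R_EARTH_KM**2 + R_SAT_KM**2 - 2 * R_EARTH_KM * R_SAT_KM * math.cos(gamma))

def delay_spread_us(elev_deg, radius_km):
    """Round-trip delay difference between the nearest and farthest user in a
    circular beam of ground radius radius_km centred at elev_deg."""
    g0 = central_angle(elev_deg)
    half = radius_km / R_EARTH_KM
    near = slant_range_km(max(0.0, g0 - half))  # beam may contain the nadir
    far = slant_range_km(g0 + half)
    return 2 * (far - near) / C_KM_S * 1e6

def max_beam_radius_km(elev_deg, window_us=WINDOW_US):
    """Largest beam radius whose delay spread fits the window (bisection)."""
    lo, hi = 0.0, 500.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if delay_spread_us(elev_deg, mid) <= window_us:
            lo = mid
        else:
            hi = mid
    return lo

def doppler_hz(elev_deg):
    """Uncompensated carrier Doppler for an overhead pass (Earth rotation ignored)."""
    radial = SAT_SPEED_KM_S * R_EARTH_KM / R_SAT_KM * math.cos(math.radians(elev_deg))
    return CARRIER_HZ * radial / C_KM_S

if __name__ == "__main__":
    for el in (90, 60, 30):
        print(f"{el:2d} deg: beam radius <= {max_beam_radius_km(el):6.1f} km, "
              f"Doppler {doppler_hz(el) / 1e3:5.1f} kHz")
```

Under these assumptions the permitted beam radius shrinks from roughly 177 km directly below the satellite to about 17 km at 30° elevation, where the uncompensated Doppler is about 39 kHz, well above LTE's 15 kHz subcarrier spacing.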

Like terrestrial cell networks, satellite cellular operators are acutely aware of which eNodeB a user's cellular device is connected to. Starlink satellites orbit at speeds of 7.7 km/s, so their beams slide across the Earth's surface at a slower rate. SpaceX is aware of which beam is on which area.

  • For high-gain terrestrial antennas, SpaceX can estimate where a device is within a roughly 10 to 20 km radius within any beam. With multiple passes, SpaceX could triangulate a finer point of a stationary or moving device.

  • For low powered cell phones, it's only possible for SpaceX to track devices within a satellite's beam.

There are many conditions that impede connectivity, and thus surveillance, by LEO satellites. Heavy ground cover such as dense forests, high atmospheric moisture, and the lack of line of sight are all challenges for LEO satellites. Baseband devices inside buildings can sometimes establish a link with Starlink satellites, but you'd need to be near a window.

Satellite Attacks

Each of a Starlink satellite's beams has its own cell. So if a satellite wanted to mess with transport protocols, any one satellite could limit disruption to any covered area by manipulating cellular coverage on a per-beam basis. Further, static (non-sliding) beams perform better.

Even simple attacks, like disruption attacks that intentionally maintain a satellite connection in order to drain a target's battery, are possible.

Lastly, cellular basebands are extremely trusting in order to support interoperability. Satellite LTE connectivity suffers from the same attacks that SS7 and Diameter allow. If SpaceX wanted to attack any particular device, they would likely utilize existing SS7/Diameter networks.