Literally Tearing Apart A SpaceX Starlink Antenna

While SpaceX’s constellation of Starlink satellites is nowhere near its projected final size, the company has enough of the birds zipping around in low Earth orbit to start a limited testing period they call the Better Than Nothing Beta. If you’re lucky enough to get selected, you have to cough up $500 for the hardware and another $100 a month for the service. Despite the fairly high bar for getting your hands on one, [Kenneth Keiter] decided to sacrifice his Starlink dish to the teardown Gods.

We say sacrifice because [Kenneth] had to literally destroy the dish to get a look inside. It doesn’t appear that you can realistically get into the exceptionally thin antenna array without pulling it all apart, thanks in part to the preposterous amount of adhesive that holds the structural back plate onto the PCB. The sky-facing side of the phased array, the key element that allows the antenna to track the rapidly moving Starlink satellites as they pass overhead, is also laminated to a stack-up comprised of plastic hexagonal mesh layers, passive antenna elements, and the outer fiberglass skin. In short, there are definitely no user-serviceable parts inside.

The dish hides many secrets under its skin.

Beyond attempting to analyze the RF magic that’s happening inside the antenna, [Kenneth] also takes viewers through a tour of some of the more recognizable components of the PCB; picking out things like the Power over Ethernet magnetics, a GPS receiver, some flash storage, and the H-Bridge drivers used to control the pan and tilt motors in the base of the dish.

It also appears that the antenna is a self-contained computer of sorts, complete with ARM processor and RAM to run the software that aims the phased array. Speaking of which, it should come as no surprise to find that not only are the ICs that drive the dizzying array of antenna elements the most numerous components on the PCB, but that they appear to be some kind of custom silicon designed specifically for SpaceX.

In short, there’s still plenty we don’t know about how this high-tech receiver actually works. While [Kenneth] does a respectable job of trying to make sense of it all, and we admire the dedication required to rip apart such a rare and expensive piece of kit, it’s still going to be a while before the hacker community truly masters the tech that SpaceX is putting into their ambitious global Internet service.


Easy IoT Logging Options For The Beginner

If a temperature sensor takes a measurement in the woods but there’s nobody around to read it, is it hot out? 

If you’ve got a project that’s collecting data, you might have reasons to put it online. Being able to read your data from anywhere has its perks, after all, and it’s key to building smarter interconnected systems, too. Plus, you can tell strangers the humidity in your living room while you’re out at the pub, and they’ll be really impressed.

Taking the leap into the Internet of Things can be daunting, however, with plenty of competing services and options from the basic to the industrial-strength available. Today, we’re taking a look at two options for logging data online that are accessible to the beginner.

Google Meddling With URLs In Emails, Causing Security Concerns

Despite the popularity of social media, for communication that actually matters, e-mail reigns supreme. Crucial to the smooth operation of businesses worldwide, it’s prized for its reliability. Google is one of the world’s largest e-mail providers, both with its consumer-targeted Gmail product as well as G Suite for business customers. [Jeffrey Paul] is a user of the latter, and was surprised to find that URLs in incoming emails were being modified by the service when fetched via the Internet Message Access Protocol (IMAP) used by external email readers.

This change appears to make it impossible for IMAP users to see the original email without logging into the web interface, it breaks verification of the cryptographic signatures, and it came as a surprise.

Security Matters

A test email sent to verify the edits made by Google’s servers. Top, the original email, bottom, what was received.

For a subset of users, it appears Google is modifying URLs in the body of emails to instead go through their own link-checking and redirect service. This involves actually editing the body of the email before it reaches the user. This means that even those using external clients to fetch email over IMAP are affected, with no way to access the original raw email they were sent.

The security implications are serious enough that many doubted the initial story, suspecting that the editing was only happening within the Gmail app or through the web client. However, a source claiming to work for Google confirmed that the new feature is being rolled out to G Suite customers, and can be switched off if so desired. Reaching out to Google for comment, we were directed to their help page on the topic.

The stated aim is to prevent phishing, with Google’s redirect service including a link checker to warn users who are traveling to potentially dangerous sites. For many though, this explanation doesn’t pass muster. Forcing users to head to a Google server to view the original URL they were sent is to many an egregious breach of privacy, and a security concern to boot. It allows the search giant to further extend its tendrils of click tracking into even private email conversations. For some, the implications are worse. Cryptographically signed messages, such as those using PGP or GPG, are broken by the tool; as the content of the email body is modified in the process, the message no longer checks out with respect to the original signature. Of course, this is the value of signing your messages — it becomes much easier to detect such alterations between what was sent and what was received.
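The effect on signed mail described above can be reproduced offline. The following is an added example, not code from the original article or from Google: it signs a constructed message body, applies a link rewrite to a hypothetical redirect host (`redirect.example`), and shows both that verification fails and which URL was changed. HMAC-SHA256 is used here as a stand-in for a PGP/GPG detached signature so the example needs only the standard library.

```python
import hashlib
import hmac
import re

# Matches http(s) URLs up to the next whitespace, quote or angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sign(body: bytes, key: bytes) -> str:
    # Assumption: HMAC-SHA256 stands in for a PGP/GPG detached signature.
    # Like a real signature, it covers the exact bytes of the body.
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(body: bytes, key: bytes, signature: str) -> bool:
    # Constant-time comparison of the recomputed tag with the received one.
    return hmac.compare_digest(sign(body, key), signature)


def rewritten_urls(sent: bytes, received: bytes):
    # Pair URLs by position and report every (original, received) mismatch.
    before = URL_RE.findall(sent.decode("utf-8"))
    after = URL_RE.findall(received.decode("utf-8"))
    return [(b, a) for b, a in zip(before, after) if b != a]


# Constructed sample data: key, message body and redirect host are made up.
KEY = b"constructed-demo-key"
ORIGINAL_URL = b"https://example.org/report.pdf"
SENT = b"Hi,\r\nThe report is here:\r\n" + ORIGINAL_URL + b"\r\nRegards\r\n"
SIGNATURE = sign(SENT, KEY)

# What a mail client would fetch after an in-transit link rewrite.
RECEIVED = SENT.replace(
    ORIGINAL_URL, b"https://redirect.example/url?q=" + ORIGINAL_URL
)

if __name__ == "__main__":
    print("sent copy verifies:    ", verify(SENT, KEY, SIGNATURE))
    print("received copy verifies:", verify(RECEIVED, KEY, SIGNATURE))
    for original, current in rewritten_urls(SENT, RECEIVED):
        print("rewritten:", original, "->", current)
```
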

Inadequate Disclosure

Understandably, many were up in arms that the company would implement such a measure with no consultation or warning ahead of time. The content of an email is sacrosanct, in many respects, and tampering with it in any form will always be condemned by the security conscious. If the feature is a choice for the user, and can be turned off at will, then it’s a useful tool for those that want it. But this discovery was a surprise to many, making it hard to believe it was adequately disclosed before roll-out. The question unfolded in the FAQ screenshot above hints at this being part of Google’s A/B test and not applied to all accounts. Features being tested on your email account should be disclosed, yet they are not.

Protecting innocent users against phishing attacks is a laudable aim, and we can imagine many business owners enabling such a feature to avoid phishing attacks. It’s another case where privacy is willingly traded for the idea of security. While the uproar is limited due to the specific nature of the implementation thus far, we would expect further desertion of Google’s email services by the tech savvy if such practices were to spread to the mainstream Gmail product. Regardless of what happens next, it’s important to remember that the email you read may not be the one you were sent, and act accordingly.

Update 30/10/2020: It has since come to light that for G Suite users with Advanced Protection enabled, it may not be possible to disable this feature at all. 

The Google Chrome Dinosaur Game, In Real Life

[Ryan] wanted to hack the Google Chrome Dinosaur Game so he could control the dinosaur with his own movements. The game only requires two keyboard presses (up and down arrow keys), so controlling the game with the Arduino Keyboard library only requires a few simple function calls.

He uses the Arduino MKR board in his build, but notes any number of other boards would work as well. A force sensor detects his jumps and a stretch sensor detects him ducking. Both the stretch and force sensors are resistive transducers, so two simple voltage divider circuits (one for each sensor) are needed to convert changes in force to a voltage. You may need to adjust the sensor threshold to ensure the code responds to your movements, but [Ryan] makes that pretty easy to do in software as both thresholds are stored as global variables.

It’s a pretty simple hack, but could make for some good socially-distanced fun. What other hackable Google Chrome extensions do you like?


Busting GPS Exercise Data Out Of Its Garmin-controlled IoT Prison

If you take to the outdoors for your exercise, rather than walking the Sisyphusian stair machine, it’s nice to grab some GPS-packed electronics to quantify your workout. [Bunnie Huang] enjoys paddling the outrigger canoe through the Singapore Strait and recently figured out how to unpack and visualize GPS data from his own Garmin watch.

By now you’ve likely heard that Garmin’s systems were down due to a ransomware attack last Thursday, July 23rd. On the one hand, it’s a minor inconvenience to not be able to see your workout visualized because of the system outage. On the other hand, the services have a lot of your personal data: dates, locations, and biometrics like heart rate. [Bunnie] looked around to see if he could unpack the data stored on his Garmin watch without pledging his privacy to computers in the sky.

Obviously this isn’t [Bunnie’s] first rodeo, but in the end you don’t need to be a 1337 haxor to pull this one off. An Open Source program called GPSBabel lets you convert proprietary data formats from a hundred or so different GPS receivers into .GPX files that are then easy to work with. From there he whipped up less than 200 lines of Python to plot the GPS data on a map and display it as a webpage. The key libraries at work here are Folium which provides the pretty browsable map data, and Matplotlib to plot the data.

These IoT devices are by all accounts amazing, listening for satellite pings to show us how far and how fast we’ve gone on web-based interfaces that are sharable, searchable, and any number of other good things ending in “able”. But the flip side is that you may not be the only person seeing the data. Two years ago Strava exposed military locations because of an opt-out policy for public data sharing of exercise trackers. Now Garmin says they don’t have any indications that data was stolen in the ransomware attack, but it’s not a stretch to think there was a potential there for such a data breach. It’s nice to see there are Open Source options for those who want access to exercise analytics and visualizations without being required to first hand over the data.

Marian Croak Is The MVP Of VoIP Adoption

If you’ve ever used FaceTime, Skype, own a Magic Jack, or have donated money after a disaster by sending a text message, then you have Marian Croak to thank. Her leadership and forward thinking changed how Ma Bell used its reach and made all of these things possible.

Marian Croak is a soft-spoken woman and a self-described non-talker, but her actions spoke loudly in support of Internet Protocol (IP) as the future of communication. Humans are always looking for the next best communication medium, the fastest path to understanding each other clearly. We are still making phone calls today, but voice has been joined by text and video as the next best thing to being there. All of it is riding on a versatile network strongly rooted in Marian’s work.


Linux-Fu: Automation For Chrome And The Desktop By Matching Screenshots

I will be the first to admit it. This is almost not — at least not specifically — a Linux article. The subject? An automation tool for Chrome or Firefox. But before you hit the back button, hear me out. Sure, this Chrome plugin started out as a tool to automatically test web pages and automate repetitive tasks in the browser. However, it can extend that power to all programs on your computer. So, in theory, you can use it to graphically build macros that can interact with desktop applications in surprisingly sophisticated ways. In theory, anyway; there are a few problems.

The program has a few different names. Most documentation says UI Vision RPA, although there are some references to Kantu, which appears to be an older name. RPA is an acronym for Robotic Process Automation, which is an industry buzzword.

Let’s take it for a spin and see what it’s all about.
