Well, I saw this some time ago and I just couldn’t resist it.
When I first saw the Amazon Dash buttons, I thought… wow… how useless… a single-purpose WiFi-enabled IoT device whose only reason for its existence is to help you spend money on Amazon. Even worse, the buttons are technically tied to certain product lines. (i.e. the Bounty button is for Bounty products only… BTW, I am NOT pushing any particular product here). However, I'd prefer, myself, that the buttons were more generic and you could set a button up to order anything from Amazon Fresh or Amazon Groceries… their loss in my opinion. For example, there is no button, currently, for anything I like to drink… although the Mac and Cheese button is sorely tempting me… had the buttons been more generic, I'd simply set one up to order a case of Lori's Lemon iced Tea from Honest Tea and cheerfully chug it while programming. But … no…
Ok, after I got over the laughter it induced when first seeing the buttons, I realized… actually it's a bit intriguing nonetheless… I was completely curious about how it worked, particularly for $5.00. Adafruit.com curated some teardowns of the button hardware and rehashed some already existing blog posts about repurposing the buttons. There are two approaches:
- Reprogram the hardware (definitely not easy)
- Cheat, and do not complete the button’s initial setup and monitor your network for ARP broadcasts (the easier way).
As a security guy by trade, I *really* don’t like the second option. It is an example of why IoT is so dangerous. However, for yucks (and time constraints), I went for the second option. The funny part is, while Ted Benson is in the process of teaching you how to hack the button, he is also showing you how to hack… the hack… the observant techie will see this.
So first… the victim…
I would never be caught dead ordering a case of water from anyone personally unless it was for some kind of emergency, so I figured buying the SmartWater Dash button would help me resist the urge to use the Dash button for Amazon's intended purpose. (And yes, I have one for ordering pet food and have considered one or two others; i.e. the Mac & Cheese one).
So, as per Ted Benson's instructions, I proceeded to go to the Amazon Shopping App on my Android tablet and configure the button for use on my WiFi network. The last step in the configuration is to select the item from the button's "product" line you wish it to purchase when you press the button. At this point, I just closed the app.
Next, a little Python magic on a Raspberry Pi-like computer (actually it's called a Wandboard Quad, and I use it for development work) using the Scapy library. All the code examples and details are in the Ted Benson blog post and I won't rehash them here. However, there are a few gotchas in the post…
- The demo Python code is missing "#!/usr/local/bin/python" on both examples, so either you add it or execute the scripts like this: "python dash-listen.py".
- You must install Scapy… and… everything it relies on. The simplest way to do this, on any Linux distro with a decent package manager (apt, yum, etc.), is to use that package manager; for example, on Debian-derived Linux distros, "apt-get -y install scapy" will do the trick. This will bring down Scapy and all its dependencies. If you install Scapy any other way… don't ask me for help, you are on your own.
Anyhow, following Ted's instructions, I obtained the button's MAC address. Then I altered the Python script to suck up the MAC address from a config file (which will be capable of holding an arbitrary number of such addresses for the future) so they can be recognized; i.e. the file contains the button type, MAC address and script to be executed when the button is pushed. As mentioned, I already have one button deployed Amazon's way to keep my cats neck-deep in tasty cat food (see picture below of the little beasties) and to keep my lazy lower posterior from having to leave the house to get it. However, it also stands to reason that I can see this ARP'ed MAC address for this button too and launch a script if need be, like emailing both my wife and myself to be on the lookout for the impending delivery and adding a calendar entry on Gmail for the probable delivery date.
Now, I have all the workings I need to get the button to do something… first let's demonstrate that it works…
As you can see from the video, once the button is pressed, its ARP broadcast can be detected with a great deal of ease. Interestingly enough, you may have noticed the video is much longer than it needs to be. In this particular test the button failed to do something. Usually, the button flashes the white LED, then flashes red (ostensibly to indicate it failed to order anything). For some reason this time it did not do that. Not sure why; I suppose if a case of SmartWater shows up, then I'll know. 🙂 You may have also noticed that I did not display the complete MAC address of the button… read on to discover why….
I have not yet figured out what I will use the button for, although I have some ideas. Clearly though, I have to use it for something that is not critical or terribly bothersome should, uh, ahem… something go wrong… read on for details. This was more of a "I wonder if I can do this" kind of thing. Actually, I think reprogramming the button would be better. Primarily because, technically, this button can still work as Amazon intends it to. I just have to select something for it to order. Also, I have not yet figured out how to reset the button to work on some other WiFi network. It seems once it's configured, it's locked into your WiFi network. Bummer…
…And, for the security minded, you may have noticed… or thought… well… if you can use Scapy to see the ARP broadcast… then can't you just make Scapy forge an ARP packet with the same MAC address? Why yes… you certainly can! This would essentially simulate a button push.
I can just picture a scene straight out of the Simpsons, with Nelson Muntz mercilessly running a Scapy script while shouting, “stop pushing yourself, stop pushing yourself”. (for the Simpsons deprived…).
So… for example, say I rigged this thing up through IFTTT (If This Then That, ifttt.com) to control my household Wemo switch which drives a living room lamp. Then some idiot can simply instruct the Python code to turn the lamp on and off all day long just for giggles by repeatedly issuing forged ARP broadcasts. This is why I did not display the last 3 octets of the MAC address… I'd just be giving you the keys to the Python script by showing you that.
Bonus points for anyone who can tell me why showing the 1st 3 octets wasn’t so smart either!!!
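As an added example (not code from Ted Benson's post, nor the script described in this one), here is how the MAC-to-script config file mentioned earlier and a cooldown against the forged-ARP "button pressing" just described might look in plain Python. The config format, the locally administered MACs and the script paths are all made up for illustration, and it parses raw ARP frames itself so it runs without Scapy.

```python
import struct
BUTTON_CONFIG = """\
# constructed sample config (made-up MACs) in the type, MAC, script shape the post describes
smartwater, 02:00:00:aa:bb:cc, /home/pi/bin/lamp_toggle.sh
catfood,    02:00:00:dd:ee:ff, /home/pi/bin/notify_delivery.sh
"""
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
BROADCAST = b"\xff" * 6

def parse_config(text):
    """Map lowercase MAC -> (button type, script path); '#' starts a comment."""
    buttons = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            kind, mac, script = (f.strip() for f in line.split(",", 2))
            buttons[mac.lower()] = (kind, script)
    return buttons

def parse_arp_probe(frame):
    """Return the sender MAC of a broadcast ARP request (what the button sends), else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if dst != BROADCAST or ethertype != 0x0806:
        return None
    _ht, _pt, _hl, _pl, op, sha, _spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return ":".join("%02x" % b for b in sha) if op == 1 else None

class ButtonWatcher:
    """Runs a known button's script, ignoring repeats inside a cooldown (stuck or forged-ARP presses)."""
    def __init__(self, buttons, cooldown=30.0):
        self.buttons, self.cooldown, self.last_seen = buttons, cooldown, {}
    def handle(self, frame, now):
        mac = parse_arp_probe(frame)
        if mac is None or mac not in self.buttons:
            return None
        if mac in self.last_seen and now - self.last_seen[mac] < self.cooldown:
            return None  # too soon since the last press from this MAC: drop it
        self.last_seen[mac] = now
        return self.buttons[mac][1]  # script path the caller should run

def sample_probe_frame(sender_mac):
    """Constructed ARP probe (sender IP 0.0.0.0) for offline testing; nothing is sent."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    eth = ETH_HDR.pack(BROADCAST, sha, 0x0806)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, 1, sha, b"\0" * 4, b"\0" * 6, b"\0" * 4)
    return eth + arp
```

With Scapy, the same handler would be driven by sniff(filter="arp", store=0, prn=...), passing bytes(pkt) and time.time() to handle() and running whatever script path comes back.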
If you reprogram the button instead of using this ARP method, which is a rather brain-dead hack, you can add some security to it; for example, actually have the Dash button reach out to IFTTT itself over HTTPS instead of using a go-between Python script. But reprogramming the button requires much more sophistication in dealing with electronics and a boatload of TIME which I do not currently have.
Anyhow, something to consider.
Any suggestions for what to use the button for?
I suspect my next attempt at this will literally be to build a similar device using an ESP8266 WiFi module ($2.50) running NodeMCU and an Atmel ATtiny85 microcontroller ($0.95) with a quartet of cheap push buttons and a 3.3v coin cell. Altogether, the cost should be on par with the Dash button, but the ESP8266 and ATtiny85 are *much* easier to program, which opens the possibility of greater security features, significantly better configuration (i.e. use in multiple WiFi networks) and possibly greater non-security features too. It will simply be much more flexible.