0:00:15.001,0:00:22.301 So now we come to our next talk, it's about the Amazon Dash button.
0:00:23.191,0:00:30.181 Who of you knows what the Amazon Dash button is? Okay... kind of everybody.
0:00:30.641,0:00:33.291 Who has an Amazon Dash button?
0:00:35.451,0:00:38.502 Who has used it to buy something?
0:00:40.082,0:00:45.983 Okay. [clapping and laughter]
0:00:46.703,0:00:50.413 So for everybody who has never seen an Amazon Dash button, you now get the chance.
0:00:50.664,0:00:50.914 I brought one.
0:00:52.424,0:00:53.203 It looks like this.
0:00:53.916,0:00:55.403 It's a small tiny thing.
0:00:56.372,0:01:00.445 You can click on it, you can order stuff, and you can order great stuff.
0:01:01.125,0:01:08.264 Like... things which make sense, like dog food, shampoo, stuff like that.
0:01:08.984,0:01:11.584 But also fun things... so things you need regularly...
0:01:12.306,0:01:17.476 But also fun things like Play-Doh, you know, it's the stuff for kids.
0:01:18.135,0:01:23.337 I have no idea who regularly needs to buy Play-Doh... where does it go?
Is it like your child ate it all up so you need a new one? Or...?
So this is something we perhaps won't learn in this talk: why we need this.
But we will learn how you can hack it to use it for a different purpose.
Some of you might say "Okay wait, I've already heard of something like that."
Yes, because when the first version was shipped out, such an analysis was already done.
But there is a new version and, like it often is with the Internet of Things stuff, they tried to make it more secure.
I mean, that's what the 'S' stands for in "IoT".
What we'll hear about is the hardware, the software, and also how the communication with the server looks.
And hanz will give us a talk about this.
He is somebody who has been hacking hardware for quite some time, so...
Let's give him a warm round of applause and let's learn. [clapping]

Thanks, nice to see you.
Let's have a closer look at the Amazon Dash button now.
The Dash button is basically a Wi-Fi connected button.
It's been around in the US since about 2014, I think.
And in Germany it's been available since August of this year.
There are two hardware revisions and in this talk I'll only cover revision 2, because that is the current revision.
I don't think you can still get the old revision.
The old revision is also quite hacked already.
This button can be used to order or reorder certain consumer goods like pet food or washing supplies and stuff.
It's only available for certain brands and products and you can not configure it freely.
It costs five Euros and you get a refund on your first button-triggered order.
There is also a customizable version available, at least in the US, for twenty dollars, and you still can't load your own code on this button, but you can use the Amazon Web Services to get the button presses.
So what is interesting about this thing?
Well, it has Wi-Fi and it must be some sort of a computer, so it's a sort of Internet of Shit device, though it might be more useful than certain other products.
One question of course is: How does it work? We just want to know.
Then: What about security? If we put this thing on our network, is this a security risk and can it be used for cyber, DDoS and so on?
Another important aspect for the hardware hackers is whether we can reprogram it for our custom Internet of Things project.
It's more powerful than the common ESP8266 and the price is comparable.
The next point of course is: If we can not run code on it, we don't really own it.
So we want to run our code on it.
There is some prior research that has already been done for the old button.
You can get the slides from the Fahrplan and I'll refer to these two links later during the talk. So this has been done already, you can read it up.
The easy way of repurposing the Dash button is to use the smartphone app and configure the Dash just normally, but you close the app once you get to choosing a product.
This then prevents the Dash from ordering anything.
The product selection is stored server-side while the Wi-Fi configuration is stored in the button.
The button still contacts the server and says "I want to order something", whatever is configured there.
The server says "Nope, there is nothing configured" and the button blinks red and that's it.
So you don't get stuff, and of course it does a lot of things to get online.
It connects to your Wi-Fi, it does a DHCP request, ARP request, DNS lookup and so on.
So you can monitor all these things to find out when the button is activated, and monitoring the DHCP logfile of course is the easiest way, I guess.
Who is doing this already?
Okay, a few, about three people.
We'll go a lot further than this in this talk.
First we'll have a look at the hardware, so what's in this Dash button, the communication protocol and the crypto. The firmware revision, this revision was still the most recent on the 25th when I checked it last, and we'll run some custom code on the button without desoldering anything.
I didn't analyze the Amazon smartphone apps because this is way too high-level for me.
Regarding the hardware...
The housing is heat-sealed plastic, so you can't open a screw, you have to somehow break it open or cut it open.
My first attempt was with a knife, cutting along the seal, but that didn't work so well. I removed some SMD components in this process, and my latest attempt was using a cutting wheel from the top, because I already knew where the stuff is where I wanna get. You can see the testpoints here.
And this is the microcontroller, so I simply cut it open; there's some space between the plastic package and the PCB.
The PCB has four layers and a lot of SMD 0201 parts, you can see those here.
This is all very tiny and you can see the pads of the microcontroller; here you can not because there is some black stuff poured over it.
I don't know why exactly they are doing this, but you can remove it carefully.
It can be softened a bit with acetone, that makes things easier.
The microcontroller is actually quite powerful, it's a Cortex-M4 with a floating point unit and it runs, or it can be clocked, at 120 MHz.
It has half a MB of flash and 160 kB of RAM.
The downside is the package of this chip.
So you can not easily solder additional stuff there and... the black stuff.
Then there is the Wi-Fi IC, this is this chip here, and it's 2.4 GHz and thus up to 72 Mbit/s, does WPA1/2 of course, and there is a built-in IP stack.
It works a bit like with sockets in Unix; this Wi-Fi chip basically handles all the IP stuff and you simply open a socket from the controller and then you can communicate using this socket.
It does have built-in SSL and TLS support and plenty of stuff.
Of course there needs to be a voltage regulator because there is a single AAA battery with 1.5V or less in the button, and this needs to be boosted to 3.3V, so this is done with a regulator. This is actually a quite powerful regulator; they could have used a cheaper one.
Anyway. There is also Bluetooth Low Energy, you can see this here, this is a BLE IC.
I'm not sure if they are using this already, they might do with the iOS app, but I haven't analyzed this.
There is a 4 MB SPI flash and a microphone.
This is here. You can see the package removed, this happened accidentally.
Then there is an LED, it can not be seen here, but it's 3 LEDs actually: red, green and blue.
The thing is clocked from a 32 kHz oscillator, this is this thing here, and it generates a higher clock frequency internally using a PLL.
There are also some discrete semiconductors here; they use them for the powering stuff.
If we put it all together it looks more or less like this.
This is a bit simpler than reality, but we have the Bluetooth connected to a UART, the Wi-Fi is connected to the SPI bus and the SPI flash is also connected to another SPI bus.
The interesting thing here is that there is an additional UART that is used for debugging.
The voltage regulator gets started by the button press, and one interesting thing is there is no other wake-up source, no real-time clock or something like that; that means the button can never wake up on its own terms.
You always have to press the button, and once it goes back to sleep it can't wake up again without the button being pressed.
Power-Enable is held with an external latch, so the microcontroller simply clears this latch and goes to shutdown.
The microcontroller can also measure the battery voltage using the ADC, and there is an enable signal to connect or disconnect the battery from the ADC.
This value is also sent to the server, so Amazon knows when your battery is going empty.
Regarding the power consumption...
mpetroff already did a lot of measurements regarding this and you can see that Wi-Fi is drawing a lot of power, 400 mW. Without Wi-Fi it's down to 80 mW, and with some power-saving you should be able to go down to about 50 mW.
The built-in battery is about half a Wh, so that's about 75 minutes with Wi-Fi enabled, and about 10 hours with some very good power-saving.
Basically you could make an acoustic bug with this and listen to the microphone for some time and then transmit it via Wi-Fi, but it's still limited with this battery power.
The debugging interface is also there, you already saw those test-points earlier.
The old Dash button had single-wire debugging enabled and a serial console with debugging commands; you could simply dump memory using the serial console.
The new button has test-pads for SWD and a serial console, but SWD is disabled and the serial console is stripped down to a few boring commands.
We'll come to these later.
Here you can see the debugging interfaces from the bottom side, you can mount a connector here. Which connector, you can find on the petroff website; all of these IOs are 3.3V, the pinout is basically compatible to the old button.
Here are some UART commands, you can see there are three different modes.
There is a test mode menu, this has a lot more commands; they probably use this in the factory to do some calibration and testing.
This is the user mode menu. You have this if you open the button and connect the serial port. There's just some firmware revision you can query and you can measure the battery voltage. "immortal" prevents the automatic shutdown, it then stays on until you issue a shutdown or you switch to "mortal" again.
The developer mode menu has some more interesting commands.
There is still no memory access, but you can enter certain modes, configure mode, access point mode, scan for Wi-Fi, and so on.
Let's have a look at the communication protocols and the crypto stuff.
The communication works like this: you have the SAMG55, this is the microcontroller, then you have the Wi-Fi chip, this is the ATWINC, and this chip handles all the TLS stuff, so those two communicate in plain-text using SPI, and then the Dash button uses HTTPS when connecting to the Amazon server.
So you can see plain-text data here, and it's clocked at 40 MHz so this is rather fast.
One of the first things I did was I wanted to analyze the communication that was there, because I didn't actually know if they are using TLS inside the Wi-Fi NIC or if they are doing the TLS in the microcontroller.
They did it in the microcontroller in the last hardware revision, and so I put an FPGA between those two things and logged all the data that came by.
I did cut the bus so I could do man-in-the-middle as well, and I did this before I had the full Dash firmware; with the knowledge now, this wouldn't really have been necessary.
It looked like this, you can see I removed the microcontroller here and added plenty of wires; these then go to some sort of base-board where I can plug in a break-out-board for the microcontroller.
The microcontroller is actually here on this board, there are some LEDs for... yeah, they are the RGB LEDs. Here I have the serial console, here I have SWD, here is the reset button, and here is the actual Dash button.
This here is the 3.3V supply and you can see a lot of jumpers here, these are all the connections to Bluetooth and Wi-Fi, so I can simply remove the jumper and do man-in-the-middle there.
This is the thing with the FPGA board plugged in.
That's how I analyzed this communication, which I'm now going to present.