1
00:00:15,001 --> 00:00:22,301
So now we come to our next talk, it's about the Amazon Dash button.

2
00:00:23,191 --> 00:00:30,181
Who of you knows what the Amazon Dash button is? Okay... kind of everybody.

3
00:00:30,641 --> 00:00:33,291
Who has an Amazon Dash button?

4
00:00:35,451 --> 00:00:38,502
Who has used it to buy something?

5
00:00:40,082 --> 00:00:45,983
Okay. [clapping and laughter]

6
00:00:46,703 --> 00:00:50,413
So for everybody who has never seen an Amazon Dash button, you now get the chance.

7
00:00:50,664 --> 00:00:50,914
I brought one.

8
00:00:52,424 --> 00:00:53,203
It looks like this.

9
00:00:53,916 --> 00:00:55,403
It's a small tiny thing.

10
00:00:56,372 --> 00:01:00,445
You can click on it, you can order stuff, and you can order great stuff.

11
00:01:01,125 --> 00:01:08,264
Like... things which make sense, like dog food, shampoo, stuff like that.

12
00:01:08,984 --> 00:01:11,584
But also fun things... so things you need regularly...

13
00:01:12,306 --> 00:01:17,476
But also fun things like Play-Doh, you know, it's the stuff for kids.

14
00:01:18,135 --> 00:01:23,337
I have no idea who regularly needs to buy Play-Doh... where does it go?

15
99:59:59,999 --> 99:59:59,999
Is it like your child eats it all up so you need a new one? Or...?

16
99:59:59,999 --> 99:59:59,999
So this is something we perhaps won't learn in this talk, so why we need this.

17
99:59:59,999 --> 99:59:59,999
But we will learn how you can hack it to use it for a different purpose.

18
99:59:59,999 --> 99:59:59,999
Some of you might say "Okay wait, I've already heard of something like that"

19
99:59:59,999 --> 99:59:59,999
Yes, because when the first version was shipped out, such an analysis was already done

20
99:59:59,999 --> 99:59:59,999
But there is a new version and, like it often is with the Internet of Things

21
99:59:59,999 --> 99:59:59,999
stuff, they tried to make it more secure.

22
99:59:59,999 --> 99:59:59,999
I mean that's what the 'S' stands for in "IoT".
23
99:59:59,999 --> 99:59:59,999
What we'll hear about is the hardware, the software

24
99:59:59,999 --> 99:59:59,999
and also what the communication with the server looks like.

25
99:59:59,999 --> 99:59:59,999
And hanz will give us a talk about this.

26
99:59:59,999 --> 99:59:59,999
He is somebody who has been hacking hardware for quite some time, so...

27
99:59:59,999 --> 99:59:59,999
Let's give him a warm round of applause and let's learn. [clapping]

28
99:59:59,999 --> 99:59:59,999
Thanks, nice to see you.

29
99:59:59,999 --> 99:59:59,999
Let's have a closer look at the Amazon Dash button now.

30
99:59:59,999 --> 99:59:59,999
The Dash button is basically a Wi-Fi connected button.

31
99:59:59,999 --> 99:59:59,999
It's been around in the US since about 2014, I think.

32
99:59:59,999 --> 99:59:59,999
And in Germany it's available since August of this year.

33
99:59:59,999 --> 99:59:59,999
There are two hardware revisions and in this talk I'll only cover revision 2

34
99:59:59,999 --> 99:59:59,999
because that is the current revision.

35
99:59:59,999 --> 99:59:59,999
I don't think you can still get the old revision.

36
99:59:59,999 --> 99:59:59,999
The old revision is also quite hacked already.

37
99:59:59,999 --> 99:59:59,999
This button can be used to order or reorder certain consumer goods

38
99:59:59,999 --> 99:59:59,999
like pet food or washing supplies and stuff.

39
99:59:59,999 --> 99:59:59,999
It's only available for certain brands and products and you cannot configure

40
99:59:59,999 --> 99:59:59,999
it freely.

41
99:59:59,999 --> 99:59:59,999
It costs five Euros and you get a refund on your first button-triggered order.

42
99:59:59,999 --> 99:59:59,999
There is also a customizable version available, at least in the US,

43
99:59:59,999 --> 99:59:59,999
for twenty dollars and you still can't load your own code on this button

44
99:59:59,999 --> 99:59:59,999
but you can use the Amazon Web Services to get the button presses.
45
99:59:59,999 --> 99:59:59,999
So what is interesting about this thing?

46
99:59:59,999 --> 99:59:59,999
Well, it has Wi-Fi and it must be some sort of a computer

47
99:59:59,999 --> 99:59:59,999
so it's a sort of Internet of Shit device, though it might be more useful

48
99:59:59,999 --> 99:59:59,999
than certain other products.

49
99:59:59,999 --> 99:59:59,999
One question of course is: How does it work? We just want to know.

50
99:59:59,999 --> 99:59:59,999
Then: What about security? If we put this thing on our network, is this a security risk

51
99:59:59,999 --> 99:59:59,999
and can it be used for cyber, DDoS and so on?

52
99:59:59,999 --> 99:59:59,999
Another important aspect for the hardware hackers is whether we can reprogram it

53
99:59:59,999 --> 99:59:59,999
for our custom Internet of Things project.

54
99:59:59,999 --> 99:59:59,999
It's more powerful than the common ESP8266 and the price is comparable.

55
99:59:59,999 --> 99:59:59,999
The next point of course is: If we cannot run code on it we don't really own it.

56
99:59:59,999 --> 99:59:59,999
So we want to run our code on it.

57
99:59:59,999 --> 99:59:59,999
There is some prior research that has already been done for the old button.

58
99:59:59,999 --> 99:59:59,999
You can get the slides from the Fahrplan and I'll refer to these two links later

59
99:59:59,999 --> 99:59:59,999
during the talk. So this has been done already, you can read up on it.
60
99:59:59,999 --> 99:59:59,999
The easy way of repurposing the Dash button is to use the smartphone app

61
99:59:59,999 --> 99:59:59,999
and configure the Dash just normally, but you close the app

62
99:59:59,999 --> 99:59:59,999
once you get to choosing a product.

63
99:59:59,999 --> 99:59:59,999
This then prevents the Dash from ordering anything.

64
99:59:59,999 --> 99:59:59,999
The product selection is stored server-side while the Wi-Fi configuration is stored in the button.

65
99:59:59,999 --> 99:59:59,999
The button still contacts the server and says "I want to order something",

66
99:59:59,999 --> 99:59:59,999
whatever is configured there.

67
99:59:59,999 --> 99:59:59,999
The server says "Nope, there is nothing configured"

68
99:59:59,999 --> 99:59:59,999
and the button blinks red and that's it.

69
99:59:59,999 --> 99:59:59,999
So you don't get stuff and of course it does a lot of things to get online.

70
99:59:59,999 --> 99:59:59,999
It connects to your Wi-Fi, it does a DHCP request, ARP request, DNS lookup

71
99:59:59,999 --> 99:59:59,999
and so on.

72
99:59:59,999 --> 99:59:59,999
So you can monitor all these things to find out when the button is activated

73
99:59:59,999 --> 99:59:59,999
and monitoring the DHCP logfile of course is the easiest way, I guess.

74
99:59:59,999 --> 99:59:59,999
Who is doing this already?

75
99:59:59,999 --> 99:59:59,999
Okay, a few, about three people.

76
99:59:59,999 --> 99:59:59,999
We'll go a lot further than this in this talk.

77
99:59:59,999 --> 99:59:59,999
First we'll have a look at the hardware, so what's in this Dash button,

78
99:59:59,999 --> 99:59:59,999
the communication protocol and the crypto. The firmware revision: this revision was

79
99:59:59,999 --> 99:59:59,999
still the most recent on the 25th, when I checked it last,

80
99:59:59,999 --> 99:59:59,999
and we'll run some custom code on the button without desoldering anything.
81
99:59:59,999 --> 99:59:59,999
I didn't analyze the Amazon smartphone apps because this is way too high-level for me.

82
99:59:59,999 --> 99:59:59,999
Regarding the hardware...

83
99:59:59,999 --> 99:59:59,999
The housing is heat-sealed plastic, so you can't open a screw, you have to somehow

84
99:59:59,999 --> 99:59:59,999
break it open or cut it open.

85
99:59:59,999 --> 99:59:59,999
My first attempt was with a knife, cutting along the seal,

86
99:59:59,999 --> 99:59:59,999
but that didn't work so well. I removed some SMD components in this process and

87
99:59:59,999 --> 99:59:59,999
my latest attempt was using a cutting wheel from the top, because I already knew where

88
99:59:59,999 --> 99:59:59,999
the stuff is, where I wanna get. You can see the testpoints here.

89
99:59:59,999 --> 99:59:59,999
And this is the microcontroller, so I simply cut it open; there's some space between

90
99:59:59,999 --> 99:59:59,999
the plastic package and the PCB.

91
99:59:59,999 --> 99:59:59,999
The PCB has four layers and a lot of SMD 0201 parts, you can see those here.

92
99:59:59,999 --> 99:59:59,999
This is all very tiny and you can see the pads of the microcontroller;

93
99:59:59,999 --> 99:59:59,999
here you cannot because there is some black stuff poured over it.

94
99:59:59,999 --> 99:59:59,999
I don't know why exactly they are doing this but you can remove it carefully.

95
99:59:59,999 --> 99:59:59,999
It can be softened a bit with acetone, that makes things easier.

96
99:59:59,999 --> 99:59:59,999
The microcontroller is actually quite powerful, it's a Cortex-M4 with a

97
99:59:59,999 --> 99:59:59,999
floating point unit and it runs, or it can be clocked, at 120 MHz.

98
99:59:59,999 --> 99:59:59,999
It has half a MB of flash and 160 kB of RAM.

99
99:59:59,999 --> 99:59:59,999
The downside is the package of this chip.

100
99:59:59,999 --> 99:59:59,999
So you cannot easily solder additional stuff there and... the black stuff.
101
99:59:59,999 --> 99:59:59,999
Then there is the Wi-Fi IC, this is this chip here, and it's 2.4 GHz and thus

102
99:59:59,999 --> 99:59:59,999
up to 72 Mbit/s, does WPA1/2 of course, and there is a built-in IP stack.

103
99:59:59,999 --> 99:59:59,999
It works a bit like with sockets in Unix, this Wi-Fi chip basically handles all the IP stuff

104
99:59:59,999 --> 99:59:59,999
and you simply open a socket from the controller and then you can communicate using this socket.

105
99:59:59,999 --> 99:59:59,999
It does have built-in SSL and TLS support and plenty of stuff.

106
99:59:59,999 --> 99:59:59,999
Of course there needs to be a voltage regulator because there is a single AAA battery

107
99:59:59,999 --> 99:59:59,999
with 1.5V or less in the button and this needs to be boosted to 3.3V, so this is done

108
99:59:59,999 --> 99:59:59,999
with a regulator. This is actually a quite powerful regulator,

109
99:59:59,999 --> 99:59:59,999
they could have used a cheaper one.

110
99:59:59,999 --> 99:59:59,999
Anyway. There is also Bluetooth Low Energy, you can see this here, this is a BLE IC.

111
99:59:59,999 --> 99:59:59,999
I'm not sure if they are using this already, they might do with the iOS app,

112
99:59:59,999 --> 99:59:59,999
but I haven't analyzed this.

113
99:59:59,999 --> 99:59:59,999
There is a 4 MB SPI flash and a microphone.

114
99:59:59,999 --> 99:59:59,999
This is here. You can see the package removed, this happened accidentally.

115
99:59:59,999 --> 99:59:59,999
Then there is an LED, it cannot be seen here but it's 3 LEDs actually:

116
99:59:59,999 --> 99:59:59,999
red, green and blue.

117
99:59:59,999 --> 99:59:59,999
The thing is clocked from a 32 kHz oscillator, this is this thing here,

118
99:59:59,999 --> 99:59:59,999
and it generates a higher clock frequency internally using a PLL.

119
99:59:59,999 --> 99:59:59,999
There are also some discrete semiconductors here,

120
99:59:59,999 --> 99:59:59,999
they use them for the powering stuff.
121
99:59:59,999 --> 99:59:59,999
If we put it all together it looks more or less like this.

122
99:59:59,999 --> 99:59:59,999
This is a bit simpler than reality, but we have the Bluetooth connected to

123
99:59:59,999 --> 99:59:59,999
a UART, the Wi-Fi is connected to the SPI bus and the SPI flash is also connected to

124
99:59:59,999 --> 99:59:59,999
another SPI bus.

125
99:59:59,999 --> 99:59:59,999
The interesting thing here is that there is an additional UART

126
99:59:59,999 --> 99:59:59,999
that is used for debugging.

127
99:59:59,999 --> 99:59:59,999
The voltage regulator gets started by the button press and one interesting thing is

128
99:59:59,999 --> 99:59:59,999
there is no other wake-up source, no real-time clock or something like that,

129
99:59:59,999 --> 99:59:59,999
that means the button can never wake up on its own terms.

130
99:59:59,999 --> 99:59:59,999
You always have to press the button, and once it goes back to sleep it can't wake

131
99:59:59,999 --> 99:59:59,999
up again without the button being pressed.

132
99:59:59,999 --> 99:59:59,999
Power-Enable is held with an external latch, so the microcontroller simply

133
99:59:59,999 --> 99:59:59,999
clears this latch and goes to shutdown.

134
99:59:59,999 --> 99:59:59,999
The microcontroller can also measure the battery voltage using the ADC and there

135
99:59:59,999 --> 99:59:59,999
is an enable signal to connect or disconnect the battery from the ADC.

136
99:59:59,999 --> 99:59:59,999
This value is also sent to the server, so Amazon knows when your battery

137
99:59:59,999 --> 99:59:59,999
is going empty.

138
99:59:59,999 --> 99:59:59,999
Regarding the power consumption...

139
99:59:59,999 --> 99:59:59,999
mpetroff already did a lot of measurements regarding this and you can see that

140
99:59:59,999 --> 99:59:59,999
Wi-Fi is drawing a lot of power, 400 mW. Without Wi-Fi it's down to 80 mW and

141
99:59:59,999 --> 99:59:59,999
with some power-saving you should be able to go down to about 50 mW.

142
99:59:59,999 --> 99:59:59,999
The built-in battery is about half a Wh, so that's about 75 minutes with Wi-Fi

143
99:59:59,999 --> 99:59:59,999
enabled, and about 10 hours with some very good power-saving.

144
99:59:59,999 --> 99:59:59,999
Basically you could make an acoustic bug with this and listen to the microphone for

145
99:59:59,999 --> 99:59:59,999
some time and then transmit it via Wi-Fi, but it's still limited with this

146
99:59:59,999 --> 99:59:59,999
battery power.

147
99:59:59,999 --> 99:59:59,999
The debugging interface is also there, you already saw those test-points earlier.

148
99:59:59,999 --> 99:59:59,999
The old Dash button had single-wire debugging enabled and a serial console

149
99:59:59,999 --> 99:59:59,999
with debugging commands, you could simply dump memory using the serial console.

150
99:59:59,999 --> 99:59:59,999
The new button has test-pads for SWD and a serial console, but SWD is disabled and

151
99:59:59,999 --> 99:59:59,999
the serial console is stripped down to a few boring commands.

152
99:59:59,999 --> 99:59:59,999
We'll come to these later.

153
99:59:59,999 --> 99:59:59,999
Here you can see the debugging interfaces from the bottom side, you can mount a

154
99:59:59,999 --> 99:59:59,999
connector here. Which connector you can find on the petroff website, all of these

155
99:59:59,999 --> 99:59:59,999
IOs are 3.3V, the pinout is basically compatible to the old button.

156
99:59:59,999 --> 99:59:59,999
Here are some UART commands, you can see there are three different modes.

157
99:59:59,999 --> 99:59:59,999
There is a test mode menu, this has a lot more commands, they probably use this

158
99:59:59,999 --> 99:59:59,999
in the factory to do some calibration and testing.

159
99:59:59,999 --> 99:59:59,999
This is the user mode menu you have if you open the button and connect the serial

160
99:59:59,999 --> 99:59:59,999
port. There's just some firmware revision you can query and you can measure the

161
99:59:59,999 --> 99:59:59,999
battery voltage. "immortal" prevents the automatic shutdown, it then stays on

162
99:59:59,999 --> 99:59:59,999
until you issue a shutdown or you switch to "mortal" again.

163
99:59:59,999 --> 99:59:59,999
The developer mode menu has some more interesting commands.

164
99:59:59,999 --> 99:59:59,999
There is still no memory access, but you can enter certain modes, configure mode,

165
99:59:59,999 --> 99:59:59,999
access point mode, scan for Wi-Fi, and so on.

166
99:59:59,999 --> 99:59:59,999
Let's have a look at the communication protocols and the crypto stuff.

167
99:59:59,999 --> 99:59:59,999
The communication works like this: you have the SAMG55, this is the

168
99:59:59,999 --> 99:59:59,999
microcontroller, then you have the Wi-Fi chip, this is this ATWINC, and this chip

169
99:59:59,999 --> 99:59:59,999
handles all the TLS stuff, so those two communicate in plain-text using SPI

170
99:59:59,999 --> 99:59:59,999
and then the Dash button uses HTTPS when connecting to the Amazon server.

171
99:59:59,999 --> 99:59:59,999
So you can see plain-text data here and

172
99:59:59,999 --> 99:59:59,999
it's clocked at 40 MHz, so this is rather fast.

173
99:59:59,999 --> 99:59:59,999
One of the first things I did was I wanted to analyze the communication

174
99:59:59,999 --> 99:59:59,999
that was there because I didn't actually know if they are using TLS inside the

175
99:59:59,999 --> 99:59:59,999
Wi-Fi NIC or if they are doing the TLS in the microcontroller.

176
99:59:59,999 --> 99:59:59,999
They did it in the microcontroller in the last hardware revision, and so I put an

177
99:59:59,999 --> 99:59:59,999
FPGA between those two things and logged all the data that came by.
178
99:59:59,999 --> 99:59:59,999
I did cut the bus so I could do man-in-the-middle as well, and I did this before

179
99:59:59,999 --> 99:59:59,999
I had the full Dash firmware; with the knowledge now this wouldn't really have

180
99:59:59,999 --> 99:59:59,999
been necessary.

181
99:59:59,999 --> 99:59:59,999
It looked like this, you can see I removed the microcontroller here and added plenty

182
99:59:59,999 --> 99:59:59,999
of wires, these then go to some sort of base-board where I can plug in a break-out

183
99:59:59,999 --> 99:59:59,999
board for the microcontroller.

184
99:59:59,999 --> 99:59:59,999
The microcontroller is actually here on this board, there are some LEDs for...

185
99:59:59,999 --> 99:59:59,999
yeah, they are the RGB LEDs. Here I have the serial console, here I have SWD,

186
99:59:59,999 --> 99:59:59,999
here is the reset button, and here is the actual Dash button.

187
99:59:59,999 --> 99:59:59,999
This here is the 3.3V supply and you can see a lot of jumpers here, these are all the

188
99:59:59,999 --> 99:59:59,999
connections to Bluetooth and Wi-Fi, so I can simply remove the jumper and

189
99:59:59,999 --> 99:59:59,999
do man-in-the-middle there.

190
99:59:59,999 --> 99:59:59,999
This is the thing with the FPGA board plugged in.

191
99:59:59,999 --> 99:59:59,999
That's how I analyzed this communication, which I'm now going to present.