WEBVTT

00:00:15.001 --> 00:00:22.301
So now we come to our next talk, it's about the Amazon Dash button.

00:00:23.191 --> 00:00:30.181
Who of you knows what the Amazon Dash button is? Okay... kind of everybody.

00:00:30.641 --> 00:00:33.291
Who has an Amazon Dash button?

00:00:35.451 --> 00:00:38.502
Who has used it to buy something?

00:00:40.082 --> 00:00:45.983
Okay. [clapping and laughter]

00:00:46.703 --> 00:00:50.413
So for everybody who has never seen an Amazon Dash button, you now get the chance.

00:00:50.664 --> 00:00:50.914
I brought one.

00:00:52.424 --> 00:00:53.203
It looks like this.

00:00:53.916 --> 00:00:55.403
It's a small tiny thing.

00:00:56.372 --> 00:01:00.445
You can click on it, you can order stuff, and you can order great stuff.

00:01:01.125 --> 00:01:08.264
Like... things which make sense, like dog food, shampoo, stuff like that.

00:01:08.984 --> 00:01:11.584
But also fun things... so things you need regularly...

00:01:12.306 --> 00:01:17.476
But also fun things like Play-Doh, you know, it's the stuff for kids.

00:01:18.135 --> 00:01:23.337
I have no idea who regularly needs to buy Play-Doh... where does it go?

Is it like your child eats it all up so you need a new one? Or...?
So this is something we perhaps won't learn in this talk: why we need this.
But we will learn how you can hack it to use it for a different purpose.
Some of you might say "Okay wait, I've already heard of something like that".
Yes, because for the first version that was shipped out, such an analysis was already done.
But there is a new version, and as it often is with the Internet of Things stuff, they tried to make it more secure.
I mean, that's what the 'S' stands for in "IoT".
What we'll hear about is the hardware, the software, and also what the communication with the server looks like.
And hanz will give us a talk about this.
He is somebody who has been hacking hardware for quite some time, so...
Let's give him a warm round of applause and let's learn. [clapping]
Thanks, nice to see you.
Let's have a closer look at the Amazon Dash button now.
The Dash button is basically a Wi-Fi connected button.
It's been around in the US since about 2014, I think. And in Germany it has been available since August of this year.
There are two hardware revisions and in this talk I'll only cover revision 2, because that is the current revision.
I don't think you can still get the old revision. The old revision is also quite hacked already.
This button can be used to order or reorder certain consumer goods like pet food or washing supplies and stuff.
It's only available for certain brands and products and you cannot configure it freely.
It costs five Euros and you get a refund on your first button-triggered order.
There is also a customizable version available, at least in the US, for twenty dollars, and you still can't load your own code on this button, but you can use the Amazon Web Services to get the button presses.
So what is interesting about this thing?
Well, it has Wi-Fi and it must be some sort of a computer, so it's a sort of Internet of Shit device, though it might be more useful than certain other products.
One question of course is: How does it work? We just want to know.
Then: What about security? If we put this thing on our network, is this a security risk and can it be used for cyber, DDoS and so on?
Another important aspect for the hardware hackers is whether we can reprogram it for our custom Internet of Things project.
It's more powerful than the common ESP8266 and the price is comparable.
The next point of course is: If we cannot run code on it, we don't really own it. So we want to run our code on it.
There is some prior research that has already been done for the old button. You can get the slides from the Fahrplan and I'll refer to these two links later during the talk. So this has been done already, you can read it up.
The easy way of repurposing the Dash button is to use the smartphone app and configure the Dash just normally, but you close the app once you get to choosing a product. This then prevents the Dash from ordering anything.
The product selection is stored server-side, while the Wi-Fi configuration is stored in the button.
The button still contacts the server and says "I want to order something", whatever is configured there.
The server says "Nope, there is nothing configured", and the button blinks red and that's it.
So you don't get stuff, and of course it does a lot of things to get online. It connects to your Wi-Fi, it does a DHCP request, ARP request, DNS lookup and so on.
So you can monitor all these things to find out when the button is activated, and monitoring the DHCP logfile of course is the easiest way, I guess.
Who is doing this already? Okay, a few, about three people.
We'll go a lot further than this in this talk.
First we'll have a look at the hardware, so what's in this Dash button, the communication protocol and the crypto. The firmware revision, this revision was still the most recent on the 25th when I checked it last, and we'll run some custom code on the button without desoldering anything.
I didn't analyze the Amazon smartphone apps because this is way too high-level for me.
Regarding the hardware...
The housing is heat-sealed plastic, so you can't open a screw, you have to somehow break it open or cut it open.
My first attempt was with a knife, cutting along the seal, but that didn't work so well. I removed some SMD components in this process, and my latest attempt was using a cutting wheel from the top, because I already knew where the stuff is, where I wanna get. You can see the test points here.
And this is the microcontroller, so I simply cut it open; there's some space between the plastic package and the PCB.
The PCB has four layers and a lot of SMD 0201 parts, you can see those here.
This is all very tiny and you can see the pads of the microcontroller; here you cannot, because there is some black stuff poured over it.
I don't know why exactly they are doing this, but you can remove it carefully. It can be softened a bit with acetone, that makes things easier.
The microcontroller is actually quite powerful, it's a Cortex-M4 with a floating point unit and it runs, or it can be clocked, at 120 MHz.
It has half a MB of flash and 160 kB of RAM.
The downside is the package of this chip. So you cannot easily solder additional stuff there and... the black stuff.
Then there is the Wi-Fi IC, this is this chip here, and it's 2.4 GHz and thus up to 72 Mbit/s, does WPA1/2 of course, and there is a built-in IP stack.
It works a bit like with sockets in Unix, this Wi-Fi chip basically handles all the IP stuff and you simply open a socket from the controller and then you can communicate using this socket.
It does have built-in SSL and TLS support and plenty of stuff.
Of course there needs to be a voltage regulator, because there is a single AAA battery with 1.5V or less in the button and this needs to be boosted to 3.3V, so this is done with a regulator.
This is actually a quite powerful regulator, they could have used a cheaper one.
Anyway. There is also Bluetooth Low Energy, you can see this here, this is a BLE IC.
I'm not sure if they are using this already, they might do with the iOS app, but I haven't analyzed this.
There is a 4 MB SPI flash and a microphone. This is here. You can see the package removed, this happened accidentally.
Then there is an LED, it cannot be seen here, but it's 3 LEDs actually: red, green and blue.
The thing is clocked from a 32 kHz oscillator, this is this thing here, and it generates a higher clock frequency internally using a PLL.
There are also some discrete semiconductors here, they use them for the powering stuff.
If we put it all together it looks more or less like this. This is a bit simpler than reality, but we have the Bluetooth connected to a UART, the Wi-Fi is connected to the SPI bus and the SPI flash is also connected to another SPI bus.
The interesting thing here is that there is an additional UART that is used for debugging.
The voltage regulator gets started by the button press, and one interesting thing is there is no other wake-up source, no real-time clock or something like that; that means the button can never wake up on its own terms.
You always have to press the button, and once it goes back to sleep it can't wake up again without the button being pressed.
Power-Enable is held with an external latch, so the microcontroller simply clears this latch and goes to shutdown.
The microcontroller can also measure the battery voltage using the ADC, and there is an enable signal to connect or disconnect the battery from the ADC.
This value is also sent to the server, so Amazon knows when your battery is going empty.
Regarding the power consumption...
mpetroff already did a lot of measurements regarding this, and you can see that Wi-Fi is drawing a lot of power, 400 mW. Without Wi-Fi it's down to 80 mW, and with some power-saving you should be able to go down to about 50 mW.
The built-in battery is about half a Wh, so that's about 75 minutes with Wi-Fi enabled, and about 10 hours with some very good power-saving.
Basically you could make an acoustic bug with this and listen to the microphone for some time and then transmit it via Wi-Fi, but it's still limited with this battery power.
The debugging interface is also there, you already saw those test points earlier.
The old Dash button had single-wire debugging enabled and a serial console with debugging commands, you could simply dump memory using the serial console.
The new button has test pads for SWD and a serial console, but SWD is disabled and the serial console is stripped down to a few boring commands. We'll come to these later.
Here you can see the debugging interfaces from the bottom side, you can mount a connector here. Which connector, you can find on the petroff website; all of these IOs are 3.3V, the pinout is basically compatible to the old button.
Here are some UART commands, you can see there are three different modes.
There is a test mode menu, this has a lot more commands, they probably use this in the factory to do some calibration and testing.
This is the user mode menu. You have this if you open the button and connect the serial port. There's just some firmware revision you can query and you can measure the battery voltage. "immortal" prevents the automatic shutdown, it then stays on until you issue a shutdown or you switch to "mortal" again.
The developer mode menu has some more interesting commands. There is still no memory access, but you can enter certain modes: configure mode, access point mode, scan for Wi-Fi, and so on.
Let's have a look at the communication protocols and the crypto stuff.
The communication works like this: you have the SAMG55, this is the microcontroller, then you have the Wi-Fi chip, this is this ATWINC, and this chip handles all the TLS stuff, so those two communicate in plain text using SPI, and then the Dash button uses HTTPS when connecting to the Amazon server.
So you can see plain-text data here, and it's clocked at 40 MHz, so this is rather fast.
One of the first things I did was I wanted to analyze the communication that was there, because I didn't actually know if they are using TLS inside the Wi-Fi NIC or if they are doing the TLS in the microcontroller. They did it in the microcontroller in the last hardware revision, and so I put an FPGA between those two things and logged all the data that came by.
I did cut the bus so I could do man-in-the-middle as well, and I did this before I had the full Dash firmware; with the knowledge now this wouldn't really have been necessary.
It looked like this, you can see I removed the microcontroller here and added plenty of wires, these then go to some sort of base board where I can plug in a breakout board for the microcontroller.
The microcontroller is actually here on this board, there are some LEDs for... yeah, they are the RGB LEDs.
Here I have the serial console, here I have SWD, here is the reset button, and here is the actual Dash button.
This here is the 3.3V supply, and you can see a lot of jumpers here, these are all the connections to Bluetooth and Wi-Fi, so I can simply remove the jumper and do man-in-the-middle there.
This is the thing with the FPGA board plugged in.
That's how I analyzed this communication, which I'm now going to present.