-
So now we come to our next talk;
it's about the Amazon Dash button.
-
Who of you knows what the Amazon Dash
button is? Okay... kind of everybody.
-
Who has an Amazon Dash button?
-
Who has used it to buy something?
-
Okay. [clapping and laughter]
-
So for everybody who has never seen an
Amazon Dash button, you now get the chance.
-
I brought one.
-
It looks like this.
-
It's a small tiny thing.
-
You can click on it, you can order stuff,
and you can order great stuff.
-
Like... things which make sense, like
dog-food, shampoo, stuff like that.
-
But also fun things... so things you need
regularly...
-
But also fun things like Play-Doh,
you know, it's the stuff for kids.
-
I have no idea who regularly needs to buy
Play-Doh... where does it go?
-
Is it like your child eats it all up so you
need a new one? Or...?
-
So this is something we perhaps won't
learn in this talk, why we need this.
-
But we will learn how you can hack
it to use it for a different purpose.
-
Some of you might say "Okay wait, I've
already heard of something like that."
-
Yes, because when the first version was shipped
out, such an analysis was already done.
-
But there is a new version, and as is
often the case with the Internet of Things
-
stuff, they tried to make it more
secure.
-
I mean, that's what the 'S' stands
for in "IoT".
-
What we'll hear about is
the hardware, the software,
-
and also what the communication with
the server looks like.
-
And hunz will give us a talk
about this.
-
He is somebody who has been hacking hardware
for quite some time, so...
-
Let's give him a warm round of
applause and let's learn. [clapping]
-
Thanks, nice to see you.
-
Let's have a closer look at
the Amazon Dash button now.
-
The Dash button is basically a
Wi-Fi connected button.
-
It's been around in the US since
about 2014, I think.
-
And in Germany it's been available
since August of this year.
-
There are two hardware revisions and
in this talk I'll only cover revision 2
-
because that is the current revision.
-
I don't think you can still get
the old revision.
-
The old revision has also already
been hacked quite a bit.
-
This button can be used to order
or reorder certain consumer goods
-
like pet food or washing supplies
and stuff.
-
It's only available for certain brands
and products, and you cannot configure
-
it freely.
-
It costs five Euros and you get a refund
on your first button-triggered order.
-
There is also a customizable version
available, at least in the US,
-
for twenty dollars, and you still
can't load your own code on this button,
-
but you can use the Amazon Web Services
to get the button presses.
-
So what is interesting about this thing?
-
Well, it has Wi-Fi and it must be some
sort of computer,
-
so it's a sort of Internet of Shit
device, though it might be more useful
-
than certain other products.
-
One question of course is: how does it work?
We just want to know.
-
Then: what about security? If we put this
thing on our network, is this a security risk,
-
and can it be used for cyber, DDoS and so on?
-
Another important aspect for the hardware
hackers is whether we can reprogram it
-
for our custom Internet of Things project.
-
It's more powerful than the common ESP8266
and the price is comparable.
-
The next point of course is: if we can
not run code on it, we don't really own it.
-
So we want to run our code on it.
-
There is some prior research that
has already been done for the old button.
-
You can get the slides from the Fahrplan
and I'll refer to these two links later
-
during the talk. So this has been done
already; you can read it up.
-
The easy way of repurposing the Dash button
is to use the smartphone app
-
and configure the Dash just normally,
but you close the app
-
once you get to choosing a product.
-
This then prevents the Dash from ordering
anything.
-
The product selection is stored server-side
while the Wi-Fi configuration is stored in the button.
-
The button still contacts the server
and says "I want to order something",
-
whatever is configured there.
-
The server says "Nope, there is
nothing configured"
-
and the button blinks red and that's it.
-
So you don't get stuff, and of course
it does a lot of things to get online.
-
It connects to your Wi-Fi, it does
a DHCP request, ARP request, DNS lookup
-
and so on.
-
So you can monitor all these things
to find out when the button is activated,
-
and monitoring the DHCP logfile is of course
the easiest way, I guess.
-
Who is doing this already?
-
Okay, a few, about three people.
-
We'll go a lot further than this in
this talk.
-
First we'll have a look at the hardware,
so what's in this Dash button,
-
the communication protocol and the crypto.
The firmware revision, this revision was
-
still the most recent on the 25th when I checked it last,
-
and we'll run some custom code on the button
without desoldering anything.
-
I didn't analyze the Amazon smartphone
apps because this is way too high-level for me.
-
Regarding the hardware...
-
The housing is heat-sealed plastic, so you
can't open a screw; you have to somehow
-
break it open or cut it open.
-
My first attempt was with a knife,
cutting along the seal,
-
but that didn't work so well. I removed
some SMD components in this process, and
-
my latest attempt was using a cutting wheel
from the top, because I already knew where
-
the stuff is that I want to get at.
You can see the test points here.
-
And this is the microcontroller, so I simply
cut it open there; there's some space between
-
the plastic package and the PCB.
-
The PCB has four layers and a lot of
SMD 0201 parts; you can see those here.
-
This is all very tiny, and you can
see the pads of the microcontroller;
-
here you cannot, because there is some
black stuff poured over it.
-
I don't know exactly why they are doing this,
but you can remove it carefully.
-
It can be softened a bit with acetone,
that makes things easier.
-
The microcontroller is actually quite
powerful; it's a Cortex-M4 with a
-
floating point unit and it runs, or it can
be clocked, at 120 MHz.
-
It has half a MB of flash and 160 kB of RAM.
-
The downside is the package of this chip.
-
So you cannot easily solder additional
stuff there, and... the black stuff.
-
Then there is the Wi-Fi IC, this is this
chip here; it's 2.4 GHz and thus
-
up to 72 Mbit/s, does WPA1/2 of course,
and there is a built-in IP stack.
-
It works a bit like sockets in Unix:
this Wi-Fi chip basically handles all the IP stuff,
-
and you simply open a socket from the controller
and then you can communicate using this socket.
-
It does have built-in SSL and TLS support
and plenty of stuff.
-
Of course there needs to be a voltage regulator,
because there is a single AAA battery
-
with 1.5 V or less in the button, and this
needs to be boosted to 3.3 V, so this is done
-
with a regulator. This is actually
quite a powerful regulator;
-
they could have used a cheaper one.
-
Anyway. There is also Bluetooth Low Energy,
you can see this here, this is a BLE IC.
-
I'm not sure if they are using this
already; they might do so with the iOS app,
-
but I haven't analyzed this.
-
There is a 4 MB SPI flash and a microphone.
-
This is here. You can see the package
removed; this happened accidentally.
-
Then there is an LED, it cannot be seen
here, but it's 3 LEDs actually:
-
red, green and blue.
-
The thing is clocked from a 32 kHz
oscillator, this is this thing here,
-
and it generates a higher clock frequency
internally using a PLL.
-
There are also some discrete
semiconductors here;
-
they use them for the power stuff.
-
If we put it all together it looks more or
less like this.
-
This is a bit simpler than reality, but
we have the Bluetooth connected to
-
a UART, the Wi-Fi is connected to the SPI
bus and the SPI flash is also connected to
-
another SPI bus.
-
The interesting thing here is that there
is an additional UART
-
that is used for debugging.
-
The voltage regulator gets started by the
button press, and one interesting thing is
-
there is no other wake-up source, no
real-time clock or something like that;
-
that means the button can never wake up
on its own terms.
-
You always have to press the button, and
once it goes back to sleep it can't wake
-
up again without the button being pressed.
-
Power enable is held with an external
latch, so the microcontroller simply
-
clears this latch and goes to shutdown.
-
The microcontroller can also measure the
battery voltage using the ADC, and there
-
is an enable signal to connect or
disconnect the battery from the ADC.
-
This value is also sent to the server, so
Amazon knows when your battery
-
is going empty.
-
Regarding the power consumption...
-
mpetroff already did a lot of measurements
regarding this, and you can see that
-
Wi-Fi is drawing a lot of power, 400 mW.
Without Wi-Fi it's down to 80 mW, and
-
with some power-saving you should be
able to go down to about 50 mW.
-
The built-in battery is about half a Wh,
so that's about 75 minutes with Wi-Fi
-
enabled, and about 10 hours with some
very good power-saving.
-
Basically you could make an acoustic bug
with this and listen to the microphone for
-
some time and then transmit it via Wi-Fi,
but it's still limited by this
-
battery power.
-
The debugging interface is also there; you
already saw those test points earlier.
-
The old Dash button had single-wire
debugging enabled and a serial console
-
with debugging commands; you could simply
dump memory using the serial console.
-
The new button has test pads for SWD and
a serial console, but SWD is disabled and
-
the serial console is stripped down to a
few boring commands.
-
We'll come to these later.
-
Here you can see the debugging interfaces
from the bottom side; you can mount a
-
connector here. Which connector, you can
find on the petroff website. All of these
-
IOs are 3.3 V; the pinout is basically
compatible with the old button.
-
Here are some UART commands; you can see
there are three different modes.
-
There is a test mode menu; this has a lot
more commands, they probably use this
-
in the factory to do some calibration and
testing.
-
This is the user mode menu. You have this if
you open the button and connect the serial
-
port. There's just some firmware revision
you can query and you can measure the
-
battery voltage. "immortal" prevents the
automatic shutdown; it then stays on
-
until you issue a shutdown or you switch
to "mortal" again.
-
The developer mode menu has some more
interesting commands.
-
There is still no memory access, but you
can enter certain modes: configure mode,
-
access point mode, scan for Wi-Fi, and so
on.
-
Let's have a look at the communication
protocols and the crypto stuff.
-
The communication works like this: you
have the SAMG55, this is the
-
microcontroller, then you have the Wi-Fi
chip, this is this ATWINC, and this chip
-
handles all the TLS stuff, so those two
communicate in plain text using SPI,
-
and then the Dash button uses HTTPS
when connecting to the Amazon server.
-
So you can see plain-text data here, and
-
it's clocked at 40 MHz, so this is rather
fast.
-
One of the first things I did was that I wanted
to analyze the communication
-
that was there, because I didn't actually
know if they are using TLS inside the
-
Wi-Fi NIC or if they are doing the TLS in
the microcontroller.
-
They did it in the microcontroller in the
last hardware revision, and so I put an
-
FPGA between those two things and logged
all the data that came by.
-
I did cut the bus so I could do
man-in-the-middle as well, and I did this before
-
I had the full Dash firmware; with the
knowledge I have now this wouldn't really have
-
been necessary.
-
It looked like this, you can see I removed
the microcontroller here and added plenty
-
of wires; these then go to some sort of
base board where I can plug in a
-
breakout board for the microcontroller.
-
The microcontroller is actually here on
this board, there are some LEDs for...
-
yeah, they are the RGB LEDs. Here I have
the serial console, here I have SWD,
-
here is the reset button, and here is the
actual Dash button.
-
This here is the 3.3 V supply and you can see
a lot of jumpers here; these are all the
-
connections to Bluetooth and Wi-Fi, so I
can simply remove the jumper and
-
do man-in-the-middle there.
-
This is the thing with the FPGA board
plugged in.
-
That's how I analyzed this communication
which I'm now going to present.