33C3: Hunz Deconstructs the Amazon Dash Button

The Amazon Dash button is now in its second hardware revision, and in a talk at the 33rd Chaos Communications Congress, [Hunz] not only tears it apart and illuminates the differences with the first version, but he also manages to reverse engineer it enough to get his own code running. This opens up a whole raft of possibilities that go beyond the simple “intercept the IP traffic” style hacks that we’ve seen.

dash_block_diagramJust getting into the Dash is a bit of work, so buy two: one to cut apart and locate the parts that you have to avoid next time. Once you get in, everything is tiny! There are a lot of 0201 SMD parts. Hidden underneath a plastic blob (acetone!) is an Atmel ATSAMG55, a 120 MHz ARM Cortex-M4 with FPU, and a beefy CPU all around. There is also a 2.4 GHz radio with a built-in IP stack that handles all the WiFi, with built-in TLS support. Other parts include a boost voltage converter, a BTLE chipset, an LED, a microphone, and some SPI flash.

The strangest part of the device is the sleep mode. The voltage regulator is turned on by user button press and held on using a GPIO pin on the CPU. Once the microcontroller lets go of the power supply, all power is off until the button is pressed again. It’s hard to use any less power when sleeping. Even so, the microcontroller monitors the battery voltage and presumably phones home when it gets low.

dash-mitm[Hunz] looked at the communication stream, finding HTTP data over SPI between the microcontroller and the WiFi radio chip, and TLS-encrypted HTTPS from there on out. So he soldered in an FPGA to man-in-the-middle attack the hardware, making a beautiful hacker’s development kit out of the $5 gadget.

The old Dash buttons had SWD debugging enabled and a serial console, and the new firmware has it disabled except for a few commands, so it’s not easy to dump. So [Hunz] desoldered the SPI flash and read it externally. That gave him the firmware, minus the bootloader and some configuration storage. Next came a great trick: he wrote the same firmware to a fresh SAMG55, and the firmware worked. The chip he flashed it to had SWD debugging running, however, so he was able to work in a much more friendly environment with developer console and everything. (Brilliant!)

With a firmware dump and a running version of the system under debugging, he eventually found a hole in the audio configuration protocol — which is used to configure the device through an audio file played into the microphone like an updated version of an old-school modem. The input in the audio protocol, unfortunately for Amazon, wasn’t checked for length. Buffer overflow and a complete flash dump ensue. The video of him hacking the button with an earbud is classic.

Amazon will patch this hole sometime soon, of course, but they can’t do so if the button can’t connect to their servers. [Hunz] has said he’s not going to work on it much more, but here’s his GitHub. Have at it!

19 thoughts on “33C3: Hunz Deconstructs the Amazon Dash Button

  1. This is a great write-up, and a great hack all around. I like the “sleep mode”, may implement something like it in a future project that need ultra-low power. Also the attack vector is awesome. I’m gonna buy a couple of these before they patch this “vulnerability.” I always wanted a find-my-phone button

    1. Yup, I’ve done it before. Run your device’s battery through a relay. Power button bridges the relay’s contacts, supplying power to the circuit. The circuit energises the relay’s coil through a GPIO and driver transistor. Then when you want to switch off, drop the GPIO.

      Depending on your choice of relay, it means more power use while it’s on, but zero when it’s off. Mine was a toy I was making for a friend’s kid, I figured it would be off most of the time. Ran off AA batteries, so this way keeps it simple.

      You could use a transistor instead of a relay I suppose. I was going for simplicity.

  2. Amazon: “We need this gadget thing. Make it good and cheap, Mr. Productmanager!”
    Productmanager: “Hey top-of-the-line Developer, do this!”
    Top-of-the-line Developer: “OK, I can bill you 3 hours now, I will add all kinds of bells n whistles, so I can bill you 10.”
    Simple products done right – loving it (although the product itself is about as useful as a rectangular wheel (unless you are driving on a sinusoidal road))…

  3. I’m new into the hardware hacking scene and those grey grabber things with the wires attached look like exactly what I want!! I’ve been using aligator clips which seem to destroy the boards I’m clipping them to (and the metal clips touch and short things out). Can anyone give me the technical name for the “grey grabber thingies”?

      1. In this case, battery life is going to limit it. It’s got a nice powerful processor, but even if you have it monitoring the mic constantly for keywords, and only starting the Wifi connection on that trigger, you’d wipe out the battery in a couple of days. That’s assuming voice-rec of the necessary quality is possible without an online Google-farm available.

        This particular device I don’t think would make a good bug. But that doesn’t matter, cellphones make fantastic ones, and they’re all over the place.

  4. This is a great start. Who is going to work on a way to flash a new firmware without opening the case? And to update the firmware on the PRoC over UART as well so it can be a Bluetooth or WiFi button.

  5. I would love to see an exploit to download custom firmware. I know that the generation 1 dash buttons does not really check the server cert (I can use self-signed cert to fool it, as long as it pretends to be from parker-gateway-na.amazon.com). I wonder if the generation 1 is capable of firmware download? I can definitely set the POST requests through my fake server.

    The tough part is getting my hands on the previous generation Dash. Among the dozens of dash buttons I bought, only 1 is the previous generation dash button.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s