Orphaned Amazon Dash Buttons Ripe For Hacking

Amazon Dash buttons were the ultimate single purpose networked device; it really can’t get much simpler than a push button that sends a single message to a fixed endpoint. It was an experiment in ultimate convenience, an entry point to a connected home, and a target for critics of consumerism excess and technological overkill.

But soon they’ll be little more than a footnote in the history of online shopping, as CNet reports Amazon will take the order system offline at the end of the month. With the loss of their original intended usage, there’s nothing to stop us from hacking any Dash buttons we can get our hands on.

Of course, this decision should come as little surprise. Amazon’s in-home retail point of sale has graduated from these very limited $5 buttons to Alexa-powered voice controlled devices. Many people also carry a cell phone at all times capable of submitting Amazon orders. While there are many good reasons to be skeptical of internet connected appliances, they’re undeniably finding a niche in the market and some have integrated their own version of a Dash button to re-order household supplies.

But are hackers still interested in hacking Dash buttons? Over the lifespan of Amazon Dash buttons, our project landscape has shifted as well. We’re certainly still interested in the guts an Echo Dot. But if we wanted to build a simple networked button, we can use devices like an ESP8266 which are almost as cheap and far easier to use. Using something intended for integration means we don’t have headaches like determining which generation hardware we have.

Despite those barriers, we’ve had many Dash button hacks on these pages. A to-do list updater was the most recent and we doubt it will be the last, especially as Amazon’s deactivation should mean a whole new flood of these buttons will become available for hacking.

[via Ars Technica]

28 thoughts on “Orphaned Amazon Dash Buttons Ripe For Hacking

  1. Dash buttons are great. The problem with hacking them is that when the Amazon app will no longer offer the initial Dash setup, we won’t be able to get them to connect to WiFi. Then only the flashing of custom firmware (which does not exist at this point?) might resurrect them. I also wonder what will happen to the ones we hacked and are currently using – will they get an OTA that bricks them?

    1. There are some great articles out there that are addressing this very issue. Someone did a technical breakdown (acoustical) that basically reverse engineered some of how the app is able to connect to the button and send the credentials to the device. Once the one-time setup is completed, the credentials are saved….so if you change passwords or SSID names, it could break the connectivity of the button itself, but as far as I know, if you run ARP packet sniffers to find the MAC address of the device, the button itself would be independent of the Amazon ecosystem after that point. I assume that it will probably reach out to a generic AWS endpoint that will be taken offline at some point, but the hope is that with the articles and research already out in the community, that when Amazon makes them go dark, there will be a backup in place to register new devices.

  2. If they appear cheap in the market now, there are some nice uses for them in cases where a simple, physical interface is useful. Of course, provided there is enough information to reprogram and repurpose them.

    It would be nice if Amazon would release some technical information after their system is shutdown.

  3. I’d love to have one of these connected to an Octoprint plugin. I have couple of 3d prints that I do somewhat often, and it would be really cool to have one at work that I can just press to start a print when I’m at work, I know my printer is unoccupied, and I need the print attached to the button.

  4. They also released a generic IoT version that was about 4.5x the price of the original dash buttons. I wonder if these are scheduled to die too? If not, I wonder if the cheaper versions can be updated to the IoT versions firmware?

    1. Didn’t someone at Adafruit write a contributed blog on the subject of changing the firmware on a dash that clearly wasn’t one of the IoT buttons to start with. I have two here, and so far all they do is confirm to my ‘droid phone R2D2 that they are still here.

    1. Most certainly if we can figure out how to dump the firmware. Or, the other option is doing a MitM (man in the middle) attack and capturing the traffic if it’s not SSL or maybe get a button with a firmware download so we can start reversing the file.

  5. Curious if anybody knows if Amazon can push a firmware and brick them all. I’ve repurposed one as a “form feed” button (remember those?) for my laser printer, handy for kids. Would be a bummer if it stopped working.

    1. Based on my experience, the short answer is probably, if they want to be jerks about it. I’m planning to block all my buttons in my firewall soon. I’ve observed that if you delete a dash button from your amazon account, the next time that button gets pressed and talks to amazon’s servers, it will revert into setup mode and forget your WiFi info. So you’d need to run through the new button setup procedure to get it working again, which should no longer be available once they pull the plug on the buttons. For currently set up buttons, the uncertainty that remains is once amazon kills the buttons, when a button gets pressed, is there still a server listening for it, ready to send the button into setup mode?

      1. Another line of thought, what is that first step (I guess second step after actually pressing the button on a non configured device) look like? Does it spawn a non broadcasting access point (the client would need to do something with your phones WiFi radio) or is it something else all together? If it’s the first with the Access point, then just establish something that monitors (inb4 airmen-ng/ pythons scapy) for that and then action accordingly.

  6. I’m not surprised they are planning on shutting down the things. I have here one for Nerf darts that I have not configured. Especially since I still have all of the ones I bought from Target, plus the two the gun came with.

  7. Sorry to be ‘that guy’ but really, Amazon should pay for the recycling costs of every dash button ever produced, it was a moronic idea when they started it, they already had voice assistants when this bs was released, and we all had a smartphone aswell, this product was never ever needed and a perfect example of how American companies always take things a step to far. On one hand im glad to hear they’re gonna stop this nonsense now, on the other hand, thats just stupid, what about all the electronic crap they make obsolete with this move? thats all gonna go to landfills now, and these days the landfills are in your own country ;)

    Take note of what happend here, and the next time a company starts mass producing a throw-away piece of electronics please dont even buy it, its hard enough trying to care about the environment when the US official gives zero f*cks about it, we really dont need you people to make things even worse, thanks.

    1. I’m sorry but: +1
      I really hope somebody will hack these things so at least some can have another life. Else it will be even more electronic waste and wasted ressources. :-(

    2. I agree on some parts, but let me point out that in some niche cases, dash buttons were amazing. I’ll provide my experience as one of those cases…

      I’m a busy SAHM of two, but also a tech nerd (before I had to devote all my time to mommy-hood, I actually got a lot of use out of my B.S. in 3D), but I personally found the dash buttons to be wonderfully convenient. We jumped on it right away. I have them all over the house – tp, food, detergents, cleaners, paper products, pet products. I have them hidden in drawers, under cabinets, next to paper towel holders, and more. Needless to say, I was pissed when they said they were ending the physical button program.

      Why did I prefer the physical buttons? Let me count the ways:

      -Half the time, I have no idea where my phone is. I’m busy running around the house and sadly, the clothing companies still don’t seem to think women need sizable pockets, if any at all. Virtual buttons are completely useless for me.

      – My voice assistant devices can’t always hear me – a product of a large, mostly hardwood house and screaming kids in the background. Plus, I prefer GA, as I think Alexa sucks upon comparing them both (sorry, not sorry, lol. You just don’t get me, Alexa.)

      -My brain is completely scrambled. I timed it one time out of curiosity; my 3 yr old interrupts on average every 90sec. When I’m trying to clean up pee for the countless time this week, and realize I’m out of Swiffer pads, I have maybe a 60 second window to remember to order some right then on the spot, where I store the pads… before my brain is mush again. I could push the button the moment I remembered, instead of telling myself I needed to track down my phone and push the virtual butto—- “You’re hungry again? You just ate! No, we aren’t watching YouTube right now. I said no. No, get off that right now! You said your were hungry, so eat this. No? Well, then clearly you aren’t that hungry. Ugh, no, don’t throw it away. I’ll eat it if you don’t want it! ” (you get the idea, lol)

      However, I think you make a great point, too. How many techie stay at home parents are there out there? Probably not a ton. Probably not enough to make it worth it for Amazon as a business.

      It just sucks that they left so little behind. If you don’t want to support it or add more or add future updates, fine, but couldn’t you just leave the infrastructure alone? Why shut the whole thing down completely? I’m assuming it’s likely due to either security risks, consumer legal risks, or too high of maintenance costs to even do the bare minimum. Maybe all of the above.

      I guess this is what’s the risk, though, as an early adopter, so I try to take it in stride.

      In the meantime, I’m trying to figure out what’s possible. I’d love to find a way to make something at home that would work in a similar way, although it’s looking like hacking the Dash isn’t gonna be feasible, either. :(

  8. So, at the simplest level, the technical description of what one of these buttons does is this: you push the button, and it spews some http over wifi. If we can hack the content of the http, then I’d make it commands to my Philips Hue bulb setup. Several Dash Buttons, each programmed to send commands for a specific color lighting scheme. A couple buttons by the TV-watching couch, a few in the bedroom, one or two by the main door. I’ve been looking for a no-brainer way for anyone to set the lights w/o using a smartphone or desktop app.

  9. I hope to be proved wrong, but I think were dead in the water. Sometime during the last few weeks Amazon removed the capability to initialize a new Dash button in their app. Without that, there’s no way to get the button on your local wifi. The buttons contain a non-rechargeable AAA battery, which will eventually run down. At that point, there is no way to replace the button with a new one. (New buttons can no longer be initialized, and my experience is that even buttons which have been in service need to be reinitialized after the battery is replaced).

    Like I said, I hope there are some clever hackers out there that can prove me wrong!

    1. It’s not as cheap as the “good old days,” but if you have an application using a dash button and don’t want to give it up (as I do), there is a alternative. I purchased an “AWS IoT Enterprise” button. (These are still available from Amazon: https://www.amazon.com/All-New-AWS-IoT-Enterprise-Button/dp/B075FPHHGG/) My understanding is that using it the “correct” way requires a monthly fee, but you can play the same trick that was used with the free buttons: Go through the setup process just far enough to get it connected to the WiFi network. Now, when I press the button, it connects to the network and generates an ARP request, so I can use it with my system just like one o fhe “old” buttons.

      1. Don’t do this. Please.

        You already have an example of what Amazon thinks of it’s users using their buttons for something other than what they designed it for. They pushed out firmware patches to stop hacks and took down their server which probably cost them like 2$ a month to run so that nobody can use their buttons anymore. It’s just a matter of time until they do the same thing with the IOT buttons. The IOT buttons are $20 a pop and it’s just not worth it.

        Do some research for Zwave or Zigbee buttons. You will need a hub, but the buttons are WAY less expensive than the IOT button and they will work forever. They are not tied to any closed source server for activation and will not just stop working one day because the company stops wanting to support them.

        I have 30 amazon dash buttons that i use around my house for automation with conjunction with a raspberry-pi and, even though they cost me about $2 a pop on ebay, i’m still extremely disapointed that Amazon is going to force disable all of them with a firmware path in december. I’m going to have to spend a bunch of money to redo my house because amazon won’t release any details about how to keep buttons activated or reactivate them, even though there are thousands of them out there that are going to go straight to the dump now that amazon has discontinued support. It’s insanely wasteful.

        1. The zwave buttons sound interesting, as I have a zwave hub. Do have any suggestions on what to get? The only things I can find are pretty expensive, and I’m reluctant to order anything without knowing if it will work.

Leave a Reply to bluecat57 Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.