Back in July, Amazon launched their Dash Button, a novel way to reorder specific household products (not to be confused with Amazon’s Dash for AmazonFresh).
The Dash Button’s shape is like a pill with a flat front and back. On the front there’s dished button, a tiny hole for the microphone (which is used to set up the Dash Button) and an LED, while on the back there’s an adhesive pad so you can stick it where it will be useful, for example, if yours is a Tide button, then you’ll probably stick it on your washing machine. The Dash also comes with a removable black frame that provides a loop so you can hang it up if you prefer.
Amazon Here’s what the Dash Button does: When you press the button, the Dash Button connects, via your local area network, to Amazon and places an order for you to be shipped a new box of Tide washing powder or whatever it is your button is configured to order. The Dash Button costs $4.99 and, currently, you can only buy one for each product type.
Amazon Now, what’s going on under the hood is interesting and, you may not be surprised to find, hackable. In fact, Matthew Petroff published an excellent post of the teardown of an Amazon Dash Button.
The first article I found about hacking the Dash Button was published in August by Ted Benson and titled How I Hacked Amazon’s $5 WiFi Button to track Baby Data. What triggered Ted’s interest in hacking the Dash Button was an IQ (Infant Quantification) problem:
My wife and I tried a few baby-tracker apps, but they tend to be single-purpose, while your baby’s needs keep changing. And using your smart phone at night disrupts sleep. I want a simple button I can stick to the wall and push to record poops today but wake-ups tomorrow. Lucky for me, Amazon just started shipping their new Dash Buttons, which you can transform into exactly that with just a few minutes.
What Ted realized was that when you push the button on a configured Dash Button, it fires up and enables its WiFi transceiver (the Dash Button is asleep until you push the button), requests an IP address via DHCP, and, as is required, sends an ARP probe to make sure that no other device is using its assigned IP address before it tries to talk to Amazon to, in theory, place your order. This ARP request includes the media access control address (MAC address) of the button so if you have a program that watches for ARP probes you can watch for a specific Dash Button being pressed … provided you know its MAC address which isn’t printed on or in the device case.
So, first thing you need to do is introduce your Dash Button to your network which requires using the Amazon Shopping app (available for iOS version 7.0+, Android version 4.0+, and Fire OS 3.6+) but not completing the configuration process.
Earlier I mentioned that the Dash Button has a microphone and the setup procedure is where this comes in. This procedure requires you locate your Dash Button near to the smartphone’s speaker where it’s configured via sound; according to Matthew Petroff:
I have not reverse engineered the audio protocol, but the data seems to be transmitted using audio frequency-shift keying around 18–19 kHz. The app transmits this message 20 times before giving up. Although not mentioned in the documentation, the Dash Button creates a Wi-Fi hotspot when placed in configuration mode, Amazon ConfigureMe, which is used by the Android version of the Amazon Shopping app. Once connected to this hotspot, a web page is accessible at 192.168.0.1 via HTTP, which allows for configuring the Button’s Wi-Fi connection settings. However, the Amazon App is still required to finish setting up the Button. When connecting via HTTPS, a certificate signed by the Amazon.com Internal Root Certificate Authority and issued to Amazon.com Infosec CA G2 is presented, which expires 2016-06-22. However, I was not able to successfully connect even after bypassing the certificate error, so it might be using a different protocol over TLS. The Button’s firmware version, v0.9.119, can be gleaned from the source of this page. By monitoring the Button’s network traffic, I was able to determine that the Button communicates with parker-gateway-na.amazon.com via TLS.2 Additionally, it always uses 8.8.8.8 for DNS. Due to the use of ultrasound instead of Wi-Fi in the iOS version, I assume iOS doesn’t allow Amazon access to the Wi-Fi settings they want. The MAC address vendor prefix is 74-75-48 for my Tide Button when triggered; it is 6C-0B-84 when in configuration mode.
You should follow Amazon’s setup procedure to the end of step 4 and then stop otherwise you’re going to be ordering a lot of Tide.
Now you have a Dash Button that can talk to your network but that’s it and it’s in the buttons’s process of acquiring an IP address that we can detect the button push for a specific button. We can do this because each button has a unique MAC address so all we have to do is watch the network traffic for an ARP probe from the button, check the MAC address, and then, if we detect it, do something.
In the next part of this post, I’ll explain how to detect the ARP request using Ted’s code and what you’ll have to do to make the code work.
