Thursday, May 28 2015
I bought an Amazon Dash button just when it was released. A few weekends ago I had time to play with it and here is my write up. This is not really a security write up, I was just interested in how it works. There is a decent hardware focused overview available here: Inside the Amazon 802.11b/g/n Dash Button. This overview is more on the software side!
Summary:
The Dash button connects to Wifi and sends a HTTP POST every time you press the Dash's button.
The Dash is completely shutdown until you press the button, it will switch off seconds after the HTTP request is done with a small timeout to wait for the server's reply. The HTTP connection is protected via SSL but the Dash button doesn't check the certificate and can be easily intercepted. The main part of the data exchange seems to be the Dash Serial Number (DSN).
Background
The Dash button is a simple way to reorder a specific item from Amazon.
The item that is ordered needs to be preselected at setup time, so far each button
only allows you to select from a very small list of related items.
My Cottonelle button only allows to pick one out of four Cottonelle products.
So unfortunately you cannot just order ANY Amazon item :-(
Below: my mock-up for what people actually want to use the Dash button for (beer, bacon and condoms).
Setup
The setup process is pretty straight forward. You install the Amazon app on your phone and go to My Account and select the Dash Button menu.
The app takes you through the steps and your Dash is configured.
Some interesting parts of the setup are.
Wifi setup
The Wifi is configured from the app using an audio channel. In the setup mode of the Dash
it receives the audio and demodulates it to set the Wifi network name and the password.
In addition to the audio based configuration the Dash also creates a Wifi access point named Amazon ConfigureMe. Once you connect to it you can go to http://192.168.0.1 and configure the Wifi settings via the web interface. Once you click Configure the Dash reboots. I actually didn't manage to connect the Dash after configuring it through the Wifi interface (I also didn't try that hard).
As the last part of the setup you select that product you want to reorder every time you press the Dash button.
Investigation
While playing with the Dash I discovered a number of small things.
Open Ports
The Dash opens ports 80 and 443. I was NOT able to connect to 443. Port 80 obviously provides the web interface to configure the Wifi settings (previous paragraph).
DHCP
The Dash shows up as WICED*DHCP*Client on your Wifi router host list.
Networking
All communication goes to parker-gateway-na.amazon.com on port 443.
The Dash button does NOT check the certificates so you can easily MITM it and look at the network traffic.
I used my Wifi router's DNS service to resolve parker-gateway-na.amazon.com to a local IP address running webmitm (from the dsniff package). Using the generated key/cert you can easily look at all the network traffic using ssldump or wireshark.
How to generate network traffic without ordering anything!
The one problem with the Dash is that it is only online (connected to the Wifi) for a short time when you press the button. Pressing the button will initiate an order, so playing with your Dash could end up in a lot of toilet paper showing up at your doorstep.
One easy way to avoid this is by skipping the last step of the configuration. If you skip that last step your Dash button thinks it is configured but the backend doesn't. The last step of the configuration is selecting the product you want to order. Basically you need to quit/kill the Amazon app when it asks you to select a product for your Dash button. Once you do this you can press the Dash button as often as you want without triggering an order of toilet paper. The Dash button will come online connect to your Wifi and connect back to the Amazon backend. This gives you the time to collect network traffic or port scan the Dash.
Dash network traffic
I only looked at the traffic between the Dash and the Amazon server. I didn't look at the traffic from the Amazon app to the Amazon server during setup. I should have done this but I didn't. Now I don't have the time to do it. I barely have the time for this writeup.
From what I can see the Dash sends only a few messages to the server. The first thing you see is that the messages always contain the Dash serial number (DSN) that is printed on the back of the Dash button.
All communication is carried out via HTTP POST. Content-type is set to: binary/rio. The encoding is set to chunked. The encoded data is a mix of ASCII and binary with a length fields for specific parts. I didn't have the time to reverse the message format, I just took a brief look at it. The last part of each message seems to be 20 bytes of binary data.
During setup the Dash sends some data such as RSSI values to the Amazon backend. There is a status bit field message and of course there is the message that is sent when the button has been pressed and the Dash thinks it is fully configured. If the Dash thinks it is not setup correctly pressing the button will just lead to a blinking red light.
If it thinks it is configured it will connect to the Wifi and send a specific message. The message is rather short and mainly consists of the DSN followed by the 20 bytes of binary data. The server answers to this with different messages. The only message I saw so far was the message for a not fully configured Dash button (HTTP 412 Precondition Failed). So far I was not in the mood to actually order something. I leave this exercise for other people.
Package Captures:
Message sent during setup:
Some status message:
Some message sent from the Dash to the server:
Message sent when the Dash button is pressed and the Dash thinks it is configured:
Server answer when the Dash button does not have a product associated:
Conclusion / stuff to do:
The Dash seems like a fun toy, I wish you could just configure it to order any item from Amazon.
I know the current version is just a trial and I hope in the future they will allow you to select any product.
One thing that I found strange is that there is no back communication from the server to the Dash button at setup time. The only message that is sent from the server to the Dash is after the server receives an order item message after pressing the Dash's button. This must mean that you can either modify the message and change the DSN to initiate an order for another Dash button. OR The last 20 bytes provide integrity protection for the message.
Hacking Todo List:
Sniff traffic of an actual order. Specifically the answer from the server.
Open the device and dump the firmware!
Reverse message format. What are the last 20 bytes in the message? My guess this is for integrity protection. Like an HMAC. But this is just wild speculation.
Sniff communication between Amazon App and server during Dash setup.
Happy further hacking!
Monday, May 18 2015
Conferences
SourceBoston Mat 2015: A Swift Teardown by Jared Carlson; iOS App Analytics VS Privacy: An analysis of the use of analytics by Guillaume Ross. (they still have TBD slots)
ReCon Montreal, Canada (June): Building a Better Bluetooth Attack Framework by Chris Weedon
Black Hat USA ADVENTURES IN FEMTOLAND: 350 YUAN FOR INVALUABLE FUN by Alexey Osipov & Alexander Zaitsev; ATTACKING YOUR TRUSTED CORE: EXPLOITING TRUSTZONE ON ANDROID by Di Shen; CERTIFI-GATE: FRONT-DOOR ACCESS TO PWNING MILLIONS OF ANDROIDS by Ohad Bobrov & Avi Bashan; FAUX DISK ENCRYPTION: REALITIES OF SECURE STORAGE ON MOBILE DEVICES by Daniel Mayer & Drew Suarez; HACKING INTO SMARTPHONES AND CARS WITH A SIM CARD by Matt Spisak; STAGEFRIGHT: SCARY CODE IN THE HEART OF ANDROID by Joshua Drake; TRUSTKIT: CODE INJECTION ON IOS 8 FOR THE GREATER GOOD by Alban Diquet & Eric Castro
CONFidence Krakow: iOS Hacking: Advanced Pentest & Forensic Techniques by Omer S. Coskun; Abusing apns for profit by Karol Wiesek
Defcon Extracting the Painful (blue)tooth by Matteo Beccaro and Matteo Collura; Build a free cellular traffic capture tool with a vxworks based femoto by Yuwei Zheng and Haoqi Shan
Android Security Symposium Vienna, Austria, from 9-11 September 2015. Only Android security talks!
Some of the upcoming conferences I covered in earlier month (e.g. HITB Amsterdam).
CFPs
Breakpoint Melbourne, Australia, October 22th-23th
SEC-T Stockholm 17-18:th of September 2015
44con
The Chaos Communication Camp cfp just closed yesterday.
iPhone: I bought an iPhone 5c (as a tryout device) like two weeks ago. I used to have a iPhone 3G back in 2009. I'm pretty happy with it, usability is great and the radio/antenna seems way better then the one in the Nexus 5. One thing I noticed is that most major apps are much better on the iPhone. There are exceptions like Dropbox. The Dropbox client is missing features compared with the android version. I'm missing the text editor! Also inter-app communication is really a weakness of iOS and a strength of Android.
Other annoying stuff: I can't set Chrome to be the default browser. I can't have Signal as the default SMS app. One of the most annoying things are notifications. Many apps don't support privacy friendly notifications on the lock screen. I want to see if there are new emails in an account but I don't want the sender, subject, or content to be shown. The same is true with a lot of apps. It is either no notification or notification with content. Not happy with this! But I'm a big fan of handover.
I total I'm still happy with my tryout iPhone 5c. Let's see how long.
Mobile Killswitch: The mobile killswitch now has it's first possibility for abuse: So this killswitch tech in mobile phones now, kinda scary, especially when I can lock you out from your phone from an app w/ no root by @jcase.
Links
Wednesday, May 06 2015
This is actually a delayed April update!
Conferences
CircleCityCon Indianapolis. ZitMo NoM - Clientless Android Malware Control by David Schwartzberg. Making Android's Bootable Recovery Work For You by Drew Suarez. Hacking the Jolla: An Intro to Assessing A Mobile Device by Vitaly McLain and Drew Suarez.
ShakaCon Hawaii. Making Android's Bootable Recovery Work for You by Drew Suarez.
PhDays Moscow. Fighting Payment Fraud Within Mobile NetworksTech by Denis Gorchakov and Nikolai Goncharov. GSM Signal Interception ProtectionFast Track by Sergey Kharkov and Artyom Poltorzhitsky. RFID/NFC for the MassesHands-on Labs by Nahuel Grisolia. iOS Application Exploitation by Prateek Gianchandani.
In the last weeks I went to RSA Conference to hangout with a few people. I met the good guys from NowSecure and Zimperium as well as the fellows of DuoSecurity.
The week after I attended Qualcomm Mobile Security Summit 2015. Again this was a super interesting mobile security focused event, most likely the best one of the year. Good talks and good people. There is no general posting of slides but some presenters published their slide deck. Tim and jcase posted their slides here: Android APP Protection. It was good to meet some guys from @K33nTeam. Their presentation was pretty good too.
If you are interested in learning about Android security take Jduck's and Zach's training at DerbyCon. They know what they are talking about.
This picture is sadly very true. I really dislike the trend going towards big smartphones or phablets.
Nexus 5 issue after a long and painful struggle including factory resetting my Nexus 5 and downgrading it to Android 5.0.1 I gave up and determined that it must be a hardware fault. Most likely the power button. I also found out (via @mweissbacher) that the warranty of our Nexus 5 devices ran out in January :-(
I determined that the only decent device to buy right now is a Moto X in the Pure Edition. The pure edition is basically AOSP like shipped with the Nexus devices. So if you are looking for a normal sized smartphone that runs stock Android this might be a device for you. Motorola even states on their site that the pure edition receives more regular updates then carrier branded devices. Most likely also more frequent updates then devices that run a heavily modified Android version (shipped by most other manufacturers).
News and Links