Amazon Dash Button Hacked, Lets You Do More Than Buy Stuff
When Amazon debuted its Dash buttons earlier this year, the e-commerce world was all abuzz. Dash lets you order common household products at the push of physical buttons. But it didn’t take long for a hacker to find a way to use Dash buttons to do more than order products.
Amazon, for example, rolled out a Tide-branded Dash button you can adhere to your washing machine. When the detergent is almost gone, you just hit the button and a new bottle is automatically delivered to your doorstep.
Ted Benson, co-founder and CTO of spreadsheet tool Cloudstitch, hacked Amazon’s $5 Wi-Fi button to track baby data. Benson’s hack never started with malicious intent. He and his wife tried a few baby-tracker apps but they didn’t meet the changing needs of parents with a growing baby. He was looking for a simple button he could stick to the wall and push to record data about poops today and wake-ups tomorrow.
As it turned out, Amazon offered an “easy way” for Benson to write a program that sniffs his Wi-Fi network for evidence the button was pushed, then records the data point, he said.
“Dash buttons are turned off most of the time to preserve the battery inside. They only turn on when you push them,” Benson wrote on Medium.com. “And that means they have to re-connect to your Wi-Fi network every time they are pushed. That’s easy to detect.” He rigged his Dash button to send data to spreadsheet software.
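The reconnect-on-press behavior Benson describes is visible to anyone who can read the network's own logs, which is also the exposure Erlin points to below. The following Python is an added example, not Benson's or Amazon's code: it assumes the button requests an address over DHCP each time it joins (the article does not say how the join is observed) and uses a constructed, dnsmasq-style log with made-up MAC addresses.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: dnsmasq-style DHCP log lines from a home router.
# MAC addresses, IPs, hostnames and timestamps are made up for illustration.
SAMPLE_LOG = """\
2015-08-19 07:02:11 dnsmasq-dhcp[812]: DHCPDISCOVER(wlan0) 02:00:00:aa:bb:01
2015-08-19 07:02:11 dnsmasq-dhcp[812]: DHCPOFFER(wlan0) 192.168.1.57 02:00:00:aa:bb:01
2015-08-19 07:02:12 dnsmasq-dhcp[812]: DHCPREQUEST(wlan0) 192.168.1.57 02:00:00:aa:bb:01
2015-08-19 07:02:12 dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.1.57 02:00:00:aa:bb:01
2015-08-19 07:40:03 dnsmasq-dhcp[812]: DHCPREQUEST(wlan0) 192.168.1.20 02:00:00:cc:dd:02
2015-08-19 07:40:03 dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.1.20 02:00:00:cc:dd:02 laptop
2015-08-19 13:15:40 dnsmasq-dhcp[812]: DHCPDISCOVER(wlan0) 02:00:00:aa:bb:01
2015-08-19 13:15:41 dnsmasq-dhcp[812]: DHCPREQUEST(wlan0) 192.168.1.57 02:00:00:aa:bb:01
2015-08-19 13:15:41 dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.1.57 02:00:00:aa:bb:01
"""

# timestamp, daemon tag, DHCP message type, optional IPv4 address, client MAC
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"DHCP(?P<kind>[A-Z]+)\(\S+\) (?:(?P<ip>\d+(?:\.\d+){3}) )?"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def join_events(log_text, mac, quiet=timedelta(seconds=30)):
    """Return one timestamp per network join of `mac`.

    A single join produces several DHCP messages within a second or two,
    so messages closer together than `quiet` count as the same join.
    """
    events, last_seen = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["mac"].lower() != mac.lower():
            continue  # unparseable line or a different device
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if last_seen is None or ts - last_seen > quiet:
            events.append(ts)  # first message after a silent gap: new join
        last_seen = ts
    return events


if __name__ == "__main__":
    for ts in join_events(SAMPLE_LOG, "02:00:00:aa:bb:01"):
        print("device joined (button press) at", ts.isoformat(sep=" "))
```

The same function run against any other MAC address in the log gives that device's join times, which is why log access on a home network is worth restricting.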
“A lot of people made fun of Dash buttons when Amazon launched them on the day before April Fool’s Day,” Benson said. “But regardless of what you think about Dash as a consumer product, it’s an undeniably compelling prototype of what the Internet of Things is going to look like.”
Could This Get Malicious?
We turned to Tim Erlin, director of IT security and risk strategy for advanced threat protection firm Tripwire, to get his take on the hack. Erlin told us Benson hasn't actually altered the behavior of the Dash button.
“He's simply recording activity on his home network. While he may not be doing so for malicious purposes, others may be able to use that information in ways that are less laudable,” Erlin said. “Human beings are tool users and problem solvers, so it's no surprise that given a new set of tools, people will 'solve' problems in new ways.”
Chris Conacher, security development manager at Tripwire, told us tech-savvy consumers will always be looking at ways to “improve” Internet of Things (IoT) products even if these “improvements” void their warranties. This is a double-edged sword for IoT vendors, he said.
“Companies that want to restrict this behavior may be penalized by the market missing out on an opportunity to develop community tie-ins to products even if it was not the original intent,” Conacher said. “This market will be consumer-driven purchasing at its purest. In the meantime, consumers that want to 'improve' IoT devices should beware of the implications of these changes, especially those that affect purchasing capability, otherwise you may find a lot of diapers on your doorstep.”
Posted: 2015-08-19 @ 4:30pm PT
What I would like to know is what the risk is of having to hand over your Wi-Fi password to Amazon in order to allow the Button to purchase the products that you have programmed into it? I just got three Buttons today, but haven't set any of them up yet because of this concern. What could they do with that information?