The Internet of Poops
August 18, 2015 8:57 AM

How Ted Benson hacked Amazon Dash (the $5 WiFi enabled single product order button) to track baby data.
posted by Artw (68 comments total) 20 users marked this as a favorite
 
This has exponentially increased my interest in getting a dash button; hopefully they'll be the wiimotes of 2015.
posted by Going To Maine at 9:07 AM on August 18, 2015 [2 favorites]


Oh, wait, it's also a back door ad for the author’s startup. Slightly less enthused.
posted by Going To Maine at 9:09 AM on August 18, 2015 [10 favorites]


"Back door" ad, eh? Like Poopsie Blue?
posted by tonycpsu at 9:10 AM on August 18, 2015 [14 favorites]


I suspect the last "pay the bills" step that's thrown in there would be the most trivially easy to replace.

(Not that a bit of it is super complicated, it's just a neat repurposing)
posted by Artw at 9:14 AM on August 18, 2015


I've been stooled.
posted by Going To Maine at 9:14 AM on August 18, 2015


My favorite part of Medium posts is wondering at what point in the article the author will promote his startup.
posted by frenetic at 9:15 AM on August 18, 2015 [42 favorites]


Have you noticed that all of Jessamyn’s medium posts are ads for libraries?
posted by Going To Maine at 9:16 AM on August 18, 2015 [16 favorites]


That's a pretty neat hack: reconceptualizing the device's existing functions rather than brute-force hacking the firmware.

I kinda wish I bought a couple when they were $0.99. I got one for $5 to try it out, and then realized that I can't actually buy what I wanted with it because they have these ridiculous brand and product restrictions. There is no reason why I should not be able to use my Tide button to buy the kind of Tide that I like or 500 hammers. I can only really see this being used for hacking.
posted by cosmic.osmo at 9:18 AM on August 18, 2015 [1 favorite]


Detailed Dash teardown (also).
posted by ryanshepard at 9:22 AM on August 18, 2015 [5 favorites]


There would be a market for a generic version of this, if someone wanted to build it. Just get it to hit a configurable URL, and see what people build.
posted by blue_beetle at 9:23 AM on August 18, 2015 [3 favorites]


I once saw a presentation from a residential special education school that had a software system that tracked toilet activity for students for whom that was a concern. Parents could log in and see data about their child's toilet usage. It was pretty cool.
posted by Bulgaroktonos at 9:29 AM on August 18, 2015 [1 favorite]


Both my kids have moved out of the age range where this is a concern but ages 0-3 there was a surprising amount of poop bureaucracy.
posted by Artw at 9:37 AM on August 18, 2015 [3 favorites]


There would be a market for a generic version of this, if someone wanted to build it. Just get it to hit a configurable URL, and see what people build.

Yeah, this. The hack in TFA is neat—but not all that practical. It relies on too many assumptions:

—that no one has completed the configuration process (lest you end up with 300 pallets full of Tide® products being delivered to your house)
—that your desktop computer is turned on at all times
—...and running the Python script at all times

Good enough for toying around, but not good enough for any serious purpose.

Given that the thing has Wi-Fi, it would be trivial to remove the intermediary (the desktop computer and the Python script) from the equation, and let the Dash ping a REST API directly.

Not sure what you'd use it for, but I'm sure someone would think of something.
posted by escape from the potato planet at 9:37 AM on August 18, 2015 [2 favorites]


Is this gonna be the CueCat all over again? Because I really hope so.
posted by griphus at 9:46 AM on August 18, 2015 [11 favorites]


Given that the thing has Wi-Fi, it would be trivial to remove the intermediary (the desktop computer and the Python script) from the equation, and let the Dash ping a REST API directly.

The cool part is he doesn't have to let the thing on his network at all; which is highly appropriate given that the only thing it's capable of doing is notifying that a button is pressed. Just sniffing the MAC and getting on with it is appropriate use of this technology.

If I were to do this I'd run the code on the router (your favorite free open firmware will run Python) and ban the MACs from joining the network. That way you don't waste network resources on these things and don't have to have a separate computer always up and running the listener.
posted by George_Spiggott at 9:48 AM on August 18, 2015 [5 favorites]


When I write an article, I usually forget to advertise something. No wonder my marketing career's down the crapper. What's odd to me about Medium is how the articles written by professional writers and/or journalists aren't called out in any way. The advertisements from startups and the paid content from writers/thinkers/whomever look the same. I suppose that's the point but it still surprises me. I haven't quite figured out why Medium pays for content. Oops, apologies for the derail.
posted by Bella Donna at 9:58 AM on August 18, 2015


Not sure what you'd use it for, but I'm sure someone would think of something.

A doorbell that snaps a webcam picture, rings a bell and (does whatever else you feel like it doing). I've wanted to DIY something like this for ages, and a $5 wi-fi enabled doorbell is a super cheap component of that setup. I'm very intrigued.
posted by mcstayinskool at 9:59 AM on August 18, 2015 [1 favorite]



So wait, this thing has:
  • a 120 MHz 32-bit microcontroller with 128 KB RAM and 1 MB program data storage
  • an additional 16 MB of non-volatile storage
  • a 24-bit digital audio microphone/sampler with a flat response from 60 Hz - 15 kHz
  • an 802.11n wifi module
... and we're okay wasting all of that tech just to mail-order disposable fucking nappies?
We are so fucked.
posted by scruss at 10:08 AM on August 18, 2015 [26 favorites]


$5 wi-fi enabled doorbell is a super cheap component of that setup

If only Hostess Ding Dongs were a supported product.

Speaking of which, why do products have to be explicitly supported? They developed the technology, they should have a JIT production system that can produce these on demand for any product in the database. The only details that distinguish one from another are the flippin' label and the SKU. I'm embarrassed for you, Amazon. That NYT article the other day? Compared to this, that was only sorta shameful. This failure you can really hang your head about.
posted by George_Spiggott at 10:10 AM on August 18, 2015 [3 favorites]


I suspect the target products subsidizing the manufacturing costs was a requirement when they were 99c - not so sure now.
posted by Artw at 10:13 AM on August 18, 2015 [3 favorites]


... and we're okay wasting all of that tech just to mail-order disposable fucking nappies?

I think, as with the seemingly excess hardware in a Nest thermostat (e.g. internal 567mAh battery, Zigbee antenna), it may point to Amazon having other intended uses for the Dash in the future.
posted by ryanshepard at 10:19 AM on August 18, 2015 [1 favorite]


I wonder how cheaply you could make a detector that could read a number off the underside of a label -- printed in any format you like, in ink having any properties available -- conductive, capacitive, resistive or just colored. That way your JIT production system only has to print the label, and the units could be literally identical with no differences in their firmware or data.

Then somebody'd work this out and publish an article on how to hack them by extracting the label with a razor blade and modifying or making your own with an ink and a template you can make yourself...
posted by George_Spiggott at 10:20 AM on August 18, 2015 [2 favorites]


Like Uber, but for butts.
posted by Huffy Puffy at 10:27 AM on August 18, 2015


• a 24-bit digital audio microphone/sampler with a flat response from 60 Hz - 15 kHz

Holy crap, that's another reason to ban it from actually joining your network. A closed-source listening device that accesses the internet? Maybe it's the NSA subsidizing these things, not just Huggies.
posted by George_Spiggott at 10:28 AM on August 18, 2015 [9 favorites]


cosmic.osmo: "or 500 hammers"

(mashes button repeatedly)

George_Spiggott: "Speaking of which, why do products have to be explicitly supported? "

You're not the customer here. It's about vendor dollars -- Amazon's not going to give up that sweet P&G cash just because you want to order some offbrand Tide Juicy Fresh Whitening Syrup.
posted by boo_radley at 10:28 AM on August 18, 2015 [2 favorites]


A closed-source listening device that accesses the internet?

It's for configuring the button.
posted by Nonsteroidal Anti-Inflammatory Drug at 10:39 AM on August 18, 2015 [1 favorite]


Seems like it would be easier, assuming you have a router that runs DD-WRT, Tomato, OpenWRT or whatever other open source firmware or use a full blown PC as a router and/or DHCP server, to have the DHCP server run a script when the Dash requests a lease.

That would eliminate the sniffing step and the second computer, and the necessity of having a switch that actually allows you to sniff the traffic.
posted by wierdo at 10:39 AM on August 18, 2015


There would be a market for a generic version of this, if someone wanted to build it. Just get it to hit a configurable URL, and see what people build.

The Flic "wireless smart button" seems to be heading towards that, but it's only available for pre-order.
posted by ndfine at 11:00 AM on August 18, 2015 [1 favorite]


I wonder how cheaply you could make a detector that could read a number off the underside of a label

It would need a camera, maybe a screen to line it up. Internet connectivity would need to be built in.

We could call this thing a phone. Everyone could carry them in their pockets or purses or way they carry other things around. No, wait, I know that seems like a tall order but man, for tracking poops people would totally do it.

TL/DR: make an app for that, save yourself $5 and another piece of crap (ar ar, threadshitponestyerical) in your life. Like all hacks we should take it for its artistic statement and not its logical purpose.
posted by Ogre Lawless at 11:01 AM on August 18, 2015 [2 favorites]


It's for configuring the button.

Oh sure, that's just, like, the pretext, man. That's what they want you to think.

Seriously, though, what? The thing has WiFi and you need a smartphone and their app to program it. There are implicit and explicit control channels already there up the wazoo. I'm really finding it difficult to believe that building in a whole separate audio-based subsystem just to set it up makes any kind of sense.
posted by George_Spiggott at 11:07 AM on August 18, 2015 [2 favorites]


Came for CueCat mention, was not disappointed.

As someone who comes from a long line of bargain-shoppers, the idea that I would reorder the same thing without checking prices every time and maybe switching brands is just ridiculous. I mean, for example we eat a lot of cheese sticks in our house, but I would not want a Cheese Sticks button. Because someone would develop a dairy allergy, or decide to go on a diet, and now I've got this useless button. Or a new brand would come out that was better and we would switch, same result.

Also, many brands use the Shrink Ray on things without telling you, and suddenly, you have 1/3 less cheese sticks for the same price.
posted by emjaybee at 11:08 AM on August 18, 2015 [4 favorites]


So wait, this thing has:
a 120 MHz 32-bit microcontroller with 128 KB RAM and 1 MB program data storage
an additional 16 MB of non-volatile storage
a 24-bit digital audio microphone/sampler with a flat response from 60 Hz - 15 kHz
an 802.11n wifi module


And the BOM cost for all this is like $5 or something. Probably less. Insane that it's more than cheap enough to give away to sell more stuff.

Anyway, this hack is neat, but not what I expected at all. He basically has a network monitor that eats ARP requests from this thing to trigger other actions, which is clever, but I had hoped for a firmware dump or a flash tool or somesuch.
posted by GuyZero at 11:09 AM on August 18, 2015
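
The passive approach discussed in the comments above (watching for ARP requests from a known MAC rather than touching the button), sketched as an added example that is not part of the thread or the linked article. The MAC addresses, IP addresses, the "baby-log" name and the 10-second quiet period are constructed assumptions; the frames are built inline so it runs without a network.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def build_arp_request(src_mac, sender_ip, target_ip):
    """Construct a broadcast Ethernet/IPv4 ARP request (sample data only)."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    eth = b"\xff" * 6 + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += sha + socket.inet_aton(sender_ip) + b"\x00" * 6 + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if the
    frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    mac = ":".join("%02x" % b for b in sha)
    return opcode, mac, socket.inet_ntoa(spa), socket.inet_ntoa(tpa)


class ButtonWatcher:
    """Maps watched MACs to event names and collapses bursts of requests
    from the same device into a single event (assumed quiet period)."""

    def __init__(self, buttons, quiet_seconds=10.0):
        self.buttons = {mac.lower(): name for mac, name in buttons.items()}
        self.quiet_seconds = quiet_seconds
        self.last_seen = {}

    def feed(self, timestamp, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REQUEST:
            return None
        name = self.buttons.get(parsed[1])
        if name is None:
            return None
        previous = self.last_seen.get(name)
        self.last_seen[name] = timestamp
        if previous is not None and timestamp - previous < self.quiet_seconds:
            return None  # same press, repeated request
        return name


def run_demo():
    button = "02:00:00:aa:bb:cc"  # constructed, locally administered MAC
    laptop = "02:00:00:11:22:33"  # constructed
    capture = [  # constructed (timestamp, frame) pairs
        (0.0, build_arp_request(button, "0.0.0.0", "192.168.1.50")),
        (0.4, build_arp_request(button, "192.168.1.50", "192.168.1.1")),
        (3.0, build_arp_request(laptop, "192.168.1.20", "192.168.1.1")),
        # non-ARP (IPv4) frame from the button's MAC: ignored by the parser
        (5.0, b"\xff" * 6 + bytes.fromhex("020000aabbcc") + b"\x08\x00" + b"\x00" * 46),
        (60.0, build_arp_request(button, "0.0.0.0", "192.168.1.50")),
    ]
    watcher = ButtonWatcher({button: "baby-log"})
    events = []
    for ts, frame in capture:
        name = watcher.feed(ts, frame)
        if name:
            events.append((ts, name))
    return events


if __name__ == "__main__":
    print(run_demo())
```

The same observation works for anyone in the broadcast domain, which is why ARP traffic alone reveals when a given device wakes up.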


There would be a market for a generic version of this, if someone wanted to build it.

There was some discussion on this in a previous askMe.

Note that the "hack" this guy describes involves no modification of the button itself, which has been torn down but the firmware inside is still an unknown. The Dash button learns about the home's wifi network through a set of audio codes chirped by a smartphone app you install.
posted by JoeZydeco at 11:09 AM on August 18, 2015 [1 favorite]


I think, as with the seemingly excess hardware in a Nest thermostat (e.g. internal 567mAh battery, Zigbee antenna), it may point to Amazon having other intended uses for the Dash in the future.

I think it's simply difficult to buy a smaller SoC these days. This is the cheapest thing you can buy in quantity and it's still got a ton of power.
posted by GuyZero at 11:10 AM on August 18, 2015 [1 favorite]


clever, but I had hoped for a firmware dump or a flash tool or somesuch.

Well, this is on medium.com, not arstechnica or even gizmodo or something, which puts it into the area of *cough* "life hacks", not actual hacks.
posted by George_Spiggott at 11:21 AM on August 18, 2015


Dash will be the next Cue Cat!
posted by miyabo at 11:26 AM on August 18, 2015 [1 favorite]


Eh, the most famous hack of all time was done with a whistle.
posted by Artw at 11:29 AM on August 18, 2015 [5 favorites]


For those of you saying that this is just NOT GOOD ENOUGH, you need to reprogram the Dash... well here's the current state of what the Internet knows about the internals of the Dash: how to reprogram it, and how to turn on its LED.

For a tired dad who just wants to keep track of baby poops... this quick hack is more than good enough. And hey, finally a use for that RasPi sitting around gathering dust! Run this script forever!
posted by egypturnash at 11:36 AM on August 18, 2015 [5 favorites]


Seriously, and as at least one commenter points out, this is a straightforward way to get a $5 equivalent to Flic or bttn, which cost respectively $35 and €69. I'm not bashing on it at all. In fact I'm really tempted to buy a few (products chosen at random or for beardy ironicular humor) to apply to certain routine commands that I now have to grab a tablet or open a terminal to do.
posted by George_Spiggott at 11:45 AM on August 18, 2015


> Seriously, though, what? The thing has WiFi and you need a smartphone and their app to program it. There are implicit and explicit control channels already there up the wazoo. I'm really finding it difficult to believe that building in a whole separate audio-based subsystem just to set it up makes any kind of sense.

The button can't access WiFi until it's been programmed, so it needs to get the information from the phone somehow. Pretty much all other products I've seen use Bluetooth (including Amazon Echo), so not sure why they went the audio route. Could be that they had a sweet deal on the DAC/mic from the Echo, actually.
posted by ReadEvalPost at 12:00 PM on August 18, 2015


The button can't access WiFi until it's been programmed, so it needs to get the information from the phone somehow. Pretty much all other products I've seen use Bluetooth (including Amazon Echo), so not sure why they went the audio route. Could be that they had a sweet deal on the DAC/mic from the Echo, actually.

The Amazon Dash (as distinct from the Amazon Dash Button) does have audio functionality, allowing you to say stuff you want added to your cart. That might have something to do with it.
posted by Bulgaroktonos at 12:12 PM on August 18, 2015


Wow. I have now seen the ugly looking thing that is the Amazon Dash (not button) - that makes the button and the echo look much saner.
posted by Artw at 12:22 PM on August 18, 2015


I once saw a presentation from a residential special education school that had a software system that tracked toilet activity for students for whom that was a concern. Parents could log in and see data about their child's toilet usage. It was pretty cool.

SMART PIPE. Lyme disease detected. Contacting local authorities.

Smart Pipe Inc. is a registered sex offender.
posted by FatherDagon at 12:59 PM on August 18, 2015 [2 favorites]


I'm really finding it difficult to believe that building in a whole separate audio-based subsystem just to set it up makes any kind of sense

Having worked with a number of these Wifi radio modules, this actually is genius. It's a chicken-and-egg problem....you should see how other systems setup/provision the radio system.

TI's CC3000 uses a system that, get this, listens to the encrypted traffic from its smartphone app and gathers the SSID and password out of the length bytes of each packet in sequence since that's not part of the encrypted payload.

More sane systems run the module in an access-point mode first, then you log in with a web browser and set up the SSID/PW. That's another customer support nightmare.

An optical receiver would have been my first choice, but not every smartphone has a flash on it. Audio is pretty universal. I honestly don't believe the SoC has the horsepower to decode or upload speech, however. But you never know.
posted by JoeZydeco at 1:03 PM on August 18, 2015 [8 favorites]


The audio part is interesting in light of Amazon's new product idea of a device that is specifically designed to sit in your home, record what you say, and send it to them.
posted by Poldo at 1:04 PM on August 18, 2015 [1 favorite]


JoeZydeco: " get this, listens to the encrypted traffic from its smartphone app and gathers the SSID and password out of the length bytes of each packet in sequence"

WHAT.
posted by boo_radley at 1:06 PM on August 18, 2015 [4 favorites]


The Echo has seven microphones, clearly in an attempt to outdo the five cameras on the Fire.
posted by Artw at 1:06 PM on August 18, 2015


WHAT

Yup.
posted by JoeZydeco at 1:18 PM on August 18, 2015 [9 favorites]


JoeZydeco, that is AMAZING.
posted by GuyZero at 1:23 PM on August 18, 2015 [1 favorite]


Actually if they built in an optical receiver to the Dash button, you could just use the screen as the optical out from an app on the phone. This isn't just conjecture on my part either, as it's already been patented by Electric Imp. Making a wifi button from their hardware that hits a custom endpoint is quite easy, unfortunately it will cost you quite a bit more than $5.
posted by fragmede at 1:31 PM on August 18, 2015


hmm, fragmede, that Electric Imp BlinkUp patent looks like it might have some prior art in the Timex Datalink (or whatever that watch was that you could program by holding it up to the screen) or even the old 1980s BASICODE programs transmitted by a flashing pixel in the corner of the TV screen. But they've probably said something specific like "programming network parameters via smartphone screen".
posted by scruss at 1:45 PM on August 18, 2015 [2 favorites]


Never underestimate the ability of parents to be bullshit and ruin everything.
posted by Artw at 1:51 PM on August 18, 2015 [1 favorite]


JoeZydeco... wow. Just when you think you've seen everything.


Wireless authentication has lots of real UI issues, especially when your UI is a single button (if there's a UI at all). Ideally, you want the user to take the gizmo out of the box, turn it on and have it all just work. But you don't want the bad guy next door to link his gizmos to your network in the same way. I've seen solutions where you have an app on your smartphone that says "tap your button once NOW" or actually pick up the sound of the gizmo being tapped on the smartphone, and then connect to the gizmo (I guess through a mutually-known SSID) to finish the job.

Personally, I think that if everyone knew morse, we wouldn't have a problem.
posted by Devonian at 1:53 PM on August 18, 2015 [1 favorite]


Uh can anyone describe why the CC3000 thing is amazing, preferably using metaphors like on Star Trek?
posted by griphus at 1:56 PM on August 18, 2015


I don't think "amazing" is the word everyone is thinking of.
posted by fragmede at 2:00 PM on August 18, 2015 [2 favorites]


It cracks your password with its ears.
posted by Going To Maine at 2:01 PM on August 18, 2015


Uh can anyone describe why the CC3000 thing is amazing, preferably using metaphors like on Star Trek?

Think of the Dash logic as a little bird chirping in the meadow, and the CC3000 logic as a wreath of pretty flowers which smell bad.

(The CC3000 logic involves the app leaking authentication data in unencrypted form on a wifi channel that anyone can monitor. The audio trick that the Dash performs may be a little wack but ultrasound doesn't penetrate walls very well and it seems at least possible that it's encrypted.)
posted by George_Spiggott at 2:07 PM on August 18, 2015


The CC3000 is using traffic analysis, which is a technique beloved of the NSA and likeminded friends. It says that even if you can't understand a message, you can tell a lot by how it looks, who's sending it and where it's going. In this case, the stuff that's designed to stay secret - the wifi network name and password - is being deliberately transmitted in the clear by a loophole in the underlying secure wireless protocol. That masks nearly all the information inside packets, but doesn't change the length of the packets.

So, the CC3000, which is inside the secure network and knows the name/password, just sends special 'empty' packets that are encrypted, but where the length of each packet is changed to match the characters and symbols in that name/password set. The thing that's being configured knows how to spot these packets, and doesn't need to decode them - it just notes the lengths, and thus learns the secret.

It's clever, because it means the user doesn't have to do anything, and uses an obscure side-effect of an otherwise well-designed system. (Geeks enjoy and rate such things, even if in the service of merely making things easier for users). It smells like a two-week-dead buffalo in the summer sun because it is deliberately circumventing an important security feature, and an evil-minded attacker could easily eavesdrop.

If this was an episode of Star Trek, it would be like Kirk knowing the exact moment to attack the Klingon vessel because Bones had whipped up a vial of Klingon Botty Virus and Scotty had beamed it in, and Spock spotting when the Klingon captain was on the kharzi with the squits (despite the kharzi itself being screened from scanning) because of the pattern of valves opening in the Klingon plumbing and waste disposal system that ran around the hull. (This is not an exact analogy, nor is it canon.)
posted by Devonian at 2:20 PM on August 18, 2015 [12 favorites]
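
Why the packet-length trick described in the comments above leaks to every listener, as an added example that is not part of the thread and is not TI's actual SmartConfig encoding. It is a simplified model: the toy cipher, the OVERHEAD, BASE and FIXED constants, the key and the secret are all constructed assumptions. It contrasts signalling through frame lengths with carrying the secret inside fixed-size encrypted payloads.

```python
import hashlib

OVERHEAD = 16  # assumption: constant bytes added per frame (header + integrity tag)
BASE = 32      # assumption: offset added so every signalling frame is non-empty
FIXED = 64     # assumption: payload size used by the constant-length variant


def encrypt(key, seq, plaintext):
    """Toy cipher: SHA-256 keystream XOR plus a truncated tag. Like real
    link encryption, it hides the bytes but not how many there are."""
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(
            key + seq.to_bytes(4, "big") + counter.to_bytes(4, "big")
        ).digest()
        counter += 1
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return body + hashlib.sha256(key + body).digest()[:OVERHEAD]


def provision_by_length(key, secret):
    """Sender inside the network: one frame per byte of the secret, with the
    payload length (not the payload content) carrying the byte value."""
    return [
        encrypt(key, i, b"\x00" * (BASE + value))
        for i, value in enumerate(secret.encode())
    ]


def provision_in_payload(key, secret):
    """Contrast case: the secret travels inside the encrypted payload,
    zero-padded to a multiple of FIXED so every frame has the same size."""
    data = secret.encode()
    data += b"\x00" * (-len(data) % FIXED)
    chunks = [data[i:i + FIXED] for i in range(0, len(data), FIXED)]
    return [encrypt(key, i, chunk) for i, chunk in enumerate(chunks)]


def recover_from_lengths(frames):
    """What any listener without the key can do: read frame sizes only."""
    values = [len(f) - OVERHEAD - BASE for f in frames]
    if any(v < 0 or v > 255 for v in values):
        raise ValueError("lengths do not fit the signalling scheme")
    return bytes(values).decode("utf-8", errors="replace")


def run_demo():
    key = hashlib.sha256(b"constructed network key").digest()
    secret = "HomeNet/correct horse"  # constructed SSID/passphrase pair
    leaky = provision_by_length(key, secret)
    padded = provision_in_payload(key, secret)
    # Returns what the keyless listener recovers from the first scheme, and
    # the set of distinct frame sizes it sees in the second.
    return recover_from_lengths(leaky), sorted({len(f) for f in padded})


if __name__ == "__main__":
    print(run_demo())
```

The listener never calls `encrypt` or holds `key`; in the first scheme the frame sizes are the message, so the strength of the cipher is irrelevant.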


Man, Wrath of Khan is really different than I remember.
posted by Artw at 3:15 PM on August 18, 2015 [1 favorite]


Eh, the most famous hack of all time was done with a whistle.

Lauren Bacall hacking the male libido? Not that that's difficult. Yeah, 2600, I know.
posted by BrotherCaine at 3:22 PM on August 18, 2015


So wait, this thing has:
a 120 MHz 32-bit microcontroller with 128 KB RAM and 1 MB program data storage
an additional 16 MB of non-volatile storage
a 24-bit digital audio microphone/sampler with a flat response from 60 Hz - 15 kHz
an 802.11n wifi module


"Watch this young wizkid run Doom on the dongle thing his mum uses to order Quest bars."
posted by turbid dahlia at 3:43 PM on August 18, 2015


Though MHz across architectures is a bit of an apples/oranges comparison, Doom targeted Intel's 386, which had a clock speed from 12 to 40 MHz, though it did have 4 MB of RAM.
posted by fragmede at 7:47 PM on August 18, 2015


So, the CC3000, which is inside the secure network and knows the name/password...

In the interest of keeping the players straight, the CC3000 wifi chip isn't leaking any SSIDs or passwords. It's the SmartConfig app that TI designed that is the problem. It runs on a phone or PC from inside the private network and leaks the information out using a loophole, which the CC3000 (who is sitting on the outside) happily sniffs out of the air and then uses to log into the private network.

The CC3000 can be set up using more normal means, such as sending the provisioning information over the internal signal lines. It doesn't have to be enabled in this SmartConfig mode. The SmartConfig thing was a somewhat clever way to get a customer device set up easily, but TI's desire that the method would stay secret is just wishful thinking.
posted by JoeZydeco at 7:55 PM on August 18, 2015 [3 favorites]


So, when I first heard about the Dash Button, this was precisely what I thought I could use it for.
posted by destrius at 11:24 PM on August 18, 2015


When I was a younger man, believing that your light switches were probably spying on you was a clear sign of mental illness. Now it's just a sign of being well-informed.
posted by flabdablet at 6:26 AM on August 19, 2015 [3 favorites]


Doom targeted Intel's 386

These days you can run it in the microcontroller that runs your printer. Or better still, somebody else's printer.
posted by flabdablet at 9:11 AM on August 19, 2015 [1 favorite]



These days you can run it in the microcontroller that runs your printer. Or better still, somebody else's printer.


Wouldn't the frame rate leave a lot to be desired, though?
posted by acb at 9:15 AM on August 19, 2015 [2 favorites]


Doesn't look too bad in the video embedded on that page.
posted by flabdablet at 9:21 AM on August 19, 2015

