Finding Your Amazon Dash Button in 2016

Back when the Amazon Dash Button first came out my housemate and I found a post that described a way for identifying and intercepting Dash Buttons so that we could use them to do our bidding in a hacked together IoT ecoystem.

Recently we revisited our setup and sought to make some changes, but found that the old methods no longer worked. While a simple arp -an in our shells will reveal all ARP requests, I found it much easier to have a python script scanning to check for it.

First, lets take a quick look at the original script:

The issue with this script is that when checking for psrc, the packet's source IP, it is looking for 0.0.0.0. Amazon changed how the request is sent and this parameter has changed as well for some devices. We found that while one of our older Dash Buttons still had it, even after re-registering, two of them which has also previously worked with the script no longer did. The newest Amazon Dash Buttons had a completely different registration process.

If the if statement checking for the .psrc is removed you're able to see all ARP requests again, but that doesn't make identifying an Amazon one any easier.

Not being able to tell the devices apart, I decided to use WireShark to see if it revealed any more information I could use to discriminate between the requests.

Take a look at WireShark

WireShark reminded that mac-address are issued per manufacturer. As you can see from the requests with a source labeled AmazonTe which represents mac-address block.

Further investigation brought me to the IEEE which has a listing of the owners of all mac-address blocks (be careful looking at the file, the IEEE servers were very slow in relaying it to me). A block consists of the first 3 bytes of the mac-address.

With those in mind, I quickly gathered up the blocks from the listing associated with Amazon and wrote out this that finds ARP requests from Amazon manufactured devices:

This list, of course, can change. I found it interesting that we had 3 Dash Buttons purchased around the same time right after their first release and 2 newer ones, but 4 different mac-address blocks among them.