Convenient new world: With their introduction at the ifa fair in early September Amazon is present with the Dash Button in Germany, too. With the pre-programmed order buttons Amazon customers can now trigger a purchases and delivery of certain consumer products – such as coffee capsules, razors, toothpaste or toilet paper – if they have been assigned to the button beforehand about the Amazon platform.

But as soon as the hip new order buttons are available, opinions about it differ a lot. So complains the Verbraucherzentrale Nordrhein-Westfalen a lack of transparency in matters of pricing and the order process. Customers have to order almost blind without an overview about price development and current costs of a product when they press the order button. According to consumer advocates and legal experts Amazon‘s Dash Button is unlawful with German standards.

Away from the legal debate Amazon developed with the Dash Button one of the cheapest smart home devices that can currently be found on the market, with a price of just 5 Euro. The order button is latched into the home Wi-Fi and orders predefined goods at Amazon’s by just one click. Reason enough for the security experts at AV-TEST institute to give the Dash Buttons a security testing.

Secure access procedure

The Dash Button carries out orders to Amazon directly, after the devices is connected via Wi-Fi and an internet connection is set to an appropriate account of the online shop. For attackers certainly a worthy goal, because a successful attack on the Dash Button could lead to the Amazon account of being attacked.

But Amazon has done a good job: The programming of the Dash Button is best done with the mobile app via Bluetooth. For attacks during setup hackers would have to be right next to the victim, theoretically possible but unlikely, and therefore no serious attack scenario.

After the setup the button takes radio contact with the wireless network. From here on, the communication is secured with SSL encryption (usually RSA AES 128 bits in CBC mode), which is  what is considered to be a strong enough encryption.

External communications

In terms of “external communication” the experts had a critical view at the update behavior of the smart home appliance. The focus had been on encrypted communication and testing the security of update sources against false certificates. In addition, it is checked whether the device sets up connections with unsecure third party domains.

During the test period of one week no firmware update for the Dash Button was carried out by Amazon. Accordingly, there was no signature and checksum verification possible in our labs. Corresponding tests are rescheduled for possible firmware updates. During the reviewed order processes the tester did not observe any links to third party domains. External communications oft the Dash Button are therefore assessed as safe, till retests are made.

Alternative setups potentially unsecure

Setup and programming of the Dash Button are done with Amazons mighty app, which communicates via Bluetooth. Under iOS the smartphone alternatively can receive sound signals from the Dash Button that are converted back into configuration commands. The Android app alternatively connects to the Wi-Fi which is offered by the Dash Button with the inviting name “Amazon ConfigureMe”. This is open communcation and not encrypted, so everyone can connect to it without login. As both alternatives offer the opportunity to steal the password of home Wi-Fi, AV-TEST recommends to carry out the setup oft the Dash Button in the standard version of the device via Bluetooth.

Good protected Wi-Fi

Once the Dash Button is set up, it connects via Wi-Fi. In the labs, this connection was tested with different analysis tools like “Dark Thunder”. In this tests the button responds to attack attempts with the termination of the connection, for instance if the SSL handshake had been manipulated. The same happened while trying to break the communication between the app and the internet connection do Amazon‘s store. In difference to the Dash Button false certificates can be installed to the smartphone. Once this is done, some SSL connections can be spyed. While testing  more connections to the iOS app seemed be opened, as to her Android counterpart. External third party connections wasn‘t observed, ergo no vulnerabilities had been found in this test.

Attempts to record the log data of the app with tools like “LogCat” brought some potentially problematic data to light, but no critical data such as credentials were among them. The code of the Amazon app appeared in the test as easily accessible, code obfuscation does not take place.

Privacy-Check passed

The smartphone Android app is not available in Google’s Play Store. In order to install and use it, users first need to disable the security mechanisms of the Android operating system. But no hint for a subsequent reactivation could be found in Amazons guidelines. The app itself is very extensive and includes not only the functionality for the Dash Button, it‘s an „Amazon All-in-One app“. This also includes all the functionality for Amazon‘s App Store for Android. Therefore, the app needs a wide range of rights – too many for the Dash Button only. In Android Version 6 those rights are only claimed from the user when they are needed and so only two demands had been seen while testing. Nevertheless, considering the disabled protection functions, it would be more advisable to outsource App Store functionality in an own app and to run Dash Button functions in another.

Both apps, Android and iOS, offer potential for improvement in case of privacy protection. A starting point could be the management of passwords: When entering the app passwords are always displayed by default and and the app suggests to store the Wi-Fi’s password on Amazon servers. The same applies to the Wi-Fi password by default. In our test, after storing passwords as recomanded, the app received the password from now on via the URL “credential-locker-service.amazon.eu” whose IP should sit in Ireland, Dublin and accordingly is hosted under the privacy laws of Ireland, which aren’t to strong. The support page of Amazon informs, that you have to contact support for deleting passwords. The security experts at AV-TEST strongly advise users to store their passwords in a more secure way!

Conclusion and Review

With the Dash Button Amazon has landed the probably cheapest smart home device on the German market, which has a chance tobe used in many households. According to the importance of a solid base security, after all, it can be assumed, that the buttons opens direct communication to Amazon accounts of many users and potentially pushing the trigger will lead to valid contracts. For basic security requirements Amazon has done a good job: The Dash Button passes the technical safety check of AV-TEST with 3 of 3 possible points.

Reason for criticism, however, is the weak concept for user privacy protection, for example the procedure of storing the wireless password on Amazon’s servers.