Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
dash-button-probe
Advanced tools
Detect when an Amazon Dash Button is pressed using probe request frames.
Detect when an Amazon Dash Button is pressed, offline.
This package works by detecting which network your Dash Button attempts to connect to, and triggering an event when it finds the one you configured. By configuring your Dash Button onto a uniquely-named hotspot, and then turning off that hotspot, you can use the Dash Button offline without it ever connecting to Amazon's servers.
Requires a Wi-Fi adapter supporting monitor mode. In particular, this means that the Raspberry Pi 3's built-in Wi-Fi is not supported, and you will need an external USB Wi-Fi adapter with monitor mode support (such as this one). Some laptops, including most MacBooks, do have monitor mode support and will work without an external adapter.
First, you'll need to temporarily create a hotspot with an SSID that's different from all other Wi-Fi hotspots around you. This package will detect an event whenever any device tries to connect to a network with that name, so you need a network that nothing else will use. This network is only needed during setup. The easiest way to do this is to enable hotspot/tethering on a smartphone with a new SSID.
Follow this guide to configure your Dash Button on that network you just set up. Once you reach the product selection screen, close the Amazon app and disable the hotspot. The hotspot is no longer needed after this point.
Before running your script, you'll need to configure your Wi-Fi adapter into monitor mode. On Linux, you can use the following commands:
sudo ifconfig INTERFACE down
sudo iwconfig INTERFACE mode monitor
sudo ifconfig INTERFACE up
substituting INTERFACE for the name of your Wi-Fi hardware interface (e.g. wlan0
).
Install this package:
npm install dash-button-probe
Then, use the following snippet to detect button presses:
var dash_button = require('dash-button-probe');
var dash = dash_button(INTERFACE, SSID);
dash_button.on('press', function () {
console.log('button pressed');
});
where INTERFACE
is the name of your Wi-Fi hardware interface and SSID
is the unique network name you used during setup.
This package uses probe request frames instead of the ARP/UDP packet detection method used by most Dash Button packages (such as node-dash-button, which inspired this package). These are packets transmitted by a device to connect to a network with a particular SSID. In our case, the Dash Button never finishes the connection since the network doesn't exist anymore, but these packets are still detectable. This has the benefit of working without an active Wi-Fi network, as well as working across different networks. It also works in dense environments (dorms, offices, etc.) where networks with the same SSID may exist on multiple Wi-Fi channels. However, it does require monitor mode support in order to detect the probe requests.
FAQs
Detect when an Amazon Dash Button is pressed using probe request frames.
The npm package dash-button-probe receives a total of 0 weekly downloads. As such, dash-button-probe popularity was classified as not popular.
We found that dash-button-probe demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.