Researchers from Northeastern University recently conducted a study on Amazon's Echo Dot, finding that even after a full factory reset, some sensitive user data remains on the device. Amazon itself claims the best way to prep a device for resale is to factory reset it. In fact, that has always been the trusted technique for ridding devices of personal data.

IoT devices like the Echo Dot handle a great deal of user data. Because they are often used to control different functions of a smart home, and occasionally even to look things up online for the user, they pass data around constantly. The security of these devices is often overlooked, since the Echo Dot has no advanced user interface and is instead voice-controlled with LED feedback. However, while it may look like a simple piece of technology, the Echo Dot has access to a lot of personal information.

The Northeastern University researchers who discovered the issue spent over one year scouring marketplaces like eBay and flea markets to find these devices listed for resale. All in all, they were able to retrieve 86 Amazon Echo Dot devices, with the sole intent of taking them apart and figuring out where their security falls short. The team found these 86 devices in multiple different states, ranging from never reset and never deleted from the cloud to completely reset with the cloud binding deleted. In order to complete a full reset, a user would need to not only delete the device from the Amazon Alexa app but also factory reset the device. Some users reset the device but didn't delete the connection in the app, or vice versa.

Digging For Personal Data

After establishing these states and sorting the devices accordingly, the team started working to retrieve certain information. Unsurprisingly, the devices whose owners didn't reset them properly were picked apart for information like the owner's Wi-Fi info, MAC address, and even their Amazon account information. This was done with voice commands and indirect questions in order for the researchers to pinpoint information about the previous owner. However, even devices that had been reset proved able to provide personal information to the team. The reason for this is that the device uses NAND flash to store some information. Due to the nature of how this memory works, when the device is reset, the information contained remains accessible. "Such information, including all previous passwords and tokens, remains on the flash memory, even after a factory reset. This is due to the wear-leveling algorithms of the flash memory and lack of encryption," the researchers said. In a statement to Gizmodo, Amazon explained, "It is not possible to retrieve Amazon account passwords or payment card information from memory, because that data is not stored on device."
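The following toy model is an added illustration, not code from the study or from Amazon, of why wear-leveling combined with missing encryption leaves data behind. It assumes the reset is a logical overwrite, uses a hypothetical `ToyFlash` class with no garbage collection (real controllers erase stale pages eventually, with no guarantee of when), and uses a hash-based keystream as a stand-in for a real cipher.

```python
import hashlib
import os

class ToyFlash:
    """Toy flash translation layer: every write lands on a fresh physical page."""
    def __init__(self, pages=16):
        self.phys = [None] * pages   # raw physical pages, as a direct chip read sees them
        self.map = {}                # logical block -> physical page
        self.next_free = 0

    def write(self, lba, data):
        # Out-of-place write: the previous page goes stale but is not erased.
        self.phys[self.next_free] = data
        self.map[lba] = self.next_free
        self.next_free += 1

    def read(self, lba):
        return self.phys[self.map[lba]]

    def raw_dump(self):
        return b"".join(p for p in self.phys if p is not None)

def keystream_xor(key, data):
    # Stand-in for a real cipher such as AES; for illustration only.
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def residue_after_reset(encrypt):
    """Return True if the plaintext secret is still in the raw pages after a reset."""
    secret = b"wifi_psk=CONSTRUCTED-EXAMPLE-PSK"   # constructed sample value
    key = os.urandom(32) if encrypt else None
    flash = ToyFlash()
    flash.write(0, keystream_xor(key, secret) if encrypt else secret)
    # Modeled "factory reset": overwrite the logical block, then discard the key.
    flash.write(0, b"\x00" * len(secret))
    key = None
    assert flash.read(0) == b"\x00" * len(secret)  # the logical view looks clean
    return secret in flash.raw_dump()              # the physical view may not be

if __name__ == "__main__":
    print("plaintext storage, secret survives reset:", residue_after_reset(False))
    print("encrypted storage, secret survives reset:", residue_after_reset(True))
```

With encrypted storage, the stale page holds only ciphertext, so destroying the key at reset is what makes the leftover page useless.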

The fact that this information is technically still there can be scary. In order for this information to be accessed, however, someone with a high level of knowledge about the inner workings of IoT devices would be needed. The chance of that happening to the user's information is slim, but the fact that 61 percent of devices in the study were never reset is a little unnerving. Users should always reset their Amazon Echo Dot or any other IoT devices, even if that data may still be accessible.

Source: ACM DL, Gizmodo