Internet of Things (IoT) devices that record copious details of the daily lives of users raise natural privacy concerns. Manufacturers include measures meant to address these concerns, such as the option of a history-clearing factory reset. But the consumer must trust that these privacy and safety measures work as advertised. It would appear that in the case of at least one high-profile smart speaker, that trust would be misplaced.
Academic research performed on 86 used Amazon Echo Dots has found that the factory reset does not truly wipe data from the devices; the data can still be recovered with relatively basic forensic techniques. Echo Dots commonly contain WiFi passwords, router MAC addresses, and Amazon logins, among other pieces of sensitive information.
Security issues continue to plague IoT devices; Echo Dots have a vulnerable factory reset process
Researchers from Northeastern University bought 86 used Echo Dots from eBay and flea markets over a period of 16 months, and additionally purchased six new Dots and loaded test data onto them. 61% of the secondhand devices had not even had the most basic factory reset done. But even when a factory reset had been performed, the researchers were able to use the publicly available forensic tool Autopsy to access the personal data that had previously been stored.
This runs counter to Amazon’s marketing, which says that the end user can safely remove any “personal content from the applicable device(s)” by using the factory reset function. The central issue is that the devices use flash memory, which is common to smart IoT devices and electronics built with a focus on portability. Flash memory is more difficult to permanently remove data from because it is designed to survive only a finite number of erase cycles (generally in the tens of thousands) before a memory block becomes inoperable. Since the storage media in these IoT devices would not last long if true erasures were being performed constantly, “deleted” data is often simply marked invalid and left in place, with new data written to an unused page in the block instead (a consequence of “wear leveling”). These invalidated pages, which still contain the data, remain present until a block fills up with them and a true erase is initiated.
Accessing flash memory that has been factory reset in this way does require some amount of technical skill and specialized equipment, but nothing that is a real barrier to the average enthusiast working at home. The researchers were able to physically remove memory chips from the Echo Dots and place them in special devices designed to read them, and also to access the memory without chip removal by use of a conductive needle. Once access has been established by one of these methods, the memory can be read with a forensic tool such as Autopsy, which simplifies much of the process.
Not only could sensitive data be recovered from the devices, but they could also be made to work again after being factory reset and reassembled. If an Echo Dot is removed from its “home network”, it is supposed to require the owner to grant permission via an app notification before it connects to another network. However, if the factory reset had been initiated, the device could be made to work on a new network with the old data that was still stored in the invalidated blocks restored. When queried, Alexa would return the previous owner’s name and respond to voice commands. This allowed the researchers to control other IoT devices connected to the network, create Amazon orders and access contacts, among many other functions. The Echo Dots would not return the user’s address, but it could be roughly estimated by asking the device to find the nearest facilities of various types, such as libraries and grocery stores. The key to all of this is that the authentication token needed to connect to the owner’s Amazon account is not removed by the factory reset process.
Vulnerability brings security of other IoT devices into question
Though all of this research was done exclusively on Echo Dot smart speakers, the researchers believe that this vulnerability is likely to apply to other Amazon portable and IoT devices such as the Fire tablets and Fire TV. It is possible that it applies to an even broader range of similar NAND-based flash memory IoT devices that handle data deletion and factory resets in a similar way.
The vulnerability should be of concern to Amazon IoT device users, as a stolen device might allow the thief to get into an Amazon account (and by association gain access to stored credit cards), and old devices would need to be physically destroyed on disposal, as is done with hard drives. But the researchers believe they have identified a viable fix, which they have proposed to Amazon. It would involve pushing a firmware update that would change its IoT devices so that key personal information such as passwords, tokens and other sensitive data is encrypted. It would not make the process that the researchers followed impossible to replicate, but it would add the difficult extra step of having to break the encryption on all of the data of interest. Amazon has responded to the researchers that it is working on mitigation measures, but did not specify exactly what those are.
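The following Python is an added illustration, not code from the Northeastern paper or from Amazon's firmware. It models the flash behaviour described above (a "delete" only invalidates a page, and the block is erased only once every page in it is stale) and the mitigation the researchers proposed (sensitive values stored encrypted, so a raw chip-off read yields only ciphertext). The block and page counts, the key names, the sample token and WiFi values, and the assumption that the encryption key lives somewhere other than the data flash are all constructed for the example; the keystream cipher is a stand-in for a real authenticated cipher.

```python
"""Toy NAND flash model: deletes invalidate pages; pages survive until a block erase."""
import hashlib
import secrets

PAGES_PER_BLOCK = 4   # constructed sizes; real NAND uses thousands of pages per block
BLOCK_COUNT = 3


class ToyFlash:
    """Page-granular writes, block-granular erases, as on NAND flash."""

    def __init__(self):
        self.pages = [[None] * PAGES_PER_BLOCK for _ in range(BLOCK_COUNT)]
        self.map = {}             # logical key -> (block, page) holding the live copy
        self.invalid = set()      # physical pages that hold stale ("deleted") data
        self.erase_count = [0] * BLOCK_COUNT

    def _free_page(self):
        for b in range(BLOCK_COUNT):
            for p in range(PAGES_PER_BLOCK):
                if self.pages[b][p] is None:
                    return b, p
        raise RuntimeError("flash full")

    def write(self, key, value: bytes):
        if key in self.map:
            self.invalid.add(self.map[key])   # old copy is only marked stale, not erased
        loc = self._free_page()               # new data goes to a fresh page (wear leveling)
        self.pages[loc[0]][loc[1]] = (key, value)
        self.map[key] = loc
        self._gc()

    def delete(self, key):
        """What a reset that merely drops the logical mapping does to a page."""
        self.invalid.add(self.map.pop(key))
        self._gc()

    def _gc(self):
        """True erase happens only when every page of a block is stale."""
        for b in range(BLOCK_COUNT):
            if all((b, p) in self.invalid for p in range(PAGES_PER_BLOCK)):
                for p in range(PAGES_PER_BLOCK):
                    self.pages[b][p] = None
                    self.invalid.discard((b, p))
                self.erase_count[b] += 1

    def read(self, key):
        loc = self.map.get(key)
        return None if loc is None else self.pages[loc[0]][loc[1]][1]

    def raw_dump(self):
        """Chip-off view: every page, live or stale, ignoring the logical mapping."""
        return [cell for block in self.pages for cell in block if cell is not None]


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keystream = SHA-256(key || nonce || counter) XORed with data (symmetric).
    Demonstration only; a real device should use an authenticated cipher such as AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


TOKEN = b"account-token-EXAMPLE-0001"   # constructed sample, not a real credential
WIFI_PSK = b"wifi-psk-EXAMPLE"          # constructed sample


def reset_leaves_plaintext() -> bool:
    """Plaintext storage: after 'reset' the logical reads are empty, the raw dump is not."""
    flash = ToyFlash()
    flash.write("auth_token", TOKEN)
    flash.write("wifi_psk", WIFI_PSK)
    flash.delete("auth_token")
    flash.delete("wifi_psk")
    assert flash.read("auth_token") is None and flash.read("wifi_psk") is None
    recovered = [v for _, v in flash.raw_dump()]
    return TOKEN in recovered and WIFI_PSK in recovered


def stale_pages_erased_once_block_is_full() -> tuple:
    """Only when all pages of a block are stale does the block actually get erased."""
    flash = ToyFlash()
    for i in range(PAGES_PER_BLOCK):
        flash.write(f"k{i}", b"v%d" % i)
    for i in range(PAGES_PER_BLOCK):
        flash.delete(f"k{i}")
    return (flash.raw_dump() == [], flash.erase_count[0])


def reset_with_encryption_leaves_only_ciphertext() -> bool:
    """Encrypted storage: the stale page survives, but holds ciphertext, not the token."""
    key = secrets.token_bytes(32)     # assumption: kept in a keystore, not on the data flash
    nonce = secrets.token_bytes(12)
    flash = ToyFlash()
    flash.write("auth_token", nonce + toy_encrypt(key, nonce, TOKEN))
    flash.delete("auth_token")
    recovered = [v for _, v in flash.raw_dump()]
    stale = recovered[0]
    still_decryptable_with_key = toy_encrypt(key, stale[:12], stale[12:]) == TOKEN
    return TOKEN not in recovered and len(recovered) == 1 and still_decryptable_with_key
```

The three functions make the argument concrete: a mapping-only delete leaves every sensitive value readable in the raw dump, a block is truly erased only after all of its pages are stale, and encrypting the values before they reach flash turns that leftover into ciphertext that is only useful to someone who also has the key. Whether the key itself can be recovered from the device is exactly the question a reviewer of such a firmware fix would ask next.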