Passwords In Amazon Echo Dots Live On Even After You Factory-Reset the Device (arstechnica.com) 22
An anonymous reader quotes a report from Ars Technica: Like most Internet-of-things (IoT) devices these days, Amazon's Echo Dot gives users a way to perform a factory reset so, as the corporate behemoth says, users can "remove any... personal content from the applicable device(s)" before selling or discarding them. But researchers have recently found that the digital bits that remain on these reset devices can be reassembled to retrieve a wealth of sensitive data, including passwords, locations, authentication tokens, and other sensitive data. Most IoT devices, the Echo Dot included, use NAND-based flash memory to store data. Like traditional hard drives, NAND -- which is short for the boolean operator "NOT AND" -- stores bits of data so they can be recalled later, but whereas hard drives write data to magnetic platters, NAND uses silicon chips. NAND is also less stable than hard drives because reading and writing to it produces bit errors that must be corrected using error-correcting code.
Researchers from Northeastern University bought 86 used devices on eBay and at flea markets over a span of 16 months. They first examined the purchased devices to see which ones had been factory reset and which hadn't. Their first surprise: 61 percent of them had not been reset. Without a reset, recovering the previous owners' Wi-Fi passwords, router MAC addresses, Amazon account credentials, and information about connected devices was a relatively easy process. The next surprise came when the researchers disassembled the devices and forensically examined the contents stored in their memory. "An adversary with physical access to such devices (e.g., purchasing a used one) can retrieve sensitive information such as Wi-Fi credentials, the physical location of (previous) owners, and cyber-physical devices (e.g., cameras, door locks)," the researchers wrote in a research paper. "We show that such information, including all previous passwords and tokens, remains on the flash memory, even after a factory reset."
After extracting the flash contents from their six new devices, the researchers used the Autospy forensic tool to search embedded multimedia card images. The researchers analyzed NAND dumps manually. They found the name of the Amazon account owner multiple times, along with the complete contents of the wpa_supplicant.conf file, which stores a list of networks the devices have previously connected to, along with the encryption key they used. Recovered log files also provided lots of personal information. After dumping and analyzing the recovered data, the researchers reassembled the devices. The researchers wrote: "Our assumption was, that the device would not require an additional setup when connected at a different location and Wi-Fi access point with a different MAC address. We confirmed that the device connected successfully, and we were able to issue voice commands to the device. When asked 'Alexa, Who am I?', the device would return the previous owner's name. The re-connection to the spoofed access point did not produce a notice in the Alexa app nor a notification by email. The requests are logged under 'Activity' in the Alexa app, but they can be deleted via voice commands. We were able to control smart home devices, query package delivery dates, create orders, get music lists and use the 'drop-in' feature. If a calendar or contact list was linked to the Amazon account, it was also possible to access it. The exact amount of functionality depends on the features and skills the previous owner had used." Furthermore, the researchers were able to find the rough location of the previous owner's address by asking questions about nearby restaurants, grocery stores, and public libraries. "In a few of the experiments, locations were accurate up to 150 meters," reports Ars.
An Amazon spokeswoman said: "The security of our devices is a top priority. We recommend customers deregister and factory reset their devices before reselling, recycling, or disposing of them. It is not possible to access Amazon account passwords or payment card information because that data is not stored on the device." The threats most likely apply to Fire TV, Fire Tablets, and other Amazon devices, as well as many other NAND-based devices that don't encrypt user data, including the Google Home Mini.
Researchers from Northeastern University bought 86 used devices on eBay and at flea markets over a span of 16 months. They first examined the purchased devices to see which ones had been factory reset and which hadn't. Their first surprise: 61 percent of them had not been reset. Without a reset, recovering the previous owners' Wi-Fi passwords, router MAC addresses, Amazon account credentials, and information about connected devices was a relatively easy process. The next surprise came when the researchers disassembled the devices and forensically examined the contents stored in their memory. "An adversary with physical access to such devices (e.g., purchasing a used one) can retrieve sensitive information such as Wi-Fi credentials, the physical location of (previous) owners, and cyber-physical devices (e.g., cameras, door locks)," the researchers wrote in a research paper. "We show that such information, including all previous passwords and tokens, remains on the flash memory, even after a factory reset."
After extracting the flash contents from their six new devices, the researchers used the Autospy forensic tool to search embedded multimedia card images. The researchers analyzed NAND dumps manually. They found the name of the Amazon account owner multiple times, along with the complete contents of the wpa_supplicant.conf file, which stores a list of networks the devices have previously connected to, along with the encryption key they used. Recovered log files also provided lots of personal information. After dumping and analyzing the recovered data, the researchers reassembled the devices. The researchers wrote: "Our assumption was, that the device would not require an additional setup when connected at a different location and Wi-Fi access point with a different MAC address. We confirmed that the device connected successfully, and we were able to issue voice commands to the device. When asked 'Alexa, Who am I?', the device would return the previous owner's name. The re-connection to the spoofed access point did not produce a notice in the Alexa app nor a notification by email. The requests are logged under 'Activity' in the Alexa app, but they can be deleted via voice commands. We were able to control smart home devices, query package delivery dates, create orders, get music lists and use the 'drop-in' feature. If a calendar or contact list was linked to the Amazon account, it was also possible to access it. The exact amount of functionality depends on the features and skills the previous owner had used." Furthermore, the researchers were able to find the rough location of the previous owner's address by asking questions about nearby restaurants, grocery stores, and public libraries. "In a few of the experiments, locations were accurate up to 150 meters," reports Ars.
An Amazon spokeswoman said: "The security of our devices is a top priority. We recommend customers deregister and factory reset their devices before reselling, recycling, or disposing of them. It is not possible to access Amazon account passwords or payment card information because that data is not stored on the device." The threats most likely apply to Fire TV, Fire Tablets, and other Amazon devices, as well as many other NAND-based devices that don't encrypt user data, including the Google Home Mini.
I know... (Score:2)
It's too hard to de-register.
Sigh
Re: (Score:2)
Isn't the real question whether the average Joe knows it's crucial to scrub+deregister any of these information devices whether it's easy or not? Does the shopping cart include a big huge red warning when you buy it that it's dangerous to not completely scrub these things when disposing? That it's not like tossing a broken toaster in the garbage?
Obviously in this example it's not so much that your Amazon account will get hacked, unauthorized purchases can be resolved via customer service or cc chargebacks
Re: (Score:2)
Difficult to say.
I know MY devices are tied to my Amazon account and remain that way until I de-register them, meaning if they land in someone elses hands they can possible make purchases using it.
Do people know to chop up their credit cards when they dispose of them?
Re: (Score:2)
I suspect most do since credit cards have been around for a couple generations now. Which is why I suspect most don't think the same way about their information devices, they're less than a decade old and still magical mystery boxes to most. Willing to be proven wrong if there's good data out there, of course.
Re: (Score:2)
How do you propose scrubbing the device?
Need to use ... (Score:5, Funny)
Re: (Score:2)
Just stick them in the oven and do a self-cleaning cycle.
Make sure to put something underneath to catch the melted plastic, and vent the fumes.
Re: (Score:2)
Found a long time ago that three seconds in the microwave will zap the RFID in your credit card or drivers license (although 5 seconds will warp them out of usefulness). I suspect a minute or two should do fine for something like a Dot.
Re: (Score:2)
(although 5 seconds will warp them out of usefulness)
You forgot to put them between two glass measuring cups to keep them flat.
Another Amazon top priority (Score:2)
This should've been a no-brainer (Score:1)
Erasing this kind of memory should be almost trivial.
The fact that the reset command doesn't do this already is beyond comprehension.
Reset your devices before eBaying them (Score:1)
Re:Reset your devices before eBaying them (Score:5, Insightful)
How did both you and the Amazon spokesperson manage to completely fail to understand the issue?
Most "formatting" works that way (Score:5, Interesting)
No real surprise here, most times "reformatting" a storage volume tends to just write blank volume structure into place without actually erasing the actual stored data. That's why data from an accidentally-reformatted hard drive can usually be recovered. To really remove the data you need to find the option in the format program to zero out the entire volume during formatting or use a program to securely erase the volume. Factory reset _should_ properly do this to NVRAM on devices, but when the NVRAM is flash memory for a storage volume the load-leveling algorithms make that a fairly tricky process so I'm unsurprised that the firmware developers decided it was just too complicated to do it properly.
Re:Most "formatting" works that way (Score:5, Insightful)
Exactly.
Volumes that utilize Full Disk Encryption can also avoid the need to zero out all of the data on the volume by just wiping out the encryption key, making all of the rest of the data encrypted garbage. Now FDE with a password-protected key wouldn't be so useful for Echos because nobody wants to have to enter (speak?) a password when they boot it up, but even a stupid FDE with, say, a plaintext or hard-coded password would still enable the ability to do a cryptographic wipe for factory reset purposes.
Corporate double talk (Score:2)
Re: (Score:3)
They care about the security of their devices. They don't want you hacking and repurposing them, because that might reduce sales somehow. What they don't care about is your security.
Top Priorities (Score:5, Insightful)
no different (Score:2)
no different than buying a used harddrive and recovering info from it. From the steps it took and the type of specialized software needed, getting data from the dots is not something just anyone can do.
Say it isn't so (Score:2)
So wiping it doesn't really wipe it? Me so surprised!