Researchers have warned, with even a factory reset possibly not being enough to remove all traces of user data from old Amazon Echo devices.
A team from Northeastern University bought and examined 86 used Amazon Echo Dot products over 16 months, and found that physically dismantling them to access the flash memory allowed the researchers to access previous users’ information even on those which had been reset.
What kind of data can be retrieved?
“An adversary with physical access to such devices for example, purchasing a used one can retrieve sensitive information such as Wi-Fi credentials, the physical location of previous owners, and cyber-physical devices such as, cameras, door locks.
“Such information, including all previous passwords and tokens, remains on the flash memory, even after a factory reset. This is due to the wear-leveling algorithms of the flash memory and lack of encryption,” they said.
According to the researchers, the required tools can be acquired for around $100 USD, and data can be scraped from a device with two to three hours’ work.
What does Amazon recommend?
In a statement to Gizmodo, Amazon said the security of its devices was its “top priority” and that it was working on additional mitigations.
“We recommend customers deregister and factory reset their devices before reselling, recycling, or disposing of them.”
“It is not possible to retrieve Amazon account passwords or payment card information from memory, because that data is not stored on device,” the manufacturer said.
Were there any other devices examined?
The researchers also examined devices such as the 2019 Echo Show 5 and the first-generation Google Home Mini, finding that none of the Google Home Mini devices had been factory reset at all.
