Northeastern University researchers found that Echo Dots, Amazon’s smart devices, retain user data even after they are reset, including passwords, locations, authentication tokens and more. According to the team, third parties who master the technique and have the necessary equipment can retrieve information from a used device.
In short, the NAND chips in these devices organize records into planes, blocks and pages. Because the chips tolerate only a limited number of erase cycles, from 10,000 to 100,000, the components merely invalidate most of the data instead of erasing it, which extends the life of the storage.
The information is eventually erased, but only once a significant portion of a set has been invalidated. That’s where the danger lies, according to experts.
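The invalidate-now, erase-later behaviour described above can be sketched as a toy model. This is an added example, not code from the researchers or Amazon; the `ToyNand` class, the 4-page block, the 75% erase threshold and the sample records are all constructed assumptions.

```python
# Toy model (constructed): deleting a record only marks its page invalid;
# a block is physically erased only once enough of its pages are invalid.
PAGES_PER_BLOCK = 4
ERASE_THRESHOLD = 0.75  # assumed value; real controllers use their own policy

class ToyNand:
    def __init__(self, blocks=2):
        # each page is [state, data]; state is "free", "valid" or "invalid"
        self.blocks = [[["free", b""] for _ in range(PAGES_PER_BLOCK)] for _ in range(blocks)]
        self.index = {}                   # logical name -> (block, page)
        self.erase_counts = [0] * blocks  # erase cycles spent per block

    def write(self, name, data):
        if name in self.index:
            self.delete(name)             # overwrite = invalidate, then write elsewhere
        for b, block in enumerate(self.blocks):
            for p, page in enumerate(block):
                if page[0] == "free":
                    block[p] = ["valid", data]
                    self.index[name] = (b, p)
                    return
        raise RuntimeError("no free pages")

    def delete(self, name):
        b, p = self.index.pop(name)
        self.blocks[b][p][0] = "invalid"  # the bytes stay on the chip
        invalid = sum(1 for state, _ in self.blocks[b] if state == "invalid")
        if invalid / PAGES_PER_BLOCK < ERASE_THRESHOLD:
            return                        # not worth an erase cycle yet
        keep = [(n, self.blocks[bb][pp][1]) for n, (bb, pp) in self.index.items() if bb == b]
        self.blocks[b] = [["free", b""] for _ in range(PAGES_PER_BLOCK)]
        self.erase_counts[b] += 1
        for n, data in keep:              # relocate pages that are still valid
            del self.index[n]
            self.write(n, data)

    def factory_reset(self):
        for name in list(self.index):
            self.delete(name)

    def raw_dump(self):
        # what a physical read of the chip returns, regardless of page state
        return b"".join(data for block in self.blocks for _, data in block)

def demo():
    nand = ToyNand()
    nand.write("wpa_supplicant.conf", b'network={ssid="ExampleHome" psk="constructed"}')
    nand.write("owner", b"name=Constructed Owner")
    nand.factory_reset()
    after_reset = (len(nand.index), b"ExampleHome" in nand.raw_dump())
    nand.write("tmp", b"x")               # later churn pushes block 0 over the threshold
    nand.delete("tmp")
    return after_reset, (b"ExampleHome" in nand.raw_dump(), nand.erase_counts[0])
```

After the reset the logical index is empty, yet the raw dump still holds the Wi-Fi record; only later writes push the block over the threshold and trigger a real erase.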
Over the course of 16 months, scientists bought 86 used Echo Dots on eBay. Of these, 61% were unformatted and gave up everything they contained in a relatively simple way, something that surprised them. In any case, by delving deeper into their analysis, experts saw that anyone with physical access to a device from the line could retrieve a lot of sensitive data.
NAND chips do not actually erase all data. Source: Reproduction/Brian Dorey
Among the approaches they used, the researchers highlighted three, which were also applied to six new Echo Dots. They set these devices up with fictitious accounts in different geographic locations and on multiple Wi-Fi hotspots for weeks, and paired them with various home devices via Bluetooth.
The first method was the so-called chip-off, which involves disassembling the device, removing the flash memory and extracting data with external equipment. The second, in-system programming, grants access to the chip without removing it. Finally, the team turned to a third, hybrid method, which causes less damage to the parts and is considered the most interesting for smart devices.
So, they extracted the contents of the products and, using the forensic tool Autopsy, searched the images of the embedded multimedia cards. The tool showed the “invented” owner’s name multiple times, as well as the entire wpa_supplicant.conf file, which is responsible for keeping detailed records and cryptographic storage keys. Then, with these pointers and knowing exactly what to look for, they extended the process to other devices.
“When asked ‘Alexa, who am I?’ the device would return the name of the previous owner. Reconnecting to the spoofed hotspot did not generate a warning in the Alexa app or an email notification. package delivery dates, place orders [in the online store], get playlists and use the ‘drop-in’ feature,” they explained.
Devices “reveal” sensitive information with the appropriate method. Source: Reproduction/Crist/CNET
Dennis Giese, one of the researchers involved in the study, believes Amazon is dedicated to improving its security features, but for now, there is no way to avoid potential threats other than destroying the NAND chips. Still, the expert argues that resetting Echo Dots makes accessing information much more difficult and recommends doing so.
“Generally, and for all IoT devices, it’s a good idea to rethink whether it’s really worth reselling such items. But obviously this may not be the best for the environment,” he concludes.