In recent years, more and more smart speakers have found their way into private households. It is therefore not surprising that the used equipment market is very voluminous. Almost everyone is now able to get started with the smart home cheaply, but sellers have to worry about their data. Because a reset echo can be quickly restored.
Researchers at Northeastern University have now demonstrated this. They bought over 86 echo dots in 16 months, and six new devices were purchased and fed with test data. The problem was often not the simple restoration at all, 61 percent of the devices were not reset at all. Accessing the data was so extremely easy.
On the other hand, restoring devices wasn’t magic either. A forensic tool called Autospy was sufficient. The reason for the simple process is the way in which the echo stores data. Because the devices use flash memory, which would quickly break if there were too many write accesses. Therefore, deleted data is only marked as “invalid” and moved to an unused memory block.
A deletion only happens when new data is written to the memory block. So the researchers read out the memory and made deleted blocks readable again. After resetting to the factory settings, the data of the previous owners could be accessed even in a new network.
Alexa then replied with the name of the user, orders could be placed via Amazon and a lot of other information read out. The approximate place of residence of the previous owner could also be found out, a question about the nearest shopping centers, pharmacies, etc. narrowed the search down further and further.
The researchers reported the vulnerability to Amazon and made an initial proposal for a solution. Information should be stored on the device in encrypted form, making it much more difficult to restore data. Amazon says it is already working on a solution, when it will be rolled out is still unclear.
Via CPO Magazine