Sign In

Communications of the ACM

ACM TechNews

Resetting Your IoT Device Before Reselling It Isn't Enough, Researchers Find


View as: Print Mobile App Share: Send by email Share on reddit Share on StumbleUpon Share on Hacker News Share on Tweeter Share on Facebook
An Amazon Echo Dot.

Researchers at Northeastern University spent 16 months buying and reverse-engineering 86 used Amazon Echo Dot devices in an attempt to understand any security deficiencies they might have.

Credit: Victoria Song/Gizmodo

A study by Northeastern University researchers suggests that Amazon's recommendation that users factory reset their Internet of Things (IoT) devices, like the Amazon Echo, to erase personal information before reselling them may not be sufficient.

The researchers bought and reverse-engineered 86 used Amazon Echo Dot devices, finding that a majority of the users who resold their devices had not factory reset them.

This meant the researchers could easily access the former owner's Wi-Fi information, Amazon account credentials, and router MAC addresses, among other things.

Moreover, the researchers found that they could recover sensitive personal data stored on devices that previous owners actually had factory reset.

The researchers said, "Private information, including all previous passwords and tokens, remains on the flash memory, even after a factory reset. This is due to wear-leveling algorithms of the flash memory and lack of encryption."

From Gizmodo
View Full Article

 

Abstracts Copyright © 2021 SmithBucklin, Washington, DC, USA


 

No entries found