image credit: Pixabay

The Hidden Secrets in IoT Devices: Amazon Echo Does Not Erase Personal Data Even After Resetting to Factory Settings

July 30, 2021


The smart devices we use at home or at the office don’t always work as expected, and we often find that our gadgets don’t quite protect our personal data, such as addresses, passwords, and search/browsing history. One such example would be the Amazon Echo smart speaker. A recently published study demonstrates that even after factory reset, these devices don’t completely erase users’ data. This obviously runs counter to Amazon’s marketing, which says that the end-user can safely remove any “personal content from the applicable device(s)” by using the factory reset function. 

Accessing the Personal Data Previously Stored on the Device

It is easy to understand why IoT (Internet of Things) devices can be a target for cybercriminals, as they record massive amounts of data. Normally, users would prefer to put their trust in the manufacturer’s claims of security and extensive customization options, but a group of researchers from Northeastern University in Boston is urging us to rethink the situation.

The academic study called “Amazon Echo Dot or the Reverberating Secrets of IoT Devices” has brought forward many vulnerabilities, during a relatively simple experiment. Over 16 months, researchers purchased no fewer than 86 Amazon Echo Dot speakers and six brand-new Echo Dots from eBay and second-hand stores. All of these were loaded with a data-testing program. 61% of the second-hand devices had not even gone through the basic return to factory settings process. The fascinating part is what happens after the full factory-reset process is performed: even though the Amazon Echo was virtually pristine, the publicly available Autospy software managed to extract quite a bit of data from them, data that should have been permanently deleted.

According to the paper, when asked “Alexa, who am I?”, the devices told researchers the names of their previous owners. The researchers also were able to get the previous owner’s Wi-Fi password, MAC address, Amazon account info, and connected devices. If you think a factory reset would solve the issue, you’re in for a surprise: the study proves the opposite of the giant’s claims about completely and securely wiping information from its gadgets.

The Possible Cause of This Problem

In general, electronic devices, including IoT, incorporate flash memory as the data storage medium, because they are built with the primary goal of combining functionality and portability. Complete erasure of flash memory is a more difficult process because it allows for a finite number of erase cycles (usually tens of thousands) until a block of memory becomes inoperable.

Since IoT storage (as we’ve seen with Amazon Echo) would suffer if full erasures were performed constantly, the “erased” data is instead transferred to an unused portion of the memory block. The process is called “wear leveling”, and this data remains in that space until the excess accumulation triggers the real permanent erasure.

In theory, it’s not terribly complicated to access flash memory that is supposed to have been reset. It requires a modicum of proper equipment and the knowledge to do so. But how did the researchers manage to extract the information from the Amazon Echo?

The researchers extracted the memory chips from Echo Dots and placed them in a device specifically designed to read them, but they were able to access the data even without having to literally extract it from Amazon Echoes. Once the process is complete, anyone can access the data stored via a clever software called Autospy.

The result? Important data could be recovered and, more importantly, could be recovered even after the factory reset and device reassembly. In addition, the test showed that the Amazon Echo was able to connect to another network using data from the previous network, data stored in that above-mentioned memory block.

Moreover, Alexa would respond to user commands using the former owner’s name, which gave researchers expanded access to a whole range of information: contact lists, networks, Amazon orders, and more.

What About Other Smart Speakers

While the study was mostly based on Amazon Echo Dot speakers, the researchers also studied other smart speakers. This included the Amazon Echo Show 5, which also let them extract browser data. The study sampled Google Home Mini, third-gen Amazon FireTV, and Xiaomi Smart AI Speaker with a display. While researchers could gather a lot of data from reset devices in working condition, they could gather traces of data even from broken devices.

As IoT devices record copious details of daily lives, the discovery made by Northeastern University’s researchers should give all users of such devices something to think about. Their data could easily be recovered and used. If someone finds it for sale on eBay, that someone might be perhaps too passionate about cracking device security. At the end of the day, it’s not just Amazon fans who should be more careful, but all those who use IoT devices regularly, at home or at the office.