Amazon Echo customers should think carefully about reselling their old devices, researchers have warned, because even a factory reset may not be enough to remove all traces of user data.
A team from Northeastern University bought and examined 86 used Amazon Echo Dot products over 16 months, and found that physically dismantling them to reach the flash memory let the researchers recover previous users’ information, even from devices which had been reset.
“An adversary with physical access to such devices (e.g., purchasing a used one) can retrieve sensitive information such as Wi-Fi credentials, the physical location of (previous) owners, and cyber-physical devices (e.g., cameras, door locks).
“Such information, including all previous passwords and tokens, remains on the flash memory, even after a factory reset. This is due to the wear-leveling algorithms of the flash memory and lack of encryption,” they said.
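The mechanism the researchers describe, as an added example that is not part of the original article or the researchers' tooling: a simplified Python model of a flash translation layer in which a reset overwrites data logically. The class, the reset behaviour, the toy cipher and the sample credential are all assumptions made for illustration; the model shows why the old page survives in a raw dump and how encryption with a key destroyed at reset changes that.

```python
import hashlib
import os

class ToyFlash:
    """Constructed model of a flash translation layer with out-of-place writes."""
    def __init__(self, pages=8):
        self.phys = [None] * pages   # raw physical pages, as a direct chip read sees them
        self.l2p = {}                # logical block -> physical page
        self.next_free = 0

    def write(self, lba, data):
        # Wear leveling: never overwrite in place. Take the next free page and
        # leave the previously mapped page stale but physically intact.
        self.phys[self.next_free] = data
        self.l2p[lba] = self.next_free
        self.next_free += 1

    def read(self, lba):
        return self.phys[self.l2p[lba]]

    def raw_dump(self):
        return b"".join(p for p in self.phys if p is not None)

def keystream_xor(key, data):
    # Toy stream cipher (SHA-256 in counter mode), a stand-in for real storage encryption.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

SECRET = b"wifi_psk=constructed-example-passphrase"  # constructed sample value

def reset_plaintext_device():
    flash = ToyFlash()
    flash.write(0, SECRET)
    flash.write(0, b"\x00" * len(SECRET))    # assumed reset: logical overwrite only
    return flash.read(0), flash.raw_dump()

def reset_encrypted_device():
    flash, key = ToyFlash(), os.urandom(32)
    flash.write(0, keystream_xor(key, SECRET))
    flash.write(0, b"\x00" * len(SECRET))
    key = None   # reset destroys the key; real designs keep it in erasable secure storage
    return flash.read(0), flash.raw_dump()
```

In the plaintext case the logical view reads back zeros while the raw dump still contains the credential; in the encrypted case the stale page holds only ciphertext.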
According to the researchers, the required tools can be acquired for around $100 USD, and data can be scraped from a device with two to three hours’ work.
In a statement to Gizmodo, Amazon said the security of its devices was its “top priority” and that it was working on additional mitigations.
“We recommend customers deregister and factory reset their devices before reselling, recycling, or disposing of them.
“It is not possible to retrieve Amazon account passwords or payment card information from memory, because that data is not stored on device,” the manufacturer said.
The researchers also examined devices such as the 2019 Echo Show 5 and the first-generation Google Home Mini, finding that none of the Google Home Mini devices had been factory reset at all.