Like most Internet of Things devices, Amazon's Echo Dot gives users a way to perform a factory reset so that, as the company puts it, users may "remove any … personal content from the relevant devices" before selling or discarding them. But researchers have recently found that the digital bits that remain on these reset devices can be reassembled to retrieve a multitude of sensitive data, including passwords, locations, authentication tokens, and other things.
Most IoT devices, the Echo Dot included, use NAND-based flash memory to store data. Like traditional hard drives, NAND, short for the "not and" logic gate, stores bits of data so that they can be recalled later. But while hard drives write data to magnetic platters, NAND uses silicon chips. NAND is also less stable than a hard drive because reading from and writing to it introduces bit errors that must be corrected with an error-correcting code.
NAND is usually organized in planes, blocks, and pages. The design allows only a limited number of erase cycles, typically on the order of 10,000 to 100,000 per block. To extend the life of the chip, pages holding deleted data are usually marked invalid rather than erased. True erasure usually happens only when most of the pages in a block have been invalidated, at which point the whole block is erased. This procedure is known as wear leveling.
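The following is an added example, not code from the researchers or from Amazon, that models the mechanism described above as a toy page-mapped flash translation layer (FTL). The geometry (4 blocks of 4 pages), the garbage-collection threshold (75 percent invalid pages), the `psk=`/`token=` record format and the sample secrets are all constructed for the example. It shows why a logical "delete" or factory reset leaves credentials readable in a raw dump of the chip, and that they disappear only once wear leveling actually erases the block.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed toy geometry; real chips have thousands of blocks of 64 to 256 pages each.
PAGES_PER_BLOCK = 4
NUM_BLOCKS = 4
GC_THRESHOLD = 0.75   # assumption: a block is erased only once 75% of its pages are invalid


@dataclass
class Page:
    data: Optional[bytes] = None   # None means erased (all ones on a real chip)
    valid: bool = False            # True only while a logical key still points here


class NandSim:
    """Page-mapped FTL: logical keys map to physical (block, page) locations."""

    def __init__(self):
        self.blocks = [[Page() for _ in range(PAGES_PER_BLOCK)] for _ in range(NUM_BLOCKS)]
        self.mapping = {}                  # logical key -> (block, page)
        self.erase_counts = [0] * NUM_BLOCKS

    def _free_page(self):
        for b, block in enumerate(self.blocks):
            for p, page in enumerate(block):
                if page.data is None:
                    return b, p
        return None

    def _invalidate(self, key):
        loc = self.mapping.pop(key, None)
        if loc is not None:
            self.blocks[loc[0]][loc[1]].valid = False   # cell contents are left untouched

    def write(self, key, data):
        """Overwrite: mark the old page invalid and write the new data to a fresh page."""
        loc = self._free_page()
        if loc is None:
            self.garbage_collect()
            loc = self._free_page()
            if loc is None:
                raise RuntimeError("flash full")
        self._invalidate(key)
        b, p = loc
        self.blocks[b][p] = Page(data, True)
        self.mapping[key] = (b, p)

    def delete(self, key):
        self._invalidate(key)

    def read(self, key):
        loc = self.mapping.get(key)
        return None if loc is None else self.blocks[loc[0]][loc[1]].data

    def factory_reset(self):
        """Model a reset that drops every logical entry without erasing any block."""
        for key in list(self.mapping):
            self.delete(key)

    def garbage_collect(self):
        """Wear leveling: erase only full blocks that are mostly invalid,
        relocating the few still-valid pages first."""
        for b, block in enumerate(self.blocks):
            if any(pg.data is None for pg in block):
                continue
            invalid = sum(1 for pg in block if not pg.valid)
            if invalid / PAGES_PER_BLOCK < GC_THRESHOLD:
                continue
            survivors = []
            for key, (kb, kp) in list(self.mapping.items()):
                if kb == b:
                    survivors.append((key, self.blocks[b][kp].data))
                    del self.mapping[key]
            self.blocks[b] = [Page() for _ in range(PAGES_PER_BLOCK)]   # the real erase
            self.erase_counts[b] += 1
            for i, (key, data) in enumerate(survivors):
                self.blocks[b][i] = Page(data, True)
                self.mapping[key] = (b, i)

    def raw_dump(self):
        """What a physical read of the chip returns: every written page, valid or not."""
        return b"\n".join(pg.data for block in self.blocks for pg in block if pg.data is not None)

    def stale_pages(self):
        return sum(1 for block in self.blocks for pg in block if pg.data is not None and not pg.valid)


def carve(dump):
    """Pull credential-looking records out of a raw image, ignoring the FTL mapping."""
    return re.findall(rb"(psk|token)=(\S+)", dump)


def demo():
    nand = NandSim()
    nand.write("wifi", b"ssid=HomeNet psk=OldPassword1")    # constructed sample secrets
    nand.write("token", b"token=amzn-session-0123456789")
    nand.write("wifi", b"ssid=HomeNet psk=NewPassword2")    # overwrite leaves the old psk behind
    nand.factory_reset()
    logical = {k: nand.read(k) for k in ("wifi", "token")}  # the device itself sees nothing
    return logical, carve(nand.raw_dump())


def demo_gc():
    """Only once rewrites fill the chip does wear leveling erase the stale copies."""
    nand = NandSim()
    for i in range(PAGES_PER_BLOCK * NUM_BLOCKS + 1):
        nand.write("wifi", b"psk=Password%d" % i)
    return nand.erase_counts, nand.stale_pages()


if __name__ == "__main__":
    print(demo())
    print(demo_gc())
```

After the reset, `read()` returns nothing for either key, yet `carve()` recovers both Wi-Fi passwords and the session token from the raw image. In `demo_gc()` the chip has to be rewritten 17 times before every block crosses the threshold and is erased, and even then one stale copy survives; on a real device with many more pages, the window in which old secrets remain is correspondingly larger.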
Researchers from Northeastern University bought 86 used devices on eBay and at flea markets over 16 months. They first inspected the purchased devices to determine which ones had been reset to factory settings and which had not. First surprise: 61 percent of them had not been reset. Without a reset, recovering the previous owners' Wi-Fi passwords, router MAC addresses, Amazon account credentials, and information about connected devices was relatively easy.
The next surprise came when the researchers dismantled the devices and forensically examined the contents of their flash memory.
"An adversary with physical access to such devices (e.g., buying a used one) can retrieve sensitive information such as Wi-Fi credentials, the physical location of (previous) owners, and cyber-physical devices (e.g., cameras, door locks)," the researchers wrote in their paper. "We show that such information, including all previous passwords and tokens, remains in flash memory, even after resetting to factory settings."
Used Echo Dots and other Amazon devices can be found in various states. One is that the device is still provisioned, as 61 percent of the purchased Echo Dots were. Otherwise, the device may have been reset while connected to the previous owner's Wi-Fi network or reset while not connected to it, in either case with or without the device having been removed from the owner's Alexa app.
Depending on the type of NAND flash and the state of the previously owned device, the researchers used several techniques to extract the stored data. For reset devices, one is a process known as chip-off, which involves disassembling the device and desoldering the flash memory. The researchers then use an external reader to access and extract the flash contents. This method requires a fair amount of equipment, skill and time.
A different process called in-system programming (ISP) allows researchers to access the flash without desoldering it. It works by scraping the solder mask off the printed circuit board and attaching a conductive needle to the exposed copper to tap into the signal trace that connects the flash to the CPU.
The researchers also created a hybrid chip-off method that causes less damage and thermal stress to the PCB and to the embedded multi-chip package. Such damage can cause short circuits and breakage of the PCB pads. The hybrid technique uses a donor multi-chip package for the RAM together with the embedded multimedia card (eMMC) portion of the original multi-chip package. This method is mostly of interest to researchers who want to analyze IoT devices.
In addition to the 86 used devices, the researchers purchased six new Echo Dots and, over the course of several weeks, provisioned them with test accounts at different geographic locations and on different Wi-Fi access points. They paired the provisioned devices with various smart home and Bluetooth devices. The researchers then extracted the flash contents from these still-provisioned devices using the techniques described above.