A lot of users’ private information is stored by Internet of Things (IoT) devices, so it is hardly surprising that users are concerned, and for good reason. While factory resets have long been cited as the natural answer to these concerns, consumers can only trust that such measures actually work. And it turns out that this trust has been misplaced, if not broken, by one well-known maker. An academic study carried out on the Amazon Echo Dot has found that factory resets do not satisfactorily wipe data from such devices. In fact, it noted that simple forensic procedures can be sufficient to restore data deleted through factory resets on IoT devices like the Amazon Echo Dot.
This is worrisome, especially because the Echo Dot holds a copious amount of user data, from WiFi passwords and Amazon login credentials to router MAC addresses, among other sensitive information.
The Study and its Findings
The study was carried out by a group of researchers from Northeastern University on 86 used models of the Amazon Echo Dot, which were purchased from eBay and flea markets. Additionally, six new Echo Dots were included in the study. The results showed that 61% of the used models had not had any previous factory reset done on them, and even after the group carried out a factory reset, they were able to easily access the previously stored data, simply by making use of the forensic tool Autopsy.
This is in direct contravention of Amazon’s own claims, which make users believe that they can safely remove all their data from “applicable devices” by performing a factory reset.
Where the Problem Stems From
The main issue at hand is that most smart IoT devices come equipped with flash memory, and since this kind of memory allows only a finite number of deletion cycles, it becomes more difficult to get rid of the data stored on it. The memory becomes inoperable after a finite number of delete cycles (which can range in the thousands) have been carried out, so deletions are not performed as physical erasures. As such, the data which is deleted is actually just marked invalid, and moved to an unused page, from where it can rather easily be brought back.
In order to once again gain access to the deleted data files, all that the researchers had to do was physically move the memory chips into devices built especially for reading them, followed by Autopsy scanning. Apart from retrieving deleted data, the researchers also succeeded in making the devices work on the same network that they had previously used.
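The behaviour described in the two paragraphs above can be seen in a toy model. This is an added example, not code from the study or from Amazon: `ToyFlash`, its methods and the sample values are hypothetical, and treating a factory reset as a purely logical operation is a simplifying assumption rather than the Echo Dot's actual storage design.

```python
# Toy model (constructed for illustration): page-mapped flash with out-of-place writes.
ERASED = b"\xff" * 16          # an erased NAND page reads back as all 0xFF
PAGES_PER_BLOCK = 4

class ToyFlash:
    def __init__(self, blocks=4):
        self.pages = [ERASED] * (blocks * PAGES_PER_BLOCK)   # physical pages
        self.valid = [False] * len(self.pages)               # controller bookkeeping
        self.l2p = {}                                        # logical key -> physical page
        self.next_free = 0

    def write(self, key, data):
        """Out-of-place write: the old copy is only marked invalid, never overwritten."""
        if key in self.l2p:
            self.valid[self.l2p[key]] = False
        page = self.next_free
        self.next_free += 1
        self.pages[page] = data.ljust(16, b"\x00")[:16]
        self.valid[page] = True
        self.l2p[key] = page

    def read(self, key):
        """What the device's own software sees through the mapping table."""
        page = self.l2p.get(key)
        return None if page is None else self.pages[page].rstrip(b"\x00")

    def factory_reset(self):
        """Assumed logical reset: drop the mapping, invalidate pages, erase nothing."""
        self.l2p.clear()
        self.valid = [False] * len(self.pages)

    def erase_all_blocks(self):
        """Physical erase of every block; on real flash this costs an erase cycle each."""
        self.pages = [ERASED] * len(self.pages)
        self.next_free = 0

    def raw_dump(self):
        """What a chip reader sees: every physical page, valid or not."""
        return b"".join(self.pages)

def residual_pages(flash):
    """Audit helper: count invalid pages that still hold non-erased content."""
    return sum(1 for p, v in zip(flash.pages, flash.valid) if not v and p != ERASED)

flash = ToyFlash()
flash.write("wifi_psk", b"old-passphrase")   # constructed sample values
flash.write("wifi_psk", b"new-passphrase")
flash.factory_reset()
print(flash.read("wifi_psk"), b"old-passphrase" in flash.raw_dump(), residual_pages(flash))
```

After the reset the device's own view returns nothing, while the raw dump still holds both the current and the superseded passphrase; only `erase_all_blocks()` brings the residual page count to zero.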
So far, the only proof of the unreliability of IoT device factory resets has come from the above study, but it does raise additional questions as to whether other smart IoT devices suffer from the same problems.
Source: CPO Magazine