Never resell your Amazon Echo devices; they store Amazon account details, WiFi passwords and other confidential data even after resetting

Nowadays users can do a factory reset on their Internet of Things (IoT) devices in a very simple way to remove from the system any record that has been stored by the device, something especially recommended if the user will sell or give away their old equipment. However, specialists report that Amazon Echo Dot devices do not completely remove digital bits after reboot, making it possible to recover a large amount of sensitive information, including passwords, location details, and other data.

Researchers at Northeastern University mention that, like most IoT devices, the Echo Dot employs NAND-based flash memory, which stores bits of data for later retrieval thanks to its silicon chips. NAND is less stable than hard drives because reading and writing to this system produces frequent bit errors that must be corrected using specific code.

On the other hand, NAND implementations are generally organized into blueprints, blocks, and pages, allowing for a limited number of erase cycles, typically between 10,000 and 100,000 times per block. To extend the life of the chip, blocks that store deleted data are often invalidated rather than erased.

The researchers bought 86 used IoT devices and analyzed them for nearly two years, discovering that most of these devices are sold without a factory reset, allowing the old user’s WiFi network passwords to be recovered, as well as extracting data from Accounts on Amazon and other device details.

The researchers then randomly opened some devices and concluded that a threat actor with physical access could retrieve multiple sensitive logs, including location data, WiFi passwords, and information from other devices linked to the Amazon Echo Dot: “We have shown that these logs remain in flash memory, even after a factory reset.”

Finally, the experts mentioned that these devices could also be sold in a “provisioned state,” meaning that the devices can be reset while connected to the previous owner’s WiFi network or without any WiFi connection at all, either by removing or leaving the devices installed from the owner’s Alexa app.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.