Northeastern University researchers showed that factory resetting an Amazon Echo Dot isn’t enough to protect your personal information from someone with physical access to the device.
The researchers said anyone with that physical access could “retrieve sensitive information such as Wi-Fi credentials, the physical location of (previous) owners, and cyber-physical devices (e.g., cameras, door locks)” from an Amazon Echo Dot even after it’s been factory reset.
They also said these devices reveal that data as well as “all previous passwords and tokens” after a reset “due to the wear-leveling algorithms of the flash memory and lack of encryption.” Put simply: Factory resetting a device’s storage doesn’t do what many people think it does.
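The interaction between wear leveling and missing encryption can be shown with a small simulation (an added example, not code from the researchers or from Amazon). It models a flash translation layer that never rewrites a page in place, so a reset that overwrites logical blocks leaves the old physical page intact, and compares unencrypted storage with encrypted storage whose key is destroyed at reset. `ToyFlash`, the overwrite-style reset, the external key store and the sample credential are all assumptions made for illustration.

```python
import hashlib
import os

SECRET = b"ssid=HomeNet;psk=constructed-pass"  # constructed sample credential

class ToyFlash:
    """Hypothetical FTL: logical blocks map to physical pages, writes never land in place."""
    def __init__(self, physical_pages=8):
        self.pages = [None] * physical_pages  # raw NAND contents
        self.l2p = {}                         # logical block -> physical page
        self.next_free = 0

    def write(self, lba, data):
        # Wear leveling: each write goes to a fresh page; the old page is only unmapped.
        if self.next_free >= len(self.pages):
            raise RuntimeError("toy flash full (garbage collection not modelled)")
        self.pages[self.next_free] = data
        self.l2p[lba] = self.next_free
        self.next_free += 1

    def read(self, lba):
        return self.pages[self.l2p[lba]]

    def factory_reset(self):
        # Assumed reset behaviour: overwrite every logical block through the FTL.
        for lba in list(self.l2p):
            self.write(lba, b"\x00" * 16)

    def raw_dump(self):
        # What someone reading the chip directly sees: all pages, mapped or stale.
        return b"".join(p for p in self.pages if p is not None)

def keystream_xor(key, data):
    # Toy stream cipher standing in for real storage encryption such as AES.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def reset_device(encrypt):
    key = os.urandom(32)  # assumed to sit in a key store outside the flash
    flash = ToyFlash()
    flash.write(0, keystream_xor(key, SECRET) if encrypt else SECRET)
    flash.factory_reset()
    key = None  # the reset also destroys the key
    return flash.read(0), flash.raw_dump()

if __name__ == "__main__":
    for encrypt in (False, True):
        logical, raw = reset_device(encrypt)
        print(f"encrypted={encrypt} logical_clean={SECRET not in logical} raw_leaks={SECRET in raw}")
```

In both runs the logical view reads back as zeros after the reset; only the raw dump of the unencrypted device still contains the credential.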
Not that many soon-to-be-former Amazon Echo Dot owners appeared to be concerned about the safety of their information. The researchers said they purchased 86 used Amazon Echo Dots as part of this study, and of those, 61 percent weren’t factory reset before they were resold.
The researchers also found that many people selling broken Amazon Echo Dots, most of which couldn’t be powered on, skipped the factory reset process before passing them on to their new owners. It seems many were unaware of the risk of selling used Internet of Things devices.
Unfortunately, it doesn’t seem the ability to retrieve Wi-Fi credentials, the owner’s physical location, and other information is top-of-mind for Amazon. Instead, it seems more focused on the claim that account and payment information can’t be gleaned from factory reset devices.
“The security of our devices is a top priority,” the company said in a statement to Gizmodo. “We appreciate the work of independent researchers who help bring potential issues to our attention, and are working on additional mitigations to further secure our devices. We recommend customers deregister and factory reset their devices before reselling, recycling, or disposing of them. It is not possible to retrieve Amazon account passwords or payment card information from memory, because that data is not stored on device.”