Like most Internet-of-things devices these days, Amazon’s Echo Dot gives users a way to perform a factory reset so that, as the corporate behemoth says, users can “remove any … personal content from the applicable device(s)” before selling or discarding them. But researchers have recently found that the digital bits that remain on these reset devices can be reassembled to retrieve a wealth of sensitive data, including passwords, locations, authentication tokens, and other things.
Most IoT devices, the Echo Dot included, use NAND-based flash memory to store data. Like traditional hard drives, NAND—which is short for the boolean operator “not and”—stores bits of data so they can be recalled later. But whereas hard drives write data to magnetic platters, NAND uses silicon chips. NAND is also less stable than hard drives because reading and writing to it produces bit errors that must be corrected using error-correcting code.
NAND is usually organized in planes, blocks, and pages. Each block tolerates only a limited number of erase cycles, usually in the neighborhood of 10,000 to 100,000. To extend the life of the chip, blocks storing deleted data are often invalidated rather than wiped. True deletions usually happen only when most of the pages in a block are invalidated. This process is known as wear-leveling.
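To make the remanence problem concrete, here is a small Python model of a NAND chip with a flash translation layer that writes out of place, marks superseded pages invalid, and erases a block only once most of its pages are invalid. It is an added illustration written for this page, not code from the article or from the Northeastern paper; the chip geometry, the `ToyNand` class and the sample secrets are all constructed. A reset that only drops the logical mapping leaves every stale copy readable in a raw page dump, while physically erasing every block does not:

```python
"""Toy NAND with an out-of-place flash translation layer (constructed model)."""

PAGE_SIZE = 16
PAGES_PER_BLOCK = 4
BLOCKS = 4
ERASED_PAGE = b"\xff" * PAGE_SIZE  # erased NAND cells read back as all 1s


class ToyNand:
    def __init__(self):
        self.pages = [[ERASED_PAGE] * PAGES_PER_BLOCK for _ in range(BLOCKS)]
        self.written = [[False] * PAGES_PER_BLOCK for _ in range(BLOCKS)]
        # valid: the page holds the current copy of some logical page
        self.valid = [[False] * PAGES_PER_BLOCK for _ in range(BLOCKS)]
        self.erase_count = [0] * BLOCKS
        self.l2p = {}  # logical page number -> (block, page)

    def _alloc(self):
        """First never-written physical page; blocks fill sequentially."""
        for b in range(BLOCKS):
            for p in range(PAGES_PER_BLOCK):
                if not self.written[b][p]:
                    return b, p
        raise RuntimeError("no free page: run gc() first")

    def write(self, lpn, data):
        """Out-of-place write: the old copy is only marked invalid."""
        if len(data) > PAGE_SIZE:
            raise ValueError("page overflow")
        if lpn in self.l2p:
            ob, op = self.l2p[lpn]
            self.valid[ob][op] = False  # stale bytes stay in the cells
        b, p = self._alloc()
        self.pages[b][p] = data.ljust(PAGE_SIZE, b"\x00")
        self.written[b][p] = self.valid[b][p] = True
        self.l2p[lpn] = (b, p)

    def read(self, lpn):
        b, p = self.l2p[lpn]
        return self.pages[b][p].rstrip(b"\x00")

    def delete(self, lpn):
        """Logical delete: unmap and invalidate, no physical erase."""
        b, p = self.l2p.pop(lpn)
        self.valid[b][p] = False

    def _erase_block(self, b):
        self.pages[b] = [ERASED_PAGE] * PAGES_PER_BLOCK
        self.written[b] = [False] * PAGES_PER_BLOCK
        self.valid[b] = [False] * PAGES_PER_BLOCK
        self.erase_count[b] += 1

    def gc(self, min_invalid=3):
        """Erase fully written blocks with >= min_invalid invalid pages,
        relocating any still-valid pages first, as a real FTL would."""
        for b in range(BLOCKS):
            if not all(self.written[b]):
                continue
            if sum(not v for v in self.valid[b]) < min_invalid:
                continue
            for p in range(PAGES_PER_BLOCK):
                if self.valid[b][p]:
                    lpn = next(k for k, loc in self.l2p.items() if loc == (b, p))
                    self.write(lpn, self.pages[b][p])
            self._erase_block(b)

    def raw_dump(self):
        """What a chip-off or ISP read returns: every page, valid or not."""
        return [pg for blk in self.pages for pg in blk]

    def logical_reset(self):
        """A reset that clears only the mapping: nothing is erased."""
        for lpn in list(self.l2p):
            self.delete(lpn)

    def full_erase(self):
        """Mitigation: physically erase every block (one cycle each)."""
        for b in range(BLOCKS):
            self._erase_block(b)


def carve(dump, marker):
    """Pages in a raw dump that still contain marker bytes."""
    return [pg.rstrip(b"\x00") for pg in dump if marker in pg]


def demo():
    nand = ToyNand()
    # constructed sample secrets, not real credentials
    nand.write(0, b"wifi:OldPass1")
    nand.write(0, b"wifi:NewPass2")  # old copy merely invalidated
    nand.write(1, b"token:abc123")
    nand.logical_reset()
    stale_after_reset = carve(nand.raw_dump(), b"wifi:")
    nand.gc()  # block 0 is not full yet: nothing reclaimed
    stale_after_gc = carve(nand.raw_dump(), b"wifi:")
    nand.write(2, b"devices:camera")  # fills block 0: 3 of 4 pages invalid
    nand.gc()  # block 0 now qualifies: relocate page 3, erase the block
    stale_after_block_gc = carve(nand.raw_dump(), b"wifi:")
    relocated = nand.read(2)
    nand.full_erase()
    return {
        "stale_after_reset": stale_after_reset,
        "stale_after_gc": stale_after_gc,
        "stale_after_block_gc": stale_after_block_gc,
        "relocated": relocated,
        "after_full_erase": carve(nand.raw_dump(), b"wifi:"),
        "erase_cycles": nand.erase_count,
    }
```

Both the overwritten password and its replacement survive the mapping-only reset and an early garbage-collection pass; they disappear only when their block fills up and is actually erased, or when every block is erased outright, which is the behaviour a factory reset would need to guarantee.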
Researchers from Northeastern University bought 86 used devices on eBay and at flea markets over a span of 16 months. They first examined the purchased devices to see which ones had been factory reset and which hadn’t. Their first surprise: 61 percent of them had not been reset. Without a reset, recovering the previous owners’ Wi-Fi passwords, router MAC addresses, Amazon account credentials, and information about connected devices was relatively easy.
The next surprise came when the researchers disassembled the devices and forensically examined the contents stored in their memory.
“An adversary with physical access to such devices (e.g., purchasing a used one) can retrieve sensitive information such as Wi-Fi credentials, the physical location of (previous) owners, and cyber-physical devices (e.g., cameras, door locks),” the researchers wrote in a research paper. “We show that such information, including all previous passwords and tokens, remains on the flash memory, even after a factory reset.”
Used Echo Dots and other Amazon devices can come in a variety of states. In one state the device remains provisioned, as 61 percent of the purchased Echo Dots did. Devices can also be reset while connected to the previous owner’s Wi-Fi network or while disconnected from Wi-Fi, in either case with or without deleting the device from the owner’s Alexa app.
Depending on the type of NAND flash and the state of the previously owned device, the researchers used several techniques to extract the stored data. For reset devices, there’s a process known as chip-off, which involves disassembling the device and desoldering the flash memory. The researchers then use an external device to access and extract the flash contents. This method requires a fair amount of equipment, skill, and time.
A different process called in-system programming allows the researchers to access the flash without desoldering it. It works by scratching some of the solder mask coating off of the printed circuit board and attaching a conductive needle to an exposed piece of copper to tap into the signal trace, which connects the flash to the CPU.
The researchers also created a hybrid chip-off method that causes less damage and thermal stress to the PCB and the embedded multi-chip package; such damage can cause short circuits and broken PCB pads. The hybrid technique uses a donor multi-chip package to supply the RAM while the embedded MultiMediaCard (eMMC) portion of the original multi-chip package is accessed externally. This method is mostly interesting to researchers who want to analyze IoT devices.
In addition to the 86 used devices, the researchers bought six new Echo Dot devices and, over a span of several weeks, provisioned them with test accounts at different geographic locations and different Wi-Fi access points. The researchers paired the provisioned devices to different smart home and Bluetooth devices. The researchers then extracted the flash contents from these still-provisioned devices using the techniques described earlier.