Resetting Your IoT Device Before Reselling It Isn't Enough, Researchers Find

Even if you've factory reset your device, sensitive personal information has likely been retained on it—meaning the next owner could extract it.

We may earn a commission from links on this page.
Image for article titled Resetting Your IoT Device Before Reselling It Isn't Enough, Researchers Find
Photo: Victoria Song/Gizmodo

As IoT devices like Amazon Echo become more and more popular, it isn’t unusual for users to re-sell them. Indeed, it’s increasingly common to come across them on eBay or even at the occasional yard sale. Amazon suggests that, when users are done with a product, they factory reset the device so as to erase any personal information stored within it before sending it back out into the world.

However, it would appear that simply resetting your device won’t actually expunge that data from the face of the Earth and that reselling your device could hypothetically lead to your old information getting boosted.

Researchers with Northeastern University recently spent 16 months buying and reverse engineering 86 used Amazon Echo Dot devices in an attempt to understand any security deficiencies they might have.


After nabbing them from the likes of eBay and flea markets, the academic team proceeded to take the devices apart and sort through their components, in an effort to understand how they work.

Their first discovery was perhaps the most unsurprising: a majority of Echo users who had re-sold their devices hadn’t even thought to factory reset them, the study says. Thus, a majority of their old data was still just hanging out on the device, and researchers could easily access stuff like the former owner’s wifi information, Amazon account credentials, and router MAC addresses.


Those that had reset their devices, however, hadn’t quite wiped the slate clean in the way they thought they had. Researchers found that, contrary to what Amazon says, you can actually recover a lot of sensitive personal data stored on factory reset devices. The reason for this is related to how these devices store your information using NAND flash memory—a storage medium that, due to certain processes, doesn’t actually delete the data when the device is reset.

“We show that private information, including all previous passwords and tokens, remains on the flash memory, even after a factory reset. This is due to wear-leveling algorithms of the flash memory and lack of encryption,” researchers write. “An adversary with physical access to such devices (e.g., purchasing a used one) can retrieve sensitive information such as Wi-Fi credentials, the physical location of (previous) owners, and cyber-physical devices (e.g., cameras, door locks).”


Granted, said hypothetical snoopers would really have to know what they were doing—and their data thieving would entail a certain amount of expertise. The researchers themselves had to take the entire device apart and then desolder the flash memory, before subsequently using a different device to extract the flash’s contents. The whole process takes about 20 to 30 minutes if you know what you’re doing, researchers added.

In response to our request for comment, Amazon provided the following statement:

“The security of our devices is a top priority. We appreciate the work of independent researchers who help bring potential issues to our attention, and are working on additional mitigations to further secure our devices. We recommend customers deregister and factory reset their devices before reselling, recycling, or disposing of them. It is not possible to retrieve Amazon account passwords or payment card information from memory, because that data is not stored on device.”


Ah, okay.

While the likelihood of a skilled security professional hijacking your personal info via your old Echo may seem far-fetched, targeting individuals as a first step into breaking into a larger network is quite common.


Still, even if it’s not a highly probable way for you to get your data looted, it’s an example of the way in which these devices—which compile such intimate personal dossiers on their users—are not exactly fortified vaults. The data’s still just sitting there and the right person with the right know-how can get at it without any great expense.