Memory of Echo speakers still contains passwords even after reset
Researchers at Northeastern University have discovered that Amazon Echo Dot speakers can still contain passwords even after a reset. This is apparent from a study into second-hand Echo speakers.
In a research report, the researchers describe how they examined 86 Amazon Echo Dot speakers. In order to read the data from the NAND flash memory, the memory had to be removed from the speaker. The memory was then read with another device. In this way, the researchers were able to retrieve information about the previous owner's Wi-Fi network, as well as passwords, name and account information.
According to the researchers, this is because a reset does not erase the data but only makes it unreadable to the speaker. When the memory is subsequently removed and read with an external device, the data is still accessible.
This applies to Echo speakers that were reset before the owner disposed of them, but that does not always happen: 61 percent of the devices surveyed had not been reset by the owner before they were sold. In those cases the researchers could access sensitive data without having to remove the memory from the PCB.
The researchers also tried to find out the address from second-hand speakers by means of voice commands, but that proved impossible. However, they were able to get a good idea of where the speaker had previously been by asking for nearby locations such as supermarkets and restaurants.
According to the researchers, this problem is easy to fix. The partition containing user data could be encrypted, making it much more difficult to access sensitive data.
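The difference between a reset that only hides data from the speaker and one backed by an encrypted partition can be shown with a toy model. This is an added example, not code from the researchers or from Amazon: ToyFlash, its page layout, the sample Wi-Fi record and the SHA-256 keystream (a stand-in for a real cipher) are all assumptions, as is the choice to discard the key on reset.

```python
import hashlib
import os

PAGE = 64  # toy page size in bytes (constructed)

def xor_keystream(key: bytes, page_no: int, data: bytes) -> bytes:
    """Stand-in for a real cipher such as AES-XTS; SHA-256 keystream, illustration only."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + page_no.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class ToyFlash:
    """Hypothetical model: physical pages plus the logical map the device reads through."""
    def __init__(self, encrypted: bool):
        self.pages = []    # what an external chip reader sees
        self.mapping = {}  # what the speaker itself can reach
        self.key = os.urandom(32) if encrypted else None

    def write(self, name: str, data: bytes) -> None:
        idx = len(self.pages)
        page = data.ljust(PAGE, b"\0")[:PAGE]
        self.pages.append(xor_keystream(self.key, idx, page) if self.key else page)
        self.mapping[name] = idx

    def read(self, name: str):
        idx = self.mapping.get(name)
        if idx is None:
            return None
        page = self.pages[idx]
        return (xor_keystream(self.key, idx, page) if self.key else page).rstrip(b"\0")

    def factory_reset(self) -> None:
        self.mapping.clear()            # references dropped, pages left in place
        if self.key:
            self.key = os.urandom(32)   # assumed: old key discarded on reset

    def raw_dump(self) -> bytes:
        return b"".join(self.pages)

def residue_after_reset(encrypted: bool):
    flash = ToyFlash(encrypted)
    flash.write("wifi", b"ssid=HomeNet psk=constructed-pw")  # constructed sample record
    flash.factory_reset()
    return flash.read("wifi"), b"constructed-pw" in flash.raw_dump()

if __name__ == "__main__":
    print("plain:    ", residue_after_reset(False))
    print("encrypted:", residue_after_reset(True))
```

In both cases the device itself reads nothing back after the reset; only the unencrypted variant leaves the password visible in the raw dump.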