Amazon Echo Dot or the Reverberating Secrets of IoT Devices

Dennis Giese, Guevara Noubir

Published in: ACM Conference on Security and Privacy in Wireless and Mobile Networks (ACM Wisec 2021)

Date: 2021/06/30

* Best paper award runner-up *


Smart speakers, such as the Amazon Echo Dot, are very popular and routinely trusted with private and sensitive information. Yet, little is known about their security and potential attack vectors. We develop and synthesize a set of IoT forensics techniques, apply them to reverse engineer the hardware and software of the Amazon Echo Dot, and demonstrate its lacking protections of private user data. An adversary with physical access to such devices (e.g., purchasing a used one) can retrieve sensitive information such as Wi-Fi credentials, the physical location of (previous) owners, and cyber-physical devices (e.g., cameras, door locks). We show that such information, including all previous passwords and tokens, remains on the flash memory, even after a factory reset. This is due to the wear-leveling algorithms of the flash memory and lack of encryption. We identify and discuss the design flaws in the storage of sensitive information and the process of de-provisioning used devices. We demonstrate the practical feasibility of such attacks on 86 used devices purchased on eBay and flea markets. Finally, we propose secure design alternatives and mitigation techniques.

Paper hosted at (PDF)
High-Res version of the paper (PDF)
Recording of presentation on Youtube
Recording of Best paper award runner-up
Link to official event website
Ars Technica article: Thinking about selling your Echo Dot—or any IoT device? Read this first

<-- Back to my homepage