A Hacker’s Treasure: IoT Data Not Trashed

Published 9 August 2019

While consumers are aware that data needs to be wiped from smartphones and computers before discarding them, the proliferation of internet-connected (IoT) devices poses new challenges and risks, as they too retain valuable data.

The research, “Privacy leaks in smart devices: Extracting data from used smart home devices,” will be presented at DEF CON IoT Village in the Eldorado Room at the Flamingo Hotel on Friday, 9 August. DEF CON IoT Village is organized by security consulting and research firm Independent Security Evaluators.

These findings are the focus of a research presentation at the DEF CON 27 IoT Village by Dennis Giese, a cyber researcher and doctoral student at Northeastern University in Boston.

“Consumers seem to be tossing out their privacy and security every time they trash an IoT device,” Giese says. “Most consumers are not aware that these devices store information and with billions of IoT devices being purchased they need to understand that their trash could become a hacker’s treasure.”

Most IoT devices store information, such as WiFi credentials or user data, that they need in order to operate correctly and that must be available in plaintext. Many devices also store other information on their flash storage. For example, vacuum cleaning robots store maps, cleaning histories and log files. Some cameras store short video sequences. Audio speakers save playlists.

“In my research, I purchased a number of used IoT devices and discovered that most IoT devices have a bad implementation of a factory reset, which turns out to not be as effective as necessary,” Giese says. “Even when a used device gets sold, and the previous owner invoked a factory reset of the device, I found that most of the user data and log files still remain.”

For some vendors, it is even possible to access cloud data of the previous owner. Even if the vendor implemented a working factory reset, there are technical issues which may still leak sensitive information. In particular, NAND flash employs wear leveling to reduce wear on any single memory area. As a result, the data can be duplicated internally on the raw NAND flash and remains there even if the flash gets erased.
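The wear-leveling effect described above can be reproduced in a small model. The following is an added example, not code from the research or from any vendor: `ToyFTL`, its method names and the sample credential are constructed for illustration, and the model assumes out-of-place writes with no garbage collection.

```python
# Toy flash translation layer (FTL): a constructed model, not vendor firmware.
ERASED = b"\xff" * 16            # NAND pages read back as 0xFF after a block erase

class ToyFTL:
    def __init__(self, pages=16):
        self.phys = [ERASED] * pages   # raw NAND pages, as a chip-level dump sees them
        self.l2p = {}                  # logical page number -> physical page index
        self.next_free = 0             # wear leveling: always program the next unused page

    def write(self, lpn, data):
        """Out-of-place write: the previous physical copy stays behind as stale."""
        if self.next_free >= len(self.phys):
            raise RuntimeError("toy model has no garbage collector; flash is full")
        self.phys[self.next_free] = data.ljust(16, b"\x00")[:16]
        self.l2p[lpn] = self.next_free
        self.next_free += 1

    def read(self, lpn):
        """What the operating system sees through the logical mapping."""
        idx = self.l2p.get(lpn)
        return ERASED if idx is None else self.phys[idx]

    def logical_reset(self):
        """A reset that only drops the mapping (delete or quick format)."""
        self.l2p.clear()

    def physical_erase(self):
        """A reset that erases every page, including stale and unmapped ones."""
        self.phys = [ERASED] * len(self.phys)
        self.l2p.clear()
        self.next_free = 0

    def raw_residue(self, needle):
        """Number of physical pages that still contain `needle`."""
        return sum(needle in page for page in self.phys)

def demo():
    ftl = ToyFTL()
    ftl.write(0, b"psk=hunter2-old")   # constructed sample credential
    ftl.write(0, b"psk=hunter2-new")   # same logical page, new physical page
    before = ftl.raw_residue(b"psk=")
    ftl.logical_reset()
    after_logical = (ftl.read(0), ftl.raw_residue(b"psk="))
    ftl.physical_erase()
    after_physical = ftl.raw_residue(b"psk=")
    return before, after_logical, after_physical

if __name__ == "__main__":
    print(demo())
```

After the logical reset the device reads the page as empty, yet both physical copies are still present in the raw pages; only the full physical erase removes them.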

As part of his IoT Village presentation, Giese will demonstrate how data can be extracted from a used vacuum robot, which has been factory reset by the previous owner, and how it is possible to track down the owner using that data. One technique, for example, uses the BSSID, the MAC address of the WiFi access point, which is often logged on the device and can be queried through public APIs to retrieve the position of that access point.

Giese has also analyzed a used media player which contained a list of adult movies watched. In another case, he accessed a children’s drone with the recorded videos of them playing.

“Some vendors put a lot of effort into the secure reset of the devices,” Giese says. “However, for devices without an interface, it is often not obvious how to use it. Also, there are many challenges in the system design that make a secure reset difficult. It is not trivial to implement a correctly working system.”