Think Twice Before Selling Your Smart Device, It May Leak Personal Data

Buyers of smart devices sometimes get more than they bargained for when the gadget retains information from the previous owner. This is not always the fault of the original user but of the storage elements included in the IoT system, which may keep data even after a reset to factory defaults has been performed.

The problem is notable with used hard disks, as highlighted by a study this year revealing that out of 159 used drives purchased through eBay almost half still had sensitive data. On phones that had not been encrypted and reset to default before selling, this information could include images, messages, credentials, or call lists.

If solutions exist for hard drives and smartphone, IoT systems are a different breed of computer systems that do not allow direct access to data and the success of a factory reset is difficult to verify. Furthermore, the lack of standards allows manufacturers to implement the factory reset the way they see fit.

Dennis Giese, a Ph.D. student at Northeastern University in Boston, researched the efficiency of factory resetting in IoT devices and noticed that traces of data remained after the operation; in some cases, he could access all the data. He found that performant systems with a higher number of functions and larger storage contained the most data.

While analyzing the storage inside several smart gadgets from various categories, he was able to extract sensitive information that ranged from connection logs and user IDs to cached snapshots, videos, credentials, and browsing history. All this data was from smart vacuum cleaners, media players, routers, smart home hubs, toys, and cameras.

There is more than one reason for this data to remain stored on the used devices, and sometimes it is not because the user failed to reset the device to its factory configuration. At the DEF CON hacker conference this year, the researcher explained that the information continues to exist on the flash storage used by IoT gadgets because of a feature called wear-leveling.

Flash memory deprecates in time. To ensure a balanced wear level, when the stored information changes, it is not deleted. Instead, the block that stores it is marked as unavailable and the changes are copied to a new block. At some point, e.g. when you run out of space, the unusable blocks are emptied and become usable again.

Every time you change data, that data is written to a new block. By this logic, at some point data that is frequently changed will have more copies available, creating a history. Giese gave WiFi credentials as an example, which would have a history of changes if you set up new passwords often.

This means that even when you restore the device to its initial state chances are fragments of data are still present. However, Giese found that the availability of the information on used smart devices mainly depends on the previous owner, who may not know how to reset it; in this case, all the data is still present.

Sometimes, the operation could not be performed because the gadget was broken in some way. Some Amazon Echo Dot personal assistants Giese purchased last year had the USB connector broken and after fixing them the devices became fully functional and had all the info from their previous owners.

Restoring the firmware to its factory state is the better option before selling your IoT device but if there is no way to verify a full wipe and you know there are sensitive details on it, Giese recommends not throwing away or selling the device. WiFi configuration files and usage logs, for instance, can be used to locate the owner and get a general idea of when they’re home.

Although extracting the data does require technical knowledge, the risk lingers. In a recent tweet, a hacker shared a concerning view regarding electronic recycling centers that malicious hackers could set up specifically to harvest personal data and documents from storage elements in connected gadgets.

If you still want to sell a smart device after reading this, changing the WiFi password and name is also a good practice. If there is an account associated with the gadgets, it would be a good idea to set new credentials for it, too.

Image credit: geralt