Many owners of smart home devices have no idea how to reset them, and many device manufacturers make doing so properly difficult or impossible, security researcher Dennis Giese said in a presentation at the IoT Village at the DEF CON 27 hacker conference in Las Vegas this past weekend.
Giese extracted sensitive information, such as Wi-Fi credentials, maps of home interiors, Wi-Fi network names and MAC addresses (network IDs), from more than a dozen different devices, including robot vacuums and video doorbells. He could even learn where the previous owners lived by comparing the stored Wi-Fi network names to online lists of known ones.
"Do not sell or throw away your device if you cannot verify a full wipe and it may contain sensitive information," Giese said. "If you have sold or given away some of these devices, then change your Wi-Fi credentials. In the future, use a separate Wi-Fi network for IoT devices."
Giese, a German national studying for a doctorate at Northeastern University in Boston, explained that unlike smartphones and computers, the data on a smart-home device is not always directly accessible by the user.
Many devices, such as robot vacuums, don't even have a user interface. It's not clear what is actually stored on the device, and even if a factory reset is performed, the reset often leaves traces of data.
"Secure, correct factory reset is hard to implement," Giese said. "There's no way to make sure a device has been wiped, and many vendors don't erase all user data."
The persistence of memory
Part of the problem, Giese said, is that smart-home devices use inexpensive flash memory to store data. Cheap flash memory has a high failure rate, and when a memory block goes bad, the data is just copied to another block while the old block is left untouched.
As a result, bits of data are duplicated all over the physical memory chip, and resets and wipes can't always get them all. So if someone like Giese comes along and "dumps" the memory (extracts its contents) using a variety of available tools, he or she can get a pretty good idea of what the previous owner put into the device.
Smartphones and modern computers also use flash memory, Giese explained, but it's more expensive, more durable, better managed and, on the latest smartphones, encrypted by default. None of that is true for most smart-home devices.
But any smart-home device, even a Wi-Fi-enabled robot vacuum, will need to store Wi-Fi credentials somewhere. Smart-home hubs store a bit more data, Giese said, since they have to connect to other devices around the home; Wi-Fi-enabled security cameras store even more.
Then there are Wi-Fi routers, if they can even be considered smart-home devices, which hold tons of data about their owners' home networks and connections to internet service providers. Likewise, streaming devices such as set-top boxes or DVRs hold connection logs, caches, playlists, Wi-Fi credentials and sometimes even web-browsing histories.
Don't forget to wipe
The more sophisticated devices have better wiping procedures, Giese said, but that doesn't mean you shouldn't take precautions. He said he'd heard of someone who bought a used Sony PlayStation 3 that held "a ton of the previous owner's data."
Meanwhile, simpler smart devices sometimes only let you wipe the Wi-Fi credentials, Giese said. Or they have separate reset procedures -- one for the Wi-Fi, the other for the entire device. In any case, seven out of the eight used smart doorbells Giese tested had recoverable Wi-Fi credentials.
Giese said he'd recently bought a used Ecovacs Deebot 900 robot vacuum whose previous owner had performed a factory reset. But Giese dumped the memory and found fragments of log files, Wi-Fi credentials, room maps and, most importantly, the MAC address of the previous owner's router. Giese plugged that into the free Wi-Fi network database WiGLE (Wireless Geographic Logging Engine) and located the owner's home in Magdeburg, central Germany.
"Most of the user data still existed on the device despite the reset," Giese said. "After I reset the device three times, lots of data was still readable."
He also bought a Xiaomi Mi/Roborock Vacuum Robot that was broken. The previous owner had done only a Wi-Fi reset, perhaps unaware that a more complicated procedure existed to perform a full factory reset. As a result, the associated smartphone app showed maps of the previous owner's home, even after the device had been set up for a new user.
Even with the Wi-Fi reset, Giese dug out log files that contained the previous Wi-Fi username, password and network name, the last of which was able to reveal the owner's home location when typed into WiGLE.
Smash it up
Giese did find one robot vacuum, which he didn't name, that did everything right. User data partitions were encrypted, and the device unlocked the configurations and data upon bootup. The factory reset erased the previous owner's encryption keys and recreated the user partition.
But that was the exception. Generally, he said, you can't be certain you're not giving away a lot of your personal information when you give away a smart-home device.
"The only way to be sure," he said, "is to physically destroy the flash memory."
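The two behaviors described above, stale copies left behind when flash relocates a block and the encrypted design whose reset discards the key, can be compared in a small simulation. This is an added example, not code from Giese's talk or from any vendor: the ToyFlash model, the sample credentials and the SHA-256 stand-in cipher are all constructed, and the key is assumed to live in storage that the reset can actually erase.

```python
import hashlib
import os

SECRET = b"ssid=HomeNet;psk=correct-horse"  # constructed sample credentials

class ToyFlash:
    """Constructed model: every write lands on a fresh physical page."""
    def __init__(self, pages=8):
        self.phys = [b""] * pages   # what a raw chip dump would contain
        self.mapping = {}           # logical block -> physical page
        self.next_free = 0

    def write(self, logical, data):
        # The old page is only unmapped, never erased (assumed controller behaviour).
        self.phys[self.next_free] = data
        self.mapping[logical] = self.next_free
        self.next_free += 1

    def read(self, logical):
        return self.phys[self.mapping[logical]]

    def raw_dump(self):
        return b"".join(self.phys)

def keystream_xor(key, data):
    # Stand-in cipher (SHA-256 in counter mode) so the example is stdlib-only.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def used_device(encrypt):
    """Set up, relocate the block once, then factory-reset logical block 0."""
    flash = ToyFlash()
    key = os.urandom(32) if encrypt else None   # assumed to live outside the flash
    stored = keystream_xor(key, SECRET) if encrypt else SECRET
    flash.write(0, stored)                 # initial Wi-Fi setup
    flash.write(0, stored)                 # block went bad, data copied elsewhere
    flash.write(0, b"\x00" * len(stored))  # reset overwrites the logical block
    key = None                             # encrypted design: reset discards the key
    return flash

def residue_copies(flash):
    """Count readable copies of the credentials in a full physical dump."""
    return flash.raw_dump().count(SECRET)

if __name__ == "__main__":
    for encrypt in (False, True):
        flash = used_device(encrypt)
        print("encrypted" if encrypt else "plaintext",
              "logical view wiped:", flash.read(0) == b"\x00" * len(SECRET),
              "copies in dump:", residue_copies(flash))
```

In both runs the logical view reads back as zeros, which is all a reset routine or the owner can check; only the physical dump shows whether readable copies remain.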