Export Compliance Daily is a Warren News publication.

IoT Devices Contain User Data That's Accessible Even After a Reset, Says Report

Connected devices retain valuable data that could be extracted after they’re discarded, said research firm Independent Security Evaluators Monday, announcing a presentation on the topic Friday at DEF CON IoT Village in Las Vegas by Northeastern University cyber researcher and doctoral student Dennis Giese. “While consumers are aware that data needs to be wiped from smart phones and computers before discarding,” IoT devices pose “new challenges and risks, as they too retain valuable data,” said Giese. With billions of IoT devices being purchased, consumers “need to understand that their trash could become a hacker’s treasure,” said the researcher.

Most IoT devices store information, like Wi-Fi credentials, or user data, to operate correctly, and the data needs to be available in unencrypted plaintext. Many devices also store other information on flash storage in the device: for example, robot vacuums store maps, cleaning histories and log files, he said. Some cameras store short video sequences, and audio speakers save playlists.

In his research, Giese found most IoT devices have a “bad implementation of a factory reset.” He found that with used devices he purchased -- even when the previous owner performed a factory reset -- “most of the user data and log files still remain.” As part of the Friday presentation, Giese plans to demonstrate how data can be extracted from a used robot vacuum, which was reset by the previous owner, and how it’s possible to use that data to track down the previous owner. ISE encourages manufacturers to “make it more obvious and easier to find and reset a device,” a spokesperson said.