Giving Away a Smart Home Device? Don’t Do It—Here’s Why

Giving Away a Smart Home Device? Don't Do It—Here's Why

(Image credit: Shutterstock) You know how to wipe a hard drive before you sell or give away an old PC. You know how to factory-reset a smartphone . But do you know how to factory-reset a smart home device ? Many owners of smart home devices have no idea how to reset them, and many devices manufacturers make properly doing so difficult or impossible, security researcher Dennis Giese said in a presentation at the IoT Village at the DEF CON 27 hacker conference in Las Vegas this past weekend. Giese extracted sensitive information, such as Wi-Fi credentials, maps of home interiors, Wi-Fi network names and MAC addresses (network IDs), from more than a dozen different devices, including robot vacuums and video doorbells . He could even learn where the previous owners lived by comparing the stored Wi-Fi network names to online lists of known ones. “Do not sell or throw away your device if you cannot verify a full wipe and it may contain sensitive information,” Giese said. “If you have sold or given away some of these devices, then change your Wi-Fi credentials. In the future, use a separate Wi-Fi network for iOT devices.” MORE: Best Robot Vacuums Giese, a German national studying for a doctorate at Northeastern University in Boston, explained that unlike smartphones and computers, the data on a smart-home device is not always directly accessible by the user. Many devices, such as robot vacuums, don’t even have a user interface. It’s not clear what is actually stored on the device, and even if a factory reset is performed, the reset often leaves traces of data. “Secure, correct factory reset is hard to implement,” Giese said. “There’s no way to make sure a device has been wiped, and many vendors don’t erase all user data.” The persistence of memory Part of the problem, Giese said, is that smart-home devices use inexpensive flash memory to store data. Cheap flash memory has a high failure rate, and when a memory block goes bad, the data is just copied to another block while the old block is left untouched. As a result, bits of data are duplicated all over the physical memory card, and reset and wipes can’t always get them all. So if someone like Giese comes along and “dumps” (extracts the contents) of the memory using a variety of available tools, he or she can get a pretty good idea of what the previous owner put into the device. Smartphones and modern computers also use flash memory, Giese explained, but it’s more expensive, more durable, better managed and, on the latest smartphones, encrypted by default. None of that is true for most smart-home devices. But any smart-home device, even a Wi-Fi-enabled robot vacuum, will need to store Wi-Fi credentials somewhere. Smart-home hubs store a bit more data, Giese said, since they have to connect to other devices around the home; Wi-Fi enabled security cameras store even more. Then there are Wi-Fi routers , if they can even […]

Full article on original web page…

Leave a Reply