Are consumer IoT devices private?

Scott Ikdea writes:

Academic research performed on 86 used Amazon Echo Dots has found that the factory reset does not truly wipe data from the devices; it can still be recovered with relatively basic forensic techniques. Echo Dots commonly contain WiFi passwords, router MAC addresses, and Amazon logins among other pieces of sensitive information.

The author quotes the following paper:

This is an interesting “hack”:

The central issue is that the devices use flash memory, something common to smart IoT devices and electronics built with a focus on portability. Flash memory is more difficult to permanently remove data from because it is designed to only allow a finite number of delete cycles (generally in the tens of thousands) before a memory block becomes inoperable. Since the storage media in these IoT devices would not last long if true deletions were being performed constantly, “deleted” data is often simply invalidated and moved to an unused page in the block (in a process called “wear leveling”). These invalidated pages, which still contain the data, remain present until a block fills up with them and a true deletion is initiated.

I wasn’t aware of this “vulnerability”, but as we push towards the wearables (and in healthcare), flash memory can be used to recover sensitive healthcare information. It is for this reason I linked the article here. Amazon has its healthcare ambitions, with Echo Dots forming the part of the consumer tech being repurposed for “enterprise healthcare”.