Personal Information Exposure in Amazon Echo Dot Devices by Amazon
CVE-2021-37436
4.2 MEDIUM
What is CVE-2021-37436?
Amazon Echo Dot devices are susceptible to a vulnerability that allows attackers with physical access to retrieve sensitive information even after a factory reset. Recovery relies on sophisticated hardware and software methods, and it indicates that the factory reset does not effectively purge personal content as suggested. Reports have highlighted inconsistencies in vendor claims regarding the security of removed data, raising concern over the privacy of users. Amazon is currently working on mitigations for this issue.
CVSS V3.1
Score: 4.2
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Physical
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved