People like to tear apart Echos because of the privacy fear a lot of people have around them. But in this case, I'm sure many devices have the same problem. It's just a matter of not wiping the NAND memory and instead just invalidating pages. I'll bet you could get a bunch of Wifi and Netflix credentials by buying up used TVs too (another place where people have privacy fears).
Apple at least gets this right by encrypting everything in memory and then just rotating the key (and I think Android does this now too?). But that is complicated and expensive.
I guess those of us super concerned with privacy either shouldn't sell these devices used, or get a powerful magnet that can cause bit flips (or not buy these in the first place, but good luck living in a modern world without buying a device with NAND memory in it)!
I don't believe magnets cause bit flips in NAND - they're tiny little capacitors. If you're able to induce enough current with the magnetic field to scramble that, you've probably also induced enough current to fuse open an awful lot of important conductors elsewhere in the device. Which, of course, also accomplishes the goal, just without the "reuse" option.
Complicated, maybe, but expensive? Once the software is written, there should be no more cost.
> a powerful magnet
A simpler approach is, before recycling electronics, a couple blows with a hammer on the circuit board ought to take care of it. Sure, a well-funded actor may still be able to retrieve something from the memory, but unless you are a very valuable target, nobody will find it worthwhile to reconstruct a shattered circuit board.
It's why I was always amused by people worrying that an electron microscope could retrieve data from a hard disk drive rewritten 6 times. Yah, nobody's going to do that.
The trouble with using a hammer is that you'll need to break the flash chips themselves. Breaking just the board isn't enough if the contents are not encrypted. The chips are easy for an adversary to identify, but difficult for an average consumer.
I have no idea what a magnet is supposed to do to flash chips, though. I thought that only affects magnetic media like hard drives.
People buying your stuff on ebay or from the thrift store are not going to desolder the flash chip and solder it into an identical board.
They'll just move on to an easier target.
It's like locking the door on your house. Sure, someone really wanting to get in will bypass it. Opportunistic criminals, which are the vast majority, will just move on. You just have to not be the slowest guy in the herd running away from the leopard.
> Once the software is written, there should be no more cost.
You'd need to include a Secure Enclave chip or something like it in each device. That adds cost. I've worked with IOT hardware vendors before. They will argue with you over 128K of RAM because of the cost. Every extra chip, every ounce of weight hurts their profitability at scale.
> A simpler approach is, before recycling electronics, a couple blows with a hammer on the circuit board ought to take care of it.
But then you can't reuse it. The whole point is to resell it to avoid e-waste.
> It's why I was always amused by people worrying that an electron microscope could retrieve data from a hard disk drive rewritten 6 times. Yah, nobody's going to do that.
The NSA would do that to a recovered Russian or Chinese hard drive.
Yes, it could be done without a Secure Enclave. In which case the data would be vulnerable in the case of theft or resale without a reset, but would be protected if it were reset, as long as the storage of the old key was actually properly wiped.
First, put it in a heavy-duty freezer ziplock bag and then place on concrete. This allows you to nicely pulverize the chips into many tiny pieces without making a mess. A hammer works well, but a few taps with a sledge hammer is even better and somehow more satisfying.
Making sure all data access goes through an abstraction layer that transparently encrypts and decrypts data has some complex bits to it, especially the part about storing the encryption key safely and rotating it properly. It also complicates all the hardware programming because nothing gets direct access to storage anymore, which a lot of IOT devices assume they have.
> When you say expensive, do you mean computationally, dev time, or specialized hardware?
All three. Computationally it's not expensive per se, but it requires adding a few more chips and making the CPU a little more powerful to handle all of the encryption and decryption. In IOT devices, every chip and every KB of RAM counts, so adding that overhead to every device could be a deal breaker on its own. I've worked with IOT vendors and they push back on even small increases in RAM, because it hurts their profitability at scale.
Dev time of course is required to make all the software support the abstraction layer, and specialized hardware would be required to securely store the encryption key (maybe depending on how hard core you wanted to get).
WiFi credentials maybe but I can't imagine the devices hold Netflix user passwords, I've never encountered it but surely the Netflix API just negotiates an API key tied to the user?
Let me help with some metrics about "things" you can install in your house:
- However bad you think the security on them might be at some level, it's worse. A "factory reset" won't reliably clear data, the devices can be tricked into leaking all sorts of stuff, etc.
- No matter what the company selling them says, if it has hardware of some variety, Chekhov's Gun applies - at some point, that hardware will be used.
- You will be disappointed by the supported hardware life in terms of software updates. It will seem like someone has just gotten bored with updating it and doesn't care about the ewaste they're generating. That "last supported firmware" will eventually either have a massive security issue discovered (Western Digital is a recent example) or will talk to APIs that simply stop working at some point (I believe some Samsung "Smart Fridges" suffered this death).
There's no good reason to install this sort of stuff in a modern house if you care the slightest bit about privacy.
I care about privacy. I have an iphone. I've yet to hear of a leak of data after a factory reset - if there is a leak, why is the DOJ threatening Apple from time to get access to the contents of an iphone?
An iPhone is a better class of device than the typical Amazon/Google "Things" that are room mics with wifi. I don't know about Apple's version of that hardware in terms of security.
Modern iOS devices are fairly resistant to data extraction - secure enclaves and such, and I wasn't talking about them. I don't know the state of Android security at the hardware level these days. Some years back, it was quite poor.
Android continues to be poor even today because implementations are so varied and often lowest common denominator / cheapest!
That said, if you admin a group of users, a surprising number do not care about security. Turn on google's advanced protection - you will get more complaints than compliments as an example at the extra annoyances it introduces.
Even for me, apple is now rediculous with its prompts for permissions. I've had to say yes 10+ times to get an apple watch setup. So the twitter mob messes things up by their "outrage" attacks. There should be one button, I'm OK with my apple devices tracking me (health, heart rate, sleep, steps etc etc). I wish the twitter mob would focus less on this sort of thing and more on the real bad actors (buying a TV, then it later starts tracking you, then starts pushing ads to you on your fully paid device).
One problem is just that google / apple etc make much better outrage targets, so I think we've got this weird distortion - lots of gaping holes, and then constant attacks against Apple / Google.
23 comments
[ 3.0 ms ] story [ 68.6 ms ] threadApple at least gets this right by encrypting everything in memory and then just rotating the key (and I think Android does this now too?). But that is complicated and expensive.
I guess those of us super concerned with privacy either shouldn't sell these devices used, or get a powerful magnet that can cause bit flips (or not buy these in the first place, but good luck living in a modern world without buying a device with NAND memory in it)!
And smart light bulbs
https://www.commitstrip.com/en/2019/02/04/open-door/?
Complicated, maybe, but expensive? Once the software is written, there should be no more cost.
> a powerful magnet
A simpler approach is, before recycling electronics, a couple blows with a hammer on the circuit board ought to take care of it. Sure, a well-funded actor may still be able to retrieve something from the memory, but unless you are a very valuable target, nobody will find it worthwhile to reconstruct a shattered circuit board.
It's why I was always amused by people worrying that an electron microscope could retrieve data from a hard disk drive rewritten 6 times. Yah, nobody's going to do that.
I have no idea what a magnet is supposed to do to flash chips, though. I thought that only affects magnetic media like hard drives.
They'll just move on to an easier target.
It's like locking the door on your house. Sure, someone really wanting to get in will bypass it. Opportunistic criminals, which are the vast majority, will just move on. You just have to not be the slowest guy in the herd running away from the leopard.
You'd need to include a Secure Enclave chip or something like it in each device. That adds cost. I've worked with IOT hardware vendors before. They will argue with you over 128K of RAM because of the cost. Every extra chip, every ounce of weight hurts their profitability at scale.
> A simpler approach is, before recycling electronics, a couple blows with a hammer on the circuit board ought to take care of it.
But then you can't reuse it. The whole point is to resell it to avoid e-waste.
> It's why I was always amused by people worrying that an electron microscope could retrieve data from a hard disk drive rewritten 6 times. Yah, nobody's going to do that.
The NSA would do that to a recovered Russian or Chinese hard drive.
> a recovered Russian or Chinese hard drive
Bit by bit with an operator and an electron microscope, how long will it take to recover a 1 terabyte drive?
It just wouldn't protect against some physical attacks to an unreset device.
First, put it in a heavy-duty freezer ziplock bag and then place on concrete. This allows you to nicely pulverize the chips into many tiny pieces without making a mess. A hammer works well, but a few taps with a sledge hammer is even better and somehow more satisfying.
Could you elaborate? I'm not an expert in this area:
What makes this so complicated? As a non-expert in any moderate cryptography, it seems like it should be straightforward?
When you say expensive, do you mean computationally, dev time, or specialized hardware?
To to whoever answers for helping my curiosity.
Making sure all data access goes through an abstraction layer that transparently encrypts and decrypts data has some complex bits to it, especially the part about storing the encryption key safely and rotating it properly. It also complicates all the hardware programming because nothing gets direct access to storage anymore, which a lot of IOT devices assume they have.
> When you say expensive, do you mean computationally, dev time, or specialized hardware?
All three. Computationally it's not expensive per se, but it requires adding a few more chips and making the CPU a little more powerful to handle all of the encryption and decryption. In IOT devices, every chip and every KB of RAM counts, so adding that overhead to every device could be a deal breaker on its own. I've worked with IOT vendors and they push back on even small increases in RAM, because it hurts their profitability at scale.
Dev time of course is required to make all the software support the abstraction layer, and specialized hardware would be required to securely store the encryption key (maybe depending on how hard core you wanted to get).
- However bad you think the security on them might be at some level, it's worse. A "factory reset" won't reliably clear data, the devices can be tricked into leaking all sorts of stuff, etc.
- No matter what the company selling them says, if it has hardware of some variety, Chekhov's Gun applies - at some point, that hardware will be used.
- You will be disappointed by the supported hardware life in terms of software updates. It will seem like someone has just gotten bored with updating it and doesn't care about the ewaste they're generating. That "last supported firmware" will eventually either have a massive security issue discovered (Western Digital is a recent example) or will talk to APIs that simply stop working at some point (I believe some Samsung "Smart Fridges" suffered this death).
There's no good reason to install this sort of stuff in a modern house if you care the slightest bit about privacy.
Modern iOS devices are fairly resistant to data extraction - secure enclaves and such, and I wasn't talking about them. I don't know the state of Android security at the hardware level these days. Some years back, it was quite poor.
That said, if you admin a group of users, a surprising number do not care about security. Turn on google's advanced protection - you will get more complaints than compliments as an example at the extra annoyances it introduces.
Even for me, apple is now rediculous with its prompts for permissions. I've had to say yes 10+ times to get an apple watch setup. So the twitter mob messes things up by their "outrage" attacks. There should be one button, I'm OK with my apple devices tracking me (health, heart rate, sleep, steps etc etc). I wish the twitter mob would focus less on this sort of thing and more on the real bad actors (buying a TV, then it later starts tracking you, then starts pushing ads to you on your fully paid device).
One problem is just that google / apple etc make much better outrage targets, so I think we've got this weird distortion - lots of gaping holes, and then constant attacks against Apple / Google.