Vulnerability Details CVE-2021-37436
Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device after a factory reset, to obtain sensitive information via a series of complex hardware and software attacks. NOTE: reportedly, there were vendor marketing statements about safely removing personal content via a factory reset. Also, the vendor has reportedly indicated that they are working on mitigations.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 27.1%
CVSS Severity
CVSS v3 Score 4.2
CVSS v2 Score 1.9
References
- https://arstechnica.com/gadgets/2021/07/passwords-in-amazon-echo-dots-live-on-even-after-you-factory-reset-them/
- https://dl.acm.org/doi/pdf/10.1145/3448300.3467820
- https://news.ycombinator.com/item?id=27943730
- https://www.cpomagazine.com/data-privacy/is-it-possible-to-make-iot-devices-private-amazon-echo-dot-does-not-wipe-personal-content-after-factory-reset/
- https://arstechnica.com/gadgets/2021/07/passwords-in-amazon-echo-dots-live-on-even-after-you-factory-reset-them/
- https://dl.acm.org/doi/pdf/10.1145/3448300.3467820
- https://news.ycombinator.com/item?id=27943730
- https://www.cpomagazine.com/data-privacy/is-it-possible-to-make-iot-devices-private-amazon-echo-dot-does-not-wipe-personal-content-after-factory-reset/
Products affected by CVE-2021-37436
-
cpe:2.3:h:amazon:echo_dot:-
-
cpe:2.3:o:amazon:echo_dot_firmware:-
-
cpe:2.3:o:amazon:echo_dot_firmware:2018-04-27
-
cpe:2.3:o:amazon:echo_dot_firmware:2021-07-02