CVE-2021-37436 - OpenCVE

Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device after a factory reset, to obtain sensitive information via a series of complex hardware and software attacks. NOTE: reportedly, there were vendor marketing statements about safely removing personal content via a factory reset. Also, the vendor has reportedly indicated that they are working on mitigations.

No CVSS v4.0

Attack Vector Physical

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Amazon	Echo Dot Echo Dot Firmware

Configuration 1 [-]

AND

cpe:2.3:h:amazon:echo_dot:-:*:*:*:*:*:*:*

cpe:2.3:o:amazon:echo_dot_firmware:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://arstechnica.com/gadgets/2021/07/passwords-in-amazon-echo-dots-live-on-even-after-you-factory-reset-them/
https://dl.acm.org/doi/pdf/10.1145/3448300.3467820
https://news.ycombinator.com/item?id=27943730
https://www.cpomagazine.com/data-privacy/is-it-possible-to-make-iot-devices-private-amazon-echo-dot-does-not-wipe-personal-content-after-factory-reset/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-07-24T22:46:21

Updated: 2024-08-04T01:16:04.038Z

Reserved: 2021-07-24T00:00:00

Link: CVE-2021-37436

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-07-24T23:15:07.130

Modified: 2021-08-09T17:26:13.990

Link: CVE-2021-37436

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device after a factory reset, to obtain sensitive information via a series of complex hardware and software attacks. NOTE: reportedly, there were vendor marketing statements about safely removing personal content via a factory reset. Also, the vendor has reportedly indicated that they are working on mitigations."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-24T22:46:21", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://arstechnica.com/gadgets/2021/07/passwords-in-amazon-echo-dots-live-on-even-after-you-factory-reset-them/"}, {"tags": ["x_refsource_MISC"], "url": "https://dl.acm.org/doi/pdf/10.1145/3448300.3467820"}, {"tags": ["x_refsource_MISC"], "url": "https://news.ycombinator.com/item?id=27943730"}, {"tags": ["x_refsource_MISC"], "url": "https://www.cpomagazine.com/data-privacy/is-it-possible-to-make-iot-devices-private-amazon-echo-dot-does-not-wipe-personal-content-after-factory-reset/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-37436", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device after a factory reset, to obtain sensitive information via a series of complex hardware and software attacks. NOTE: reportedly, there were vendor marketing statements about safely removing personal content via a factory reset. Also, the vendor has reportedly indicated that they are working on mitigations."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://arstechnica.com/gadgets/2021/07/passwords-in-amazon-echo-dots-live-on-even-after-you-factory-reset-them/", "refsource": "MISC", "url": "https://arstechnica.com/gadgets/2021/07/passwords-in-amazon-echo-dots-live-on-even-after-you-factory-reset-them/"}, {"name": "https://dl.acm.org/doi/pdf/10.1145/3448300.3467820", "refsource": "MISC", "url": "https://dl.acm.org/doi/pdf/10.1145/3448300.3467820"}, {"name": "https://news.ycombinator.com/item?id=27943730", "refsource": "MISC", "url": "https://news.ycombinator.com/item?id=27943730"}, {"name": "https://www.cpomagazine.com/data-privacy/is-it-possible-to-make-iot-devices-private-amazon-echo-dot-does-not-wipe-personal-content-after-factory-reset/", "refsource": "MISC", "url": "https://www.cpomagazine.com/data-privacy/is-it-possible-to-make-iot-devices-private-amazon-echo-dot-does-not-wipe-personal-content-after-factory-reset/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:16:04.038Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://arstechnica.com/gadgets/2021/07/passwords-in-amazon-echo-dots-live-on-even-after-you-factory-reset-them/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://dl.acm.org/doi/pdf/10.1145/3448300.3467820"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://news.ycombinator.com/item?id=27943730"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cpomagazine.com/data-privacy/is-it-possible-to-make-iot-devices-private-amazon-echo-dot-does-not-wipe-personal-content-after-factory-reset/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-37436", "datePublished": "2021-07-24T22:46:21", "dateReserved": "2021-07-24T00:00:00", "dateUpdated": "2024-08-04T01:16:04.038Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:amazon:echo_dot:-:*:*:*:*:*:*:*", "matchCriteriaId": "AB26F1B2-337C-4C76-8A5D-0DA2A2BED079", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:amazon:echo_dot_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC555BAC-B2FC-432A-8299-F1EEFFE7982D", "versionEndIncluding": "2021-07-02", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device after a factory reset, to obtain sensitive information via a series of complex hardware and software attacks. NOTE: reportedly, there were vendor marketing statements about safely removing personal content via a factory reset. Also, the vendor has reportedly indicated that they are working on mitigations."}, {"lang": "es", "value": "Unos dispositivos Amazon Echo Dot versiones hasta 02-07-2021 a veces permiten a atacantes, que tienen acceso f\u00edsico a un dispositivo despu\u00e9s de un restablecimiento de f\u00e1brica, obtener informaci\u00f3n confidencial por medio de una serie de complejos ataques de hardware y software. NOTA: seg\u00fan se informa, hubo declaraciones de marketing del proveedor sobre la eliminaci\u00f3n segura de contenido personal por medio de un restablecimiento de f\u00e1brica. Adem\u00e1s, el proveedor ha reportado que est\u00e1 trabajando en la mitigaci\u00f3n"}], "id": "CVE-2021-37436", "lastModified": "2021-08-09T17:26:13.990", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-07-24T23:15:07.130", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://arstechnica.com/gadgets/2021/07/passwords-in-amazon-echo-dots-live-on-even-after-you-factory-reset-them/"}, {"source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://dl.acm.org/doi/pdf/10.1145/3448300.3467820"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://news.ycombinator.com/item?id=27943730"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.cpomagazine.com/data-privacy/is-it-possible-to-make-iot-devices-private-amazon-echo-dot-does-not-wipe-personal-content-after-factory-reset/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}