CVE-2021-37436
low-risk
Published 2021-07-24
Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device after a factory reset, to obtain sensitive information via a series of complex hardware and software attacks. NOTE: reportedly, there were vendor marketing statements about safely removing personal content via a factory reset. Also, the vendor has reportedly indicated that they are working on mitigations.
Do I need to act?
-
0.09% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.2/10
Medium
PHYSICAL
/ HIGH complexity
Affected Products (1)
Echo Dot Firmware
Affected Vendors
References (8)
Third Party Advisory
https://arstechnica.com/gadgets/2021/07/passwords-in-amazon-echo-dots-live-on-ev...
Technical Description
https://dl.acm.org/doi/pdf/10.1145/3448300.3467820
Third Party Advisory
https://news.ycombinator.com/item?id=27943730
Third Party Advisory
https://www.cpomagazine.com/data-privacy/is-it-possible-to-make-iot-devices-priv...
Third Party Advisory
https://arstechnica.com/gadgets/2021/07/passwords-in-amazon-echo-dots-live-on-ev...
Technical Description
https://dl.acm.org/doi/pdf/10.1145/3448300.3467820
Third Party Advisory
https://news.ycombinator.com/item?id=27943730
Third Party Advisory
https://www.cpomagazine.com/data-privacy/is-it-possible-to-make-iot-devices-priv...
16
/ 100
low-risk
Severity
11/34 · Low
Exploitability
0/34 · Minimal
Exposure
5/34 · Minimal