Many IoT devices collect a lot of data and log files. Of course, most of this data is sent to the Cloud. However, often this data is also stored locally on the device and never deleted in the lifetime of those devices, not even on a factory reset (in contrast to Smart Phones nowadays). This might surprise many people, and especially end users might not be aware of that. Due to the design of IoT devices, there is usually no real way, like for notebooks or PCs, for end users to clean the devices before they sell them on eBay or discard them. The devices may hold sensitive information like Wi-Fi credentials, nearby access points, cloud communication log files, maps, or audio samples.
In this talk I will show some examples of interesting IoT devices from various vendors and how to extract the corresponding information. We will use software methods (rooting) and hardware methods (flash dumping). Using this information, I will show how I am able to find the original owner of the device. Also I discuss various challenges and tricks of the methods, and how to prevent this kind of data leakage for yourself.