
Tesco Hudl and other Android devices face data reset flaw

 Hiding data by using a factory reset option does little to delete potentially sensitive information, suggest researchers.




Data saved to a Tesco Hudl is vulnerable to recovery thanks to a bug in its core processor


Three separate investigations of Android's data deleting systems found it was possible to recover information.

In some cases, a reset just removed the list of where data was stored and deleted nothing else.

In particular, Tesco's Hudl tablet was found to have a flaw that let attackers get at data saved to onboard memory.

All the investigations used second-hand devices sold via auction sites such as eBay.

The BBC worked with security expert Ken Munro from security firm Pen Test Partners to get 10 Hudl tablets from the auction site and see how easy it was to recover information from them.

The Hudl was vulnerable, said Mr Munro, because of a known bug in the Rockchip processor at its heart.

All modern gadgets can be flipped into a "flash mode" so the onboard firmware can be updated and data written to the device.

"There's a flaw in the firmware, which allows you to read from it as well as write," he explained.

Using a freely available software tool, Mr Munro was able to easily read data from Hudl tablets to which the factory reset facility had been applied.

Getting access was the work of minutes but reading and analysing all the data typically took a couple of hours, he said.

Via this route Mr Munro was able to extract PIN codes to unlock devices as well as wi-fi keys, cookies and other browsing data that could be used to sign in to a website and masquerade as the tablet's original owner.

In response, a Tesco spokesperson said: "Customers should always ensure all personal information is removed prior to giving away or selling any mobile device. To guarantee this, customers should use a data wipe program."

The spokesperson added that any tablets returned to Tesco would have all personal data wiped. They also recommended that people get further information about how to remove personal data from smartphones via the government's Get Safe Online website.

Google said anyone selling a used gadget should follow several steps to protect information.

"If you sell or dispose of your device, we recommend you enable encryption on your device and apply a factory reset beforehand," said a spokesman.

Data encryption systems have been available on Android for years, he added.

The next release of Android is expected to enable encryption by default. Currently it is up to owners to enable it for themselves.

Naked photos

While Hudl tablets were particularly vulnerable, other work has shown how straightforward it is to retrieve data from many Android devices.

The largest study was carried out by security company Avast, which recovered an "astonishing" amount of personal data from 20 second-hand Android phones.

The company recovered tens of thousands of images, including naked selfies as well as emails and text messages plus contact names and addresses.

"What people think is that when they hit erase or factory reset it's deleting the underlying source data but it's not," said Jude McColgan, head of mobile at Avast.

Independently, Marc Rogers, principal researcher at mobile security firm Lookout, has been cataloguing what happens to data saved on the main memory of Android phones and tablets when they are reset.

"There's an Android function to wipe data and most manufacturers are using that," he said.

"But all that does is remove the index of where data is and does not delete data at all."

A secure wipe would both remove that index and overwrite onboard memory with zeroes so it could not be recovered, he added.

"As a security professional it blows my mind that people do not do this to get rid of the data."

While it was not "completely straightforward" to recover data on those reset gadgets, it was possible for a motivated attacker, and the tools to do it were widely available, said Mr Rogers.

Motivation could come from the amount of cash stolen smartphones command, he explained.

Figures shared with Lookout by police forces suggest a street price for a smartphone with data on it can exceed $1,000 (£600).

The potential profit partly arises from the cache of personal, recoverable information people leave on these devices, Mr Rogers said.

In London, about 200 phones are stolen every day according to statistics from the Metropolitan police.

Apple exploit

Recent work by computer forensics expert Jonathan Zdziarski suggests that data held on Apple's iPhones is also vulnerable to recovery.

Mr Zdziarski found that some undisclosed features in the iOS operating system bypass the data encryption system running on the device. This meant, he said, that if an iPhone was caught at the right time it became possible to extract information.

With effort, said Mr Zdziarski, using these undocumented features would let an attacker get at "privileged personal information that the device even protects from its own users from accessing".

Mr Zdziarski's work has subsequently been independently confirmed by the security firm Stroz Friedberg.

In reaction, Apple has made changes to its mobile operating system that will be fully implemented in iOS 8. These should disable some aspects of the services he identified in order to limit their ability to export information.

Mr Zdziarski welcomed the "progress" Apple had made but said it needed to go further to fix the "significant security threat" faced.

Source: BBC

