Tesco Hudl: and other Android devices face data reset flaw
Hiding data by using a factory reset option does little to delete
potentially sensitive information, suggest researchers.
Three separate investigations of Android's data deleting systems
found it was possible to recover information.
In some cases, a reset just removed the list of where data was stored
and deleted nothing else.
In particular, Tesco's Hudl tablet was found to have a flaw that let
attackers get at data saved to on-board memory.
All the investigations used second-hand devices sold via auction
sites such as eBay.
The BBC worked with security expert Ken Munro from security firm Pen
Test Partners to get 10 Hudl tablets from the auction site and see how
easy it was to recover information from them.
The Hudl was vulnerable, said Mr Munro, because of a known bug in the
Rockchip processor at its heart.
All modern gadgets can be flipped into a "flash mode" so the on-board
firmware can be updated and data written to the device.
"There's a flaw in the firmware, which allows you to read from it as
well as write," he said.
Using a freely available software tool, Mr Munro was able to easily
read data from Hudl tablets to which the factory reset facility had been
applied.
Getting access was the work of minutes but reading and analysing all
the data typically took a couple of hours, he said.
Via this route Mr Munro was able to extract Pin codes to unlock
devices as well as wi-fi keys, cookies and other browsing data that
could be used to sign in to a website and masquerade oneself as the
tablet's original owner.
In response, a Tesco spokesperson said: "Customers should always
ensure all personal information is removed prior to giving away or
selling any mobile device. To guarantee this, customers should use a
data wipe program."
The spokesperson added that any tablets returned to Tesco would have
all personal data wiped. They also recommended that people get further
information about how to remove personal data from smartphones via the
government's Get Safe Online website.
Google said anyone selling a used gadget should follow several steps
to protect information.
"If you sell or dispose of your device, we recommend you enable
encryption on your device and apply a factory reset beforehand," said a
spokesman.
Data encryption systems have been available on Android for years, he
said.
The next release of Android is expected to enable encryption by
default. Currently it is up to owners to enable it for themselves.
Naked photos
While Hudl tablets were particularly vulnerable, other work has shown
how straightforward it is to retrieve data from many Android devices.
The largest study was carried out by security company Avast, which
recovered an "astonishing" amount of personal data from 20 second-hand
Android phones.
The company recovered tens of thousands of images, including naked
selfies as well as emails and text messages plus contact names and
addresses. "What people think is that when they hit erase or factory
reset it's deleting the underlying source data but it's not," said Jude
McColgan, head of mobile at Avast. Independently, Marc Rogers, principal
researcher at mobile security firm Lookout, has been cataloguing what
happens to data saved on the main memory of Android phones and tablets
when they are reset.
"There's an Android function to wipe data and most manufacturers are
using that," he said.
"But all that does is remove the index of where data is and does not
delete data at all." A secure wipe would both remove that index and
overwrite on-board memory with zeroes so it could not be recovered, he
said. "As a security professional it blows my mind that people do not do
this to get rid of the data."
While it was not "completely straightforward" to recover data on
those reset gadgets it was possible for a motivated attacker and the
tools to do it were widely available, said Mr Rogers.
Motivation could come from the amount of cash stolen smartphones
command, he said.Figures shared with Lookout by police forces suggest a
street price for a smartphone with data on it can exceed $1,000 (£600).
The potential profit partly arises from the cache of personal,
recoverable information people leave on these devices, Mr Rogers said.
In London, about 200 phones are stolen every day according to
statistics from the Metropolitan police.
Apple exploit
Recent work by computer forensics expert Jonathan Zdziarski suggests
that data held on Apple's iPhones is also vulnerable to recovery.
Mr Zdziarski found that some undisclosed features in the iOS
operating system bypass the data encryption system running on the
device.
This meant, he said, that if an iPhone was caught at the right time
it becomes possible to extract information.
With effort, said Mr Zdziarski, using these undocumented features
would let an attacker get at "privileged personal information that the
device even protects from its own users from accessing".
Mr Zdziarski's work has subsequently been independently confirmed by
the security firm Stroz Friedberg.
In reaction, Apple has made changes to its mobile operating system
that will be fully implemented in iOS 8. These should disable some
aspects of the services he identified in order to limit their ability to
export information.
Mr Zdziarski welcomed the "progress" Apple had made but said it
needed to go further to fix the "significant security threat" faced.
Courtesy: BBC |