Home
Tesco Hudl and other Android devices face data reset flaw
Data saved to a Tesco Hudl is vulnerable to recovery thanks to a bug in its core processor
Hiding data by using a factory reset option does little to delete potentially sensitive information, suggest researchers.
Three separate investigations of Android's data deleting systems found it was possible to recover information.
In some cases, a reset just removed the list of where data was stored and deleted nothing else.
In particular, Tesco's Hudl tablet was found to have a flaw that let attackers get at data saved to onboard memory.
All the investigations used second-hand devices sold via auction sites such as eBay.
The BBC worked with security expert Ken Munro from security firm Pen Test Partners to get 10 Hudl tablets from the auction site and see how easy it was to recover information from them.
The Hudl was vulnerable, said Mr Munro, because of a known bug in the Rockchip processor at its heart.
All modern gadgets can be flipped into a "flash mode" so the onboard firmware can be updated and data written to the device.
"There's a flaw in the firmware, which allows you to read from it as well as write," he explained.
Using a freely available software tool, Mr Munro was able to easily read data from Hudl tablets to which the factory reset facility had been applied
Getting access was the work of minutes but reading and analysing all the data typically took a couple of hours, he said.
Via this route Mr Munro was able to extract Pin codes to unlock devices as well as wi-fi keys, cookies and other browsing data that could be used to sign in to a website and masquerade oneself as the tablet's original owner.
In response, a Tesco spokesperson said: "Customers should always ensure all personal information is removed prior to giving away or selling any mobile device. To guarantee this, customers should use a data wipe program."
The spokesperson added that any tablets returned to Tesco would have all personal data wiped. They also recommended that people get further information about how to remove personal data from smartphones via the government's Get Safe Online website.
Google said anyone selling a used gadget should follow several steps to protect information.
"If you sell or dispose of your device, we recommend you enable encryption on your device and apply a factory reset beforehand," said a spokesman.
Data encryption systems have been available on Android for years, he added.
The next release of Android is expected to enable encryption by default. Currently it is up to owners to enable it for themselves.
Data saved to a Tesco Hudl is vulnerable to recovery thanks to a bug in its core processor
Hiding data by using a factory reset option does little to delete potentially sensitive information, suggest researchers.
Three separate investigations of Android's data deleting systems found it was possible to recover information.
In some cases, a reset just removed the list of where data was stored and deleted nothing else.
In particular, Tesco's Hudl tablet was found to have a flaw that let attackers get at data saved to onboard memory.
All the investigations used second-hand devices sold via auction sites such as eBay.
The BBC worked with security expert Ken Munro from security firm Pen Test Partners to get 10 Hudl tablets from the auction site and see how easy it was to recover information from them.
The Hudl was vulnerable, said Mr Munro, because of a known bug in the Rockchip processor at its heart.
All modern gadgets can be flipped into a "flash mode" so the onboard firmware can be updated and data written to the device.
"There's a flaw in the firmware, which allows you to read from it as well as write," he explained.
Using a freely available software tool, Mr Munro was able to easily read data from Hudl tablets to which the factory reset facility had been applied
Getting access was the work of minutes but reading and analysing all the data typically took a couple of hours, he said.
Via this route Mr Munro was able to extract Pin codes to unlock devices as well as wi-fi keys, cookies and other browsing data that could be used to sign in to a website and masquerade oneself as the tablet's original owner.
In response, a Tesco spokesperson said: "Customers should always ensure all personal information is removed prior to giving away or selling any mobile device. To guarantee this, customers should use a data wipe program."
The spokesperson added that any tablets returned to Tesco would have all personal data wiped. They also recommended that people get further information about how to remove personal data from smartphones via the government's Get Safe Online website.
Google said anyone selling a used gadget should follow several steps to protect information.
"If you sell or dispose of your device, we recommend you enable encryption on your device and apply a factory reset beforehand," said a spokesman.
Data encryption systems have been available on Android for years, he added.
The next release of Android is expected to enable encryption by default. Currently it is up to owners to enable it for themselves.