Supermarket tablets often offer a factory reset wipe option, but this often leaves personally identifiable information behind.
Speaking at 44CON in London, Ken Munro, partner at Pen Test Partners, said that end-users do not realise that tablets are small computers and that everything that goes into them gets cached and stored locally. People do not understand how much content is on them – they are cheap and given to kids and if they break, they are disposable.
As a result, Pen Test Partners bought a number of used tablets and found that while there are options to do a remote wipe or restore to factory settings, these are not always effective. He said: “We found that users are not resetting it and cannot do a wipe or personally fix it as they don’t know how to. These are sold on eBay and it is amazing how cheap they are second hand.”
He claimed that tablets have “mass market appeal” and users are not going to pay for security for them, and unless someone charitably says that they will wipe it for you, there is no other way for this to go forward. “A lot can do over the air firmware upgrades and supermarkets are rolling out better security,” he said.
“What bothers me is the public as a whole are considering these to be secure but what we really need is for them to be encrypting their devices. Rockchip offers a 15 minute factory wipe. There are poorly-built cheap tablets but some are good, and the new version of Android will include encryption by default. If you cannot wipe it, then maybe do not sell it. It seems end-users don’t understand the significance.”
Talking to IT Security Guru, Pen Test Partners’ David Lodge said that a clue that the factory reset had not worked was that it was “too quick” to remove 16GB of data.
Asked how the message could be better broadcast to users by the supermarkets and retailers, Munro said that some places are now saying that if a device is broken it can be returned, as it has no value with a broken screen, and these are trashed.
He said: “I think all of the supermarkets have got to realise that they have got to deploy better security for these devices, but the problem is you have a massive installed base and how do you get them to upgrade?
“The problem is that tablets are given to kids and they take photos and the whole child protection thing is completely missed out. That is how you bring the end-user round to the threat. I think it would be really cool if Tesco turned around and said when Hudl 2 is released, they offer you a £10 discount when you trade in your Hudl 1, because then they have them back.”