Budget products come with the risk of insecurity

Nov 26, 2014 08:42 GMT
Security issues found by Bluebox in Black Friday - Cyber Monday deals for tablets

A mobile security firm has analyzed cheap tablets offered at a discount to Black Friday and Cyber Monday shoppers and found that most of them were delivered with worrisome security problems.

The company purchased 13 electronic devices available during the two days of large discounts, with a price tag under the $100 / €80 mark, in most cases costing the shopper even less than $50 / €40.

Reputable products are more expensive and more secure

Conducted by Bluebox using its Trustable app, the study revealed that six out of the 13 devices analyzed had at least one security issue, one of them having so many that no classification could be given.

The only trustable discounted product found by the researchers at Bluebox was the Samsung Galaxy Tab 3 Lite (discounted to $99 / €80). It did not run the latest Android version, but they say that it had no known vulnerability and that they discovered no security backdoor or misconfiguration of the security settings.

It may come as a surprise, but most of the risky products came with modified versions of the operating system that had security features taken out or disabled by default.

AOSP test key used commercially

The most insecure tablet assessed by the experts was Zeki 7’’, which was found to be affected by major vulnerabilities such as Masterkey, FakeID, Heartbleed and Futex.

Apart from this, the product had USB debugging enabled by default, included a built-in security backdoor, was signed with the AOSP (Android Open Source Project) test key, and lacked the official Google Play app, which allows users to download apps from a trustable repository.

Another tablet signed with the AOSP test key was DigiLand 7’’. “The DigiLand tablet had so many discrepancies and never-encountered-before security issues, that the current Trustable by Bluebox app couldn’t accurately score the device,” says the Bluebox report.

The AOSP test key is not intended for signing firmware of commercial devices: because the key is publicly available, a threat actor can create and sign a malicious system update to infect devices.

Security features removed, device already rooted

In the case of Mach Speed JLab Pro-7, the researchers say that the Android powering the tablet had been customized and security features had been removed. They refer to the authorization step of the ADB (Android Debug Bridge) service, which requires the user to approve an ADB connection on the device.

It seems that this feature was not present on the product equipped with Android 4.4.2, although Google implemented it in version 4.2.2 of the mobile operating system. The risk is that information can be stolen from the device over a USB connection.

On the other hand, the Mach Speed Extreme Play device has been found by the Bluebox researchers to be semi-trustable, with only one security flaw preventing it from gaining the “trustable” label: data theft via a USB connection.

On Worryfree Zeepad, security was also not at the expected standards, as the operating system on the tablet included two serious vulnerabilities (FakeID and Futex), it had the USB debugging feature turned on, and the device was pre-rooted, allowing administrator privileges for the system files by default.
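As an added example (not part of the Bluebox report or the original article), the sketch below audits the output of `adb shell getprop` for the conditions described above: test-key signing, USB debugging turned on, missing ADB authorization, and root access over ADB, which is one sign of a pre-rooted build. The property names are standard Android system properties; the two sample dumps are constructed for illustration.

```python
import re

# `adb shell getprop` prints one "[key]: [value]" pair per line.
PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")

def parse_getprop(text):
    """Parse getprop output into a dict; lines in another shape are skipped."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props

def audit(props):
    """Return findings that correspond to the issues described in the article."""
    findings = []
    if "test-keys" in props.get("ro.build.tags", "").split(","):
        findings.append("firmware signed with test keys")
    usb = props.get("persist.sys.usb.config") or props.get("sys.usb.config", "")
    if "adb" in usb.split(","):
        findings.append("USB debugging enabled")
    # adbd asks the user to authorize a host only when ro.adb.secure is 1.
    if props.get("ro.adb.secure", "0") != "1":
        findings.append("ADB authorization not enforced")
    # ro.secure=0 keeps adbd running as root; ro.debuggable=1 allows `adb root`.
    if props.get("ro.secure", "1") == "0" or props.get("ro.debuggable", "0") == "1":
        findings.append("root available over ADB")
    return findings

# Constructed sample dumps (not taken from any tested tablet).
WEAK_DEVICE = """\
[ro.build.tags]: [test-keys]
[ro.secure]: [0]
[ro.debuggable]: [1]
[persist.sys.usb.config]: [mtp,adb]
"""
HARDENED_DEVICE = """\
[ro.build.tags]: [release-keys]
[ro.secure]: [1]
[ro.debuggable]: [0]
[ro.adb.secure]: [1]
[persist.sys.usb.config]: [mtp]
"""

if __name__ == "__main__":
    for name, dump in (("weak", WEAK_DEVICE), ("hardened", HARDENED_DEVICE)):
        print(name, audit(parse_getprop(dump)) or "no findings")
```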

Some retailers pulled the insecure devices from their online offer

The tablets have been purchased in advance by Bluebox based on the Black Friday bargain offers from retailers like Best Buy, Walmart, Target, Kmart, Kohl’s, and Staples. The company says that, in the cases described above, the same models offered to shoppers were tested.

When it comes to electronics, security measures count just as much as the hardware components that make up the device. With low-budget products, corners are sometimes cut to make an appealing offer, and the impact falls on the end user.

We’ve noticed that some of the retailers offering the vulnerable products have already taken measures and no longer have them in their online store.
