Why it's a bad idea to sell your child's cheap tablet on eBay

http://www.theguardian.com/technology/2014/sep/17/sell-childs-tablet-ebay-privacy

Parents understandably don’t want to spend excessive amounts of money on tablets for their children. Many choose to buy relatively low-cost Android devices from the supermarket, such as Tesco’s Hudl or Aldi’s Lifetab.

Once the kids are done with the tablet, mums and dads often flog it on eBay to recover some of the expense. But researchers have warned this could be a privacy nightmare in waiting, as wiping functions on these devices have been known to fail, leaving data accessible to their buyers.

Ken Munro, from security firm Pen Test Partners, told the Guardian that the Hudl, Lifetab and the Moshi Monsters-branded tablet all failed to properly delete information when using Android’s wipe feature.

After buying 20 devices from eBay, all of which cost less than £20 each, Munro discovered he was able to extract information including passwords for social networks, private photos and browsing history of minors. By looking at the apps, internet searches and passwords found across the 20 devices, the researchers determined six had been used by children.

Amongst the data recovered from the tablets were photos of children. There were also passwords to Twitter, Amazon and Steam accounts, as well as login tokens to Gmail, Google Play, Google Plus and YouTube accounts, meaning these accounts could have been compromised.

Parents would be horrified to learn their child’s data could be accessed so easily, Munro said. “Our most significant concern is that predators could buy cheap, used tablets from online auction sites and other sources. Using simple tools, they could recover children’s data and passwords,” he said.

“This could allow the predator to access their social networks directly, making for terrifying cyber-stalking from inside their social network account. They would have access to your child’s account.”

The problem lies in tablets with a range of Rockchip processors, which remain vulnerable today, though the manufacturer is planning to release a fix.

The flaw allowed anyone who acquired an affected tablet to read data that wasn’t successfully deleted by the factory reset option in Android settings. Munro’s team of researchers used the freely available ‘rkflashtool’ to get at memory in the chips on the device and read the data.

Whilst some blame lies with Rockchip, the vendors “should have been through an assurance process”, Munro added. “Given the tools have been around for 18 months, then you expect things to improve.”

Tesco recognised the issues earlier this year, saying it was able to wipe Hudl devices of all information if returned to them. “Customers should always ensure all personal information is removed prior to giving away or selling any mobile device. To guarantee this, customers should use a data wipe program,” a spokesperson told the Guardian.

Mind Candy, the creator of Moshi Monsters, said its device was no longer being made, but directed the Guardian’s enquiry on to Ingo, which made the tablet and creates various devices for children.

It had not provided comment at the time of publication. Neither Rockchip nor Aldi had offered comment either.

“Rockchip is working on a fix right now,” noted Munro. “We’ve seen some code which suggests the new firmware will work correctly and fix the bug. Deploying it to the installed user base is another matter though.”

A spokesperson for the National Crime Agency, which runs the Child Exploitation and Online Protection Centre (CEOP), added: “Parents, carers and young people should be vigilant about the digital trail of information left behind when buying or selling a refurbished or second-hand device.

“As demonstrated in this example, it may still be very difficult to be sure that information is secure despite taking these precautions, as such it is also advisable to change passwords on social media profiles, accounts, games and apps.”

There are a number of steps concerned parents can take to ensure data is properly wiped. Here are Munro’s top tips: