Cheapest tablets pose biggest security risks

The super-cheap Android tablets everyone bought on Black Friday and Cyber Monday could pose problems for enterprises when they arrive at the workplace after the holidays.

"A lot of them are shipping with known vulnerabilities or open back doors," Andrew Blaich, lead security analyst at San Francisco, CA-based Bluebox Security, told CSO Online.

The lowest-scoring device was the $49.99 Zeki, from Kohl's, which had USB debugging turned on by default; a security backdoor pre-installed; and four major security vulnerabilities -- Masterkey, FakeID, Heartbleed and Futex -- and it doesn't include Google Play.

Not having access to the official app store means that the device probably didn't go through Google's security certification, and also forces users to get their apps through less trustworthy third-party app stores.

"This was the worst tablet encountered out of the entire lineup," said Blaich, who authored a report summarizing the results.

Manufacturers might be trying to cut corners with these devices, he suggested, shipping them with old versions of Android, with unpatched vulnerabilities in place.

They may have also enabled "root" access on the devices to make it easier for them to pre-install apps -- and then never fixed the problem before shipping.

Other devices that scored low enough to put them in the suspicious category were the Worryfree Zeepad from Walmart, and the Polaroid from Walgreens, both selling for under $50.

BestBuy's DigiLand tablet, at $49.99, had so many discrepancies and never-encountered-before issues that the company couldn't accurately score it. The device makes it easy for an attacker to create a Trojan system update, has root privileges on its USB debugging connection, and is vulnerable to the Futex bug.
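As an added illustration (not code from the article or from Bluebox's Trustable app), the following Python performs the kind of intake check an administrator could run on a tablet before it touches corporate systems, using constructed `adb shell getprop` and `pm list packages` output to flag the misconfigurations the article names: USB debugging on by default, adb running with root, no Google Play, and an old OS release. The property names and the Play Store package name are real Android identifiers; the sample output and the minimum-release baseline are assumptions.

```python
# Constructed sample of `adb shell getprop` output for a hypothetical tablet.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [4.1.1]
[ro.secure]: [0]
[ro.debuggable]: [1]
[persist.sys.usb.config]: [mtp,adb]
[ro.product.model]: [Example Tab]
"""

# Constructed sample of `adb shell pm list packages` output (no Play Store).
SAMPLE_PACKAGES = """\
package:com.android.settings
package:com.android.browser
package:com.example.thirdpartystore
"""

# Assumption: a baseline an administrator chooses; the article gives none.
MIN_RELEASE = (4, 4, 4)

def parse_getprop(text):
    """Parse getprop's `[key]: [value]` lines into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and "]: [" in line and line.endswith("]"):
            key, value = line[1:-1].split("]: [", 1)
            props[key] = value
    return props

def parse_packages(text):
    """Collect package names from `package:<name>` lines."""
    return {l.strip()[len("package:"):] for l in text.splitlines()
            if l.strip().startswith("package:")}

def version_tuple(release):
    return tuple(int(p) for p in release.split(".") if p.isdigit())

def assess(props, packages, min_release=MIN_RELEASE):
    """Return the list of findings; empty means no issue detected."""
    findings = []
    if "adb" in props.get("persist.sys.usb.config", "").split(","):
        findings.append("usb_debugging_enabled")       # debugging on by default
    if props.get("ro.secure") == "0" or props.get("ro.debuggable") == "1":
        findings.append("adb_root")                    # shell over USB runs as root
    if "com.android.vending" not in packages:
        findings.append("no_google_play")              # official store absent
    release = props.get("ro.build.version.release", "")
    if version_tuple(release) < min_release:
        findings.append("old_release:" + release)      # likely unpatched bugs
    return findings

def verdict(findings):
    """Map findings onto the article's three categories."""
    if "adb_root" in findings or "usb_debugging_enabled" in findings:
        return "suspicious"
    return "semi-trustable" if findings else "trustable"
```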

Several other tablets priced at $39 to $69 were rated as "semi-trustable" for having known vulnerabilities. They included the Nextbook, the Pioneer 7", the Ematic, and the RCA 9", all available from Walmart, the RCA Mercury 7" from Target, the Mach Speed Xtreme Play from Kmart, the Mach Speed Jlab Pro from Staples, and the Craig 7" from Fred's.

A user could easily pick up an infection with one of these devices while surfing the web, or downloading applications with malware in them from third-party app stores, Blaich said.

Then, when users bring the devices to work, or use them to access corporate systems, they could expose their employers to potential problems.

"Applications on the device could be stealing corporate data," Blaich said. "Your email could be vulnerable."

He recommends that users install and run anti-malware applications from their official sources. A number of vendors make such apps, he said, including AVG AntiVirus and Lookout.

In addition, Bluebox Security offers its own app, Trustable, which was the app used to score these devices.

"Within that application we give some steps that the user can take to increase their score and resolve some of the security problems," said Blaich.

Not all sub-$100 tablets scored poorly, however.

The $99 Samsung Galaxy Tab 3 Lite, available from multiple stores, got a clean bill of health, despite running a relatively older version of Android -- 4.2.2.

The latest Android devices on the market are running Android 5.

By comparison, some of the "semi-trustable" devices were running Android 4.4.2 and two of the "suspicious" tablets were running 4.1.1.

"Despite it having a somewhat older OS version, it had the highest Trust Score of all reviewed tablets, no known vulnerabilities, and no security misconfigurations," Blaich said in the report. "Which goes to show: pay a little more for a reputable brand, and you'll get a better experience."


Stories by Maria Korolov
