This year’s Black Friday offered some amazing deals for tablet shoppers. Even outside bargain season, there are a number of tablets that retail for under $100, but on the most recent Friday after Thanksgiving, you could — if you were able to beat the crowds to the shelves — pick up a tablet for under $50. On one level, that’s nothing short of amazing: you’re getting the power of a laptop computer from a couple of years ago for about the same cost as a family of four to go to the movies. On another level, it’s frightening, because cheap tablets have a nasty little secret.
The good thing and bad thing about Android devices is that just about any manufacturer can build and sell them. The good thing is that this approach has created a large ecosystem of devices at all price points, from top-tier models like HTC’s Nexus 9 and Samsung’s Galaxy Tab S to a wide array of cheap tablets that you can get via Amazon, Walmart or even your neighborhood drug store for under $100. The bad thing is that it’s resulting in a market of products at all levels of quality, from best-in-class to nightmarishly horrible. In order to sell tablets to the lower end of the market, something’s got to give, and more often than not, that “something” is quality control.
While poor hardware quality control is more likely to affect the owners of devices who bring them to work, it’s poor software quality control that businesses who allow the use of personal devices for work have to watch out for. The problem isn’t with the Android operating system itself, but in the way that vendors install the operating system and modify it to work with their devices, as well as the add-ons and applications that they install on their devices to differentiate themselves from the others. You’re generally safe with the more expensive tablets from “name” vendors like Samsung and HTC, but once you go into off-brand cut-rate territory, you’ll encounter things like:
- operating systems that haven’t been patched for vulnerabilities,
- operating systems with modifications that either bypass or weaken the built-in security measures,
- misconfigured security settings, and
- malicious software and intentional security holes designed to allow unauthorized parties to access and take control of the device.
Now imagine giving these compromised devices access to your corporate systems. Each cheap, poorly-secured device on your network adds to the “attack surface” — the total of all the different points where an attacker can use for unauthorized entry — that malicious parties can use to access your data and resources.
How vulnerable are cheap tablets?
The short answer: Very. The long answer is below.
The San Francisco-based mobile data security company Bluebox decided to test the security of a number of tablets — a couple of premium ones (the HTC Nexus 9 and Samsung Galaxy Tab 3 Lite) as well as a variety of sub-$100 tablets that were hyped in this year’s Black Friday sales — by running their new app, Trustable, on them to see what it would report. The app is available for free on the Google Play store, and running it on an Android device generates a trust score ranging from 0 to 10 (with 10 being the most trustworthy) that factors in such things as:
- Known system vulnerabilities on the device,
- insecure configurations that are the fault of the device vendor,
- insecure configurations that are the fault of the device user, and
- number of applications installed on the device, both by the vendor and the user.
As you can see in the table below, the Nexus 9 and Galaxy Tab 3 Lite were rated as “trustworthy” by Trustable. The cheaper tablets didn’t do as well on their security tests:
| Device | Black Friday Price | Trust score | Notes |
|---|---|---|---|
| HTC Nexus 9 | $399.99 | 10 (trustable) | No known vulnerabilities, security back doors, potential to have its data stolen via USB, or security misconfigurations that are the vendor’s fault. |
| Samsung Galaxy Tab 3 Lite | $99.99 | 8.6 (trustable) | No known vulnerabilities, security back doors, potential to have its data stolen via USB, or security misconfigurations that are the vendor’s fault. |
| Nextbook (Walmart) | $49.00 | 7 (semi-trustable) | Ships with the FakeID and Towelroot vulnerabilities. |
| RCA 7 Mercury (Target) | $39.99 | 6.9 (semi-trustable) | Ships with the FakeID and Towelroot vulnerabilities. |
| Mach Speed Xtreme Play (Kmart) | $39.99 | 6.5 (semi-trustable) | Ships with the FakeID and Towelroot vulnerabilities. |
| Pioneer 7″ (Walmart) | $49.99 | 6.4 (semi-trustable) | Ships with the Master Key and FakeID vulnerabilities. |
| Ematic (Walmart) | $39.99 | 6.3 (semi-trustable) | Ships with the Master Key, FakeID and Towelroot vulnerabilities. |
| Mach Speed Jlab Pro (Staples) | $49.99 | 6.1 (semi-trustable) | Ships with the FakeID and Towelroot vulnerabilities, as well as vulnerability to data theft via USB. |
| RCA 9 Gemini (Walmart) | $69.00 | 5.8 (semi-trustable) | Ships with the Master Key, FakeID and Towelroot vulnerabilities. |
| Craig 7″ (Fred’s) | $49.99 | 5.5 (semi-trustable) | Ships with the Master Key, FakeID and Towelroot vulnerabilities. |
| Worryfree Zeepad (Walmart) | $47.32 | 4.4 (suspicious) | Ships with the FakeID and Towelroot vulnerabilities, a security back door, vulnerability to data theft via USB, and security misconfigurations that are the vendor’s fault. |
| Polaroid (Walgreens) | $49.99 | 2.7 (suspicious) | Ships with the Heartbleed, Master Key, FakeID and Towelroot vulnerabilities, a security back door, and security misconfigurations that are the vendor’s fault. |
| Zeki (Kohl’s) | $49.99 | 2.1 (damned suspicious) | Ships with the FakeID and Towelroot vulnerabilities, a security back door, vulnerability to data theft via USB, and security misconfigurations that are the vendor’s fault. |
| Digiland (Best Buy) | $49.99 | Too insecure to measure | Ships with the Towelroot vulnerability, a security back door, and security misconfigurations that are the vendor’s fault. |
The folks at Bluebox discovered that:
- Almost all the cheap tablets had two vulnerabilities — weak points in the operating system that have been discovered and used by malicious parties — called “FakeID” and “Towelroot” (the folks at Bluebox call it by another name, “Futex”). FakedID is a weakness that allows a program to pretend that it’s a trusted program and thereby gain privileges that an untrusted program wouldn’t otherwise have, and Towelroot can give an unauthorized program “root” or administrative privileges, allowing it complete control of the device, These vulnerabilities are the product of operating systems being so complex that it’s all too easy to unintentionally leave a weak point in them that someone motivated enough to do so will eventually find them. Google, the people behind Android, regularly make “patches” — fixes for these errors — available, but it’s up to the vendors to incorporate them into devices that they’re manufacturing, and to push these updates to their devices “in the wild”. The bigger, pricier tablet vendors are pretty good about this, but the off-brand purveyors of bargain-bin tablets? Not so much.
- Many of the cheap tablets also shipped with the “Master Key” vulnerability, which makes it possible for a maliciously-modified app to pose as the original. The folks at Bluebox figured this out, and responsibly disclosed it to Google. Google has posted a fix for this problem, but it’s up to Android device vendors to make sure that they use this fix. Once again, the high-end vendors have done so, while the cheaper ones may get around to it someday.
- Some of the cheaper devices came “out of the box” with less-secure security configurations. These settings allow the user to install apps from sources other than Google Play, which also allows the installation of apps from malicious sources.
- A few of the devices came pre-installed with “back door” software. Back door applications are software specifically designed to run without the user’s knowledge or approval and allow certain malicious parties who know how to access them gain entry into a system. The cheapest of the cheap tablets had these installed and lying in wait.
Don’t let people use their Black Friday bargain tablets for work!
People are starting coming back to work from the holidays, and some of them may want to use the bargain tablets they picked up for themselves or got as a gift for work. Don’t let them!
If you do allow the use of personal devices at work, make sure that you:
- Have a policy that clearly specifies platforms and devices that are approved for work use, and make sure that bargain mobile devices are clearly disallowed. They’re often more vulnerable thanks to cut-rate quality control,
- Explain the risks involved in using cheap devices to access corporate resources, whether at the office, on the go, or at home,
- Use mobile device management to ensure that mobile devices used for work are configured properly, and
- Take advantage of security software like Bluebox’s Trustable (once again, it’s free) to see how trustworthy your mobile devices are.
