Cheapest tablets pose biggest security risks

The super-cheap Android tablets everyone bought on Black Friday and Cyber Monday could pose problems for enterprises when they arrive at the workplace after the holidays.

“A lot of them are shipping with known vulnerabilities or open back doors,” Andrew Blaich, lead security analyst at San Francisco, CA-based Bluebox Security, told CSO Online.

The lowest-scoring device was the $49.99 Zeki, from Kohl’s, which had USB debugging turned on by default; a security backdoor pre-installed; and four major security vulnerabilities — Masterkey, FakeID, Heartbleed and Futex — and it doesn’t include Google Play.

Not having access to the official app store means that the device probably didn’t go through Google’s security certification, and also forces users to get their apps through less trustworthy third-party app stores.

“This was the worst tablet encountered out of the entire lineup,” said Blaich, who authored a report summarizing the results.

Manufacturers might be trying to cut corners with these devices, he suggested, shipping them with old versions of Android, with unpatched vulnerabilities in place.

They may have also enabled “root” access on the devices to make it easier for them to pre-install apps — and then never fixed the problem before shipping.

Other devices that scored low enough to put them in the suspicious category were the Worryfree Zeepad from Walmart, and the Polaroid from Walgreens, both selling for under $50.

BestBuy’s DigiLand tablet, at $49.99, had so many discrepancies and never-encountered-before issues that the company couldn’t accurately score it. The device makes it easy for an attacker to create a Trojan system update, has root privileges on its USB debugging connection, and is vulnerable to the Futex bug.

Several other tablets priced at $39 to $69 were rated as “semi-trustable” for having known vulnerabilities. They included the Nextbook, the Pioneer 7″, the Ematic, and the RCA 9″, all available from Walmart, the RCA Mercury 7″ from Target, the Mach Speed Xtreme Play from Kmart, the Mach Speed Jlab Pro from Staples, and the Craig 7″ from Fred’s.

A user could easily pick up an infection with one of these devices while surfing the web, or downloading applications with malware in them from third-party app stores, Blaich said.

Then, when users bring the devices to work, or use them to access corporate systems, they could expose their employers to potential problems.

“Applications on the device could be stealing corporate data,” Blaich said. “Your email could be vulnerable.”

He recommends that users install and run anti-malware applications from their official sources. A number of vendors make such apps, he said, including AVG AntiVirus and Lookout.

In addition, Bluebox Security offers its own app, Trustable, which was the app used to score these devices.

“Within that application we give some steps that the user can take to increase their score and resolve some of the security problems,” said Blaitch.

Not all sub-$100 tablets scored poorly, however.

The $99 Samsung Galaxy Tab 3 Lite, available from multiple stores, got a clean bill of health, despite running a relatively older version of Android — 4.2.2.

The latest Android devices on the market are running Android 5.

By comparison, some of the “semi-trustable” devices were running Android 4.4.2 and two of the “suspicious” tablets were running 4.1.1.

“Despite it having a somewhat older OS version, it had the highest Trust Score of all reviewed tablets, no known vulnerabilities, and no security misconfigurations,” Blaich said in the report. “Which goes to show: pay a little more for a reputable brand, and you’ll get a better experience.”