Kohl's special deal includes a backdoor and four vulnerabilities

The super-cheap Android tablets everyone bought on Black Friday and Cyber Monday could pose problems for enterprises when they arrive at the workplace after the holidays.

“A lot of them are shipping with known vulnerabilities or open back doors,” Andrew Blaich, lead security analyst at San Francisco, CA-based Bluebox Security, told CSO Online.

The lowest-scoring device was the $49.99 Zeki, from Kohl’s, which had USB debugging turned on by default; a security backdoor pre-installed; and four major security vulnerabilities — Masterkey, FakeID, Heartbleed and Futex — and it doesn’t include Google Play.

Not having access to the official app store means that the device probably didn’t go through Google’s security certification, and also forces users to get their apps through less trustworthy third-party app stores. “This was the worst tablet encountered out of the entire lineup,” said Blaich, who authored a report summarizing the results.

Manufacturers might be trying to cut corners with these devices, he suggested, shipping them with old versions of Android, with unpatched vulnerabilities in place. They may have also enabled “root” access on the devices to make it easier for them to pre-install apps — and then never fixed the problem before shipping.

Other devices that scored low enough to put them in the suspicious category were the Worryfree Zeepad from Walmart, and the Polaroid from Walgreens, both selling for under $50.

BestBuy’s DigiLand tablet, at $49.99, had so many discrepancies and never-encountered-before issues that the company couldn’t accurately score it. The device makes it easy for an attacker to create a Trojan system update, has root privileges on its USB debugging connection, and is vulnerable to the Futex bug.

Several other tablets priced at $39 to $69 were rated as “semi-trustable” for having known vulnerabilities.
They included the Nextbook, the Pioneer 7″, the Ematic, and the RCA 9″, all available from Walmart, the RCA Mercury 7″ from Target, the Mach Speed Xtreme Play from Kmart, the Mach Speed Jlab Pro from Staples, and the Craig 7″ from Fred’s.

A user could easily pick up an infection with one of these devices while surfing the web, or downloading applications with malware in them from third-party app stores, Blaich said.

Then, when users bring the devices to work, or use them to access corporate systems, they could expose their employers to potential problems. “Applications on the device could be stealing corporate data,” Blaich said. “Your email could be vulnerable.”

He recommends that users install and run anti-malware applications from their official sources. A number of vendors make such apps, he said, including AVG AntiVirus and Lookout.

In addition, Bluebox Security offers its own app, Trustable, which was the app used to score these devices.

“Within that application we give some steps that the user can take to increase their score and resolve some of the security problems,” said Blaich.

Not all sub-$100 tablets scored poorly, however.

The $99 Samsung Galaxy Tab 3 Lite, available from multiple stores, got a clean bill of health, despite running a relatively older version of Android — 4.2.2.

The latest Android devices on the market are running Android 5.

By comparison, some of the “semi-trustable” devices were running Android 4.4.2 and two of the “suspicious” tablets were running 4.1.1.

“Despite it having a somewhat older OS version, it had the highest Trust Score of all reviewed tablets, no known vulnerabilities, and no security misconfigurations,” Blaich said in the report.
“Which goes to show: pay a little more for a reputable brand, and you’ll get a better experience.”