Cheap and cheerful Android tablets have revolutionised the market over the past year and are often seen as ideal for children. But what happens when that device becomes broken or the user wants to replace it with the latest model? It's here that the destruction of data becomes an issue, because if neglected it could leave your child open to predatory stalking.
We decided to do some research into just how much data we could recover from used and damaged budget tablets. We bought some twenty used tablets from eBay. None of them cost more than £20, and broken ones were much cheaper, usually under £5. Of these, five were physically broken so we had to fix them in order to recover data. Around half had cracked screens but the other hardware and data was intact.
Eight had been ‘factory reset’ using the native facility in Android ‘Settings’. This ‘wipe’ is not effective, and we were able to recover some sensitive personal data from the ‘wiped’ tablets. On these Android devices only a partial overwrite is performed, leaving behind a substantial amount of recoverable data. All the wipe had really done was remove the references to the files; the file contents themselves remained on the flash, and it was usually possible to recover them.
Of the twenty tablets, another eight hadn't been wiped at all. Five of those could have been wiped but simply weren't: they weren't broken enough to prevent the user from wiping them before sale, the user just hadn't bothered.
To access data from the ‘wiped’ devices we used a set of memory extraction tools. These were run from a test machine, so it didn't matter whether the device had a broken screen or not.
Based on the apps, internet searches and passwords we found on them, we could clearly tell that six of the tablets had been used by children. We located children's Twitter, Amazon and Steam account details and passwords, plus YouTube, Google+ and other Google OAuth tokens. All passwords were very simple; some were obviously pets' names! Notably, we recovered Google Play OAuth tokens from ALL of the tablets used by children. Worryingly, we also found photos of those children.
Piecing all of this together, it's easy to see how data housed on these devices could form a detailed picture of that child and their habits. Our concern is that predators could buy cheap, used tablets and recover children's data and passwords. This could allow the predator to access their social networks directly, allowing the individual to cyber-stalk the child from inside their social network accounts.
With Christmas coming, parents will be thinking of disposing of that old tablet in favour of a new one. Our advice is do not sell used or broken tablets, unless you can be certain the data has been thoroughly wiped. As a reminder, the factory reset option for most Android tablets is not effective as a wipe.
Encryption has been supported by Android since version 3.0 (Honeycomb), but none of the tablets we bought had been encrypted. A fairly effective wipe can be carried out by first encrypting the tablet, then running a factory reset. This should overwrite the encryption keys, leaving only ciphertext on the flash. However, some of the cheap tablet hardware (notably those based on the Rockchip SoC) doesn't even support encryption, despite the software being capable of doing so.
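The two behaviours described above, a ‘factory reset’ that only removes the references to files while leaving their contents on the flash, and the encrypt-then-reset approach of this paragraph, can be shown with a small simulation. The Python below is an added example written for this page; it is not Pen Test Partners' tooling and not Android's implementation. The flash layout, the 64-byte block alignment, the sample ‘secrets’ and the HMAC-SHA256 keystream standing in for the device's disk encryption are all constructed assumptions. The `residual_secrets` function is also the check worth running over any image before a device leaves your hands: search the raw flash for known content rather than trusting the file listing.

```python
"""Toy flash image: why an index-only reset is not a wipe, and why
encrypt-then-reset is. Layout is constructed for this example: the first
TABLE_SIZE bytes hold an index of (offset, length) pairs, the rest is data."""
import hashlib
import hmac
import re
import struct

FLASH_SIZE = 4096
TABLE_SIZE = 256                    # index region (assumed layout)
BLOCK = 64                          # files start on 64-byte boundaries (assumed)
ENTRY = struct.Struct("<HH")        # one index entry: offset, length (uint16 each)
MAX_ENTRIES = TABLE_SIZE // ENTRY.size

# Constructed sample contents; nothing here is real account data.
SECRETS = [
    b"login: child_example password: fluffy",
    b"oauth_token=CONSTRUCTED-SAMPLE-TOKEN-0001",
]


def new_flash() -> bytearray:
    return bytearray(FLASH_SIZE)


def write_file(flash: bytearray, data: bytes) -> None:
    """Store data at the next block-aligned free offset and record it in the index."""
    next_off = TABLE_SIZE
    for i in range(MAX_ENTRIES):
        off, length = ENTRY.unpack_from(flash, i * ENTRY.size)
        if length == 0:                                  # free index slot
            if next_off + len(data) > FLASH_SIZE:
                raise ValueError("flash full")
            flash[next_off:next_off + len(data)] = data
            ENTRY.pack_into(flash, i * ENTRY.size, next_off, len(data))
            return
        end = off + length
        next_off = max(next_off, (end + BLOCK - 1) // BLOCK * BLOCK)
    raise ValueError("index full")


def list_files(flash: bytearray) -> list:
    """What the normal file API shows: only what the index still references."""
    files = []
    for i in range(MAX_ENTRIES):
        off, length = ENTRY.unpack_from(flash, i * ENTRY.size)
        if length:
            files.append(bytes(flash[off:off + length]))
    return files


def factory_reset_index_only(flash: bytearray) -> None:
    """Model of the ineffective reset: the index is cleared, the data region is not."""
    flash[:TABLE_SIZE] = bytes(TABLE_SIZE)


def overwrite_wipe(flash: bytearray) -> None:
    """Model of a real wipe: every byte of the image is overwritten."""
    flash[:] = bytes(FLASH_SIZE)


def carve_strings(flash: bytearray, min_len: int = 8) -> list:
    """Crude carving: printable ASCII runs read from the raw image, ignoring the index."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, bytes(flash))


def residual_secrets(flash: bytearray, secrets=SECRETS) -> list:
    """Post-wipe check: which known contents still appear anywhere in the raw image."""
    raw = bytes(flash)
    return [s for s in secrets if s in raw]


def xor_image(flash: bytearray, key: bytes) -> None:
    """Stand-in for the device's disk encryption: HMAC-SHA256 keystream in counter
    mode XORed over the whole image. A model for this example, not Android's cipher;
    the point is only that the key decides whether the flash is readable."""
    ks = b"".join(
        hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        for ctr in range(FLASH_SIZE // 32)
    )
    flash[:] = bytes(a ^ b for a, b in zip(flash, ks))


def scenario_index_only_reset() -> dict:
    flash = new_flash()
    for s in SECRETS:
        write_file(flash, s)
    factory_reset_index_only(flash)
    return {"listed": list_files(flash), "carved": carve_strings(flash),
            "residual": residual_secrets(flash)}


def scenario_overwrite_wipe() -> dict:
    flash = new_flash()
    for s in SECRETS:
        write_file(flash, s)
    overwrite_wipe(flash)
    return {"carved": carve_strings(flash), "residual": residual_secrets(flash)}


def scenario_encrypt_then_reset(key: bytes = b"constructed-device-key") -> dict:
    """Encrypt an already-populated tablet, then reset. With the key discarded the
    raw flash carries only ciphertext; had the key survived, the data would too."""
    flash = new_flash()
    for s in SECRETS:
        write_file(flash, s)
    xor_image(flash, key)                  # encrypt in place
    factory_reset_index_only(flash)        # the reset that should also destroy the key
    without_key = residual_secrets(flash)
    recovered = bytearray(flash)
    xor_image(recovered, key)              # what a surviving key would still allow
    return {"residual_without_key": without_key,
            "residual_with_key": residual_secrets(recovered)}


if __name__ == "__main__":
    print("index-only reset:", scenario_index_only_reset())
    print("overwrite wipe:  ", scenario_overwrite_wipe())
    print("encrypt + reset: ", scenario_encrypt_then_reset())
```

Running it shows the file listing empty after the index-only reset while carving the raw image still returns both sample strings, nothing left after the full overwrite, and nothing recoverable after encrypt-then-reset unless the key is still available, which is why the reset must overwrite the keys rather than just the index.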
However, a broken tablet is nearly worthless anyway. If the data wasn't wiped before it broke, it should not be sold.
Don't sell old tablets unless you can be certain the data is wiped. Never sell broken tablets. For some people it's too late though. If someone you know has sold a used tablet and is concerned that they didn't wipe the data effectively: at the least advise them to change their passwords, particularly for social networks and Google Play accounts. They may not be able to get that device and data back but password changes should prevent continued access to their online accounts.
Fortunately, several retailers are now refreshing their tablet offerings, and are building in much better security, encryption by default and decent wipe functions, which should make this less of an issue for the next generation of Android tablets.
Contributed by Ken Munro, Partner, Pen Test Partners