Naked Security

Nook 7 tablet updated to neutralise ADUPS fear, says Barnes & Noble

Customised Android tablet 'still a security concern', warn observers

Desperately casting around for a last-minute gift? Too sticker-shocked by the price to get an iPad or Kindle Fire HD?

You may be relieved to learn that the $50 Barnes & Noble Nook Tablet 7, which was shipping with Adups backdoor-planting firmware preinstalled, has got a fix.

Sort of. Hold on to your wallets: some say you still shouldn’t buy it, since the tablet is still vulnerable to an even more serious exploit than the Adups adware/spyware: namely, Stagefright.

From Android Central (link added):

There are plenty of reasons to still not buy this tablet. Beginning with the fact that it’s still 100% vulnerable to CVE-2015-6616. In human language, that means the Stagefright exploit. The Android version (6.0 in this case) should be at least partially patched, but there are security updates for the processor which have not been applied.

You might remember Stagefright as the collection of eight vulnerabilities rolled up under one good, scary name.

Stagefright was one of a collection of big security holes – the worst, actually – discovered in Android last year that motivated Google to start issuing monthly security updates for the OS. Samsung did the same.

As we noted last month, Adups was recently found on several Android models, where it was pushing text messages, call logs, contacts, location information and more to a company in China, bypassing the Android permission model and executing remote commands with escalated system privileges.

The same Adups firmware has been shipping preinstalled on the Nook 7, as researcher Charles Fisher detailed in a Linux Journal post published on Tuesday.

Following a flurry of media attention, Barnes & Noble reached out to 9to5Google to say that it pushed out a software update to all Nook devices prior to sales.

The newer version of the firmware, Adups 5.5, doesn’t break Google’s security requirements, Barnes & Noble says. Adups has also confirmed that it hasn’t been harvesting user data from Nook 7 units.

Barnes & Noble also said in its statement that it’s working on an update to completely remove Adups from the tablets:

Barnes & Noble Chief Digital Officer Fred Argir:

NOOK Tablet 7” went on sale on November 26. By that time, the device automatically updated to a newer version of ADUPS (5.5), which has been certified as complying with Google’s security requirements, when first connected to Wi-Fi. ADUPS has confirmed to Barnes & Noble that it never collected any personally identifiable information or location data from NOOK Tablet 7” devices, nor will it do so in the future.

Finally, we are working on a software update to remove ADUPS completely from the NOOK Tablet 7”. That update will be made available to download within the next few weeks, but in the meantime customers can rest assured that the device is safe to use.

If you want, and if you have the technical chops, you can decompile Adups to make sure the backdoor is truly closed.

Alternatively, you can trust what Barnes & Noble and Adups are now telling us.

Or, you can spend $50 on Edwin, the Smart Duck.

He’s soft. He’s yellow. He’s waterproof and Bluetooth-enabled.

And we haven’t yet received reports of duck-enabled surveillance on kids.


1 Comment

As the author of the Linux Journal article, I can confirm that I pulled ADUPS 5.2 off my BNTV450 on 12/16 for version analysis after spending extended time online with the tablet over several days.

This software was not updated on November 26th.

I understand that if I let the tablet online now, updates to this file will be applied. I will be refraining from that for the indefinite future.
