Hudl tablet

Researchers claimed to have found a security flaw in Tesco’s Hudl tablet

Tesco’s Hudl tablet made headlines for the wrong reasons over the weekend, with the news that a security flaw meant that users’ sensitive data could retrieved even after performing a factory reset on the device.

The BBC teamed up with researcher Ken Munro of Pen Test Partners to test 10 secondhand Hudls bought from eBay. By exploiting a flaw in the tablet’s processor, Munro was able to extract PIN codes to unlock devices as well as Wi-Fi keys, cookies and other browsing data that could be used to sign in to a website as the tablet’s original owner.

“At the moment, I do not think the Tesco Hudl is really suitable to put any data of any sensitivity on. Putting passwords on there, into browsers, is really asking for trouble,” said Munro, in a video demonstration of the Hudl flaw. “If it’s stolen, PIN-locked or not, someone’s going to get your data off it.

“It’s a really cool device with entry-level Android hardware. But unfortunately, with cheapness comes some problems with security.”

Tesco said: “Customers should always ensure all personal information is removed prior to giving away or selling any mobile device. To guarantee this, they should use a data wipe program.” A spokesman added that any device returned to the retailer would be wiped securely, while consumers could get more information from the government’s Get Safe Online website.

It’s worth noting that although the Hudl was singled out in this study, Android devices in general have attracted criticism for not completely wiping user data. In July, software company Avast was able to recover some 40,000 photos, 750 emails and 250 contact names from just 20 Android phones it bought on eBay that had supposedly been wiped. The problem arises because phones don’t always wipe your data when you think you’re wiping it – they just erase the index system used to find that data. The data stays on your phone until it is eventually overwritten.

The Hudl, lest we forget, flew off the shelves on its release last September (mark II is due this autumn). It’s only now, with those first devices coming up to a year old, that they are starting to appear on auction sites, as consumers look to upgrade – in the process exposing the problem outlined by Munro.

Warnings about processor security and Wi-Fi keys may seem a little obscure to people in the grocery sector, but they are a reminder that in its efforts to corner the digital customer, Tesco is exposing itself to the sort of PR problems usually experienced by consumer tech companies (and government employees who leave laptops on trains).

Some pundits will no doubt be thinking it was all a lot simpler when Tesco’s main job was to pile ‘em high and sell ‘em cheap – and some may be wishing fervently it would stick to this game. But this Hudl headache is the sort of thing Tesco will have to weather if it’s serious about being a digital player.