Tesco Hudl and other Android devices contain 'factory reset' data retention flaw
Firmware error is to blame, say security experts
Tesco's hugely successful Hudl and other Android devices have been found to contain firmware glitches that prevent data from being truly wiped by a factory reset.
The errors on Hudl were discovered by the BBC, which worked with security experts at Pen Test Partners to try to recover data from 10 factory-wiped Android devices purchased from auction site eBay.
The Tesco Hudl's vulnerability was found in its Rockchip system-on-chip (SoC) processor, which allows firmware information to be read as well as written.
As a result, usernames and passwords, WiFi keys, device PINs and cookies could all be recovered, effectively allowing new users to imitate old users, and gain access to the same applications and destinations from the device's internet browsing history.
Tesco's response to the discovery was simply to state that "customers should always ensure all personal information is removed prior to giving away or selling any mobile device. To guarantee this, customers should use a data wipe program."
Tesco did not specify a particular program, but said it would be happy to safely factory reset any devices sent directly back to the company.
The next version of Android, 5.0 (codenamed L), is expected to enable data encryption by default, as opposed to the current user-controlled setting.
Currently, it seems that a general data wipe on most Android devices, like a high-level format of a hard drive, removes only the index to the data and not the data itself. However, accessing the unindexed data would still require the use of special tools and techniques.
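
The gap between removing the index and removing the data, as an added example that is not from the article, Tesco or Pen Test Partners: a constructed toy storage image is checked for known marker values after an index-only reset and again after a full overwrite. The image layout, file names and marker values are all assumptions made for illustration, not the Hudl's or Android's real on-disk format.

```python
# Toy model (constructed): block 0 is an index of "name:block" entries, the
# remaining blocks hold file data. Not a real Android or Hudl storage layout.
BLOCK, BLOCKS = 64, 8

# Constructed sample records standing in for the data types the article lists.
CANARIES = {
    "wifi.conf": b"psk=CONSTRUCTED-WIFI-KEY",
    "cookies.db": b"session=CONSTRUCTED-COOKIE",
    "lock.key": b"pin=0000-CONSTRUCTED",
}

def build_image(files):
    """Write each file to its own data block and record it in the index block."""
    img = bytearray(BLOCK * BLOCKS)
    index = []
    for blk, (name, data) in enumerate(files.items(), start=1):
        img[blk * BLOCK: blk * BLOCK + len(data)] = data
        index.append(f"{name}:{blk}")
    entries = ";".join(index).encode()
    img[0:len(entries)] = entries
    return img

def list_files(img):
    """What the operating system shows: only names still present in the index."""
    raw = bytes(img[:BLOCK]).rstrip(b"\x00").decode()
    return [entry.split(":")[0] for entry in raw.split(";") if entry]

def index_only_reset(img):
    """Model of a reset that clears the index but leaves the data blocks alone."""
    img[:BLOCK] = bytes(BLOCK)

def overwrite_wipe(img):
    """Model of a wipe that overwrites every block in the image."""
    img[:] = bytes(len(img))

def residual_canaries(img, canaries):
    """Post-wipe check: which known markers are still present in the raw image?"""
    raw = bytes(img)
    return sorted(name for name, data in canaries.items() if data in raw)

def audit():
    """Return (visible files, residual markers) after each kind of wipe."""
    img = build_image(CANARIES)
    index_only_reset(img)
    after_reset = (list_files(img), residual_canaries(img, CANARIES))
    overwrite_wipe(img)
    after_wipe = (list_files(img), residual_canaries(img, CANARIES))
    return after_reset, after_wipe
```

After the index-only reset the device lists no files, yet every marker is still found in the raw image; only the full overwrite leaves nothing behind.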