Several top-selling Android tablets made for children have serious security flaws that could expose kids to malware and identity theft, a new report from a mobile security provider finds. Unpatched software vulnerabilities and hidden "backdoors" appear to be common, and some tablets even transmit childrens' names, birthdates and photos across the Internet in plain text, exposing youngsters to greater risk of identity theft.
The report, released today (Feb. 24) by San Francisco-based Bluebox, ranks the Fuhu Nabi 2 best in class out of nine tablets evaluated, yet notes that the Nabi barely scored above a 5 on Bluebox's 10-point trustworthiness scale. Two other devices, iDeaUSA's iDeaPLAY and Chromo Inc.'s Orbo Jr., each scored below 3. (Amazon's Fire HD Kids Edition was not evaluated.)
"You get what you pay for in terms of data privacy and security," the Bluebox report said, noting that some of the cheaper devices came with development builds of Android that were insecure by design. But even the more expensive models had well-known Android security vulnerabilities, and all but two used third-party app stores unauthorized by Google.
MORE: Best Android Antivirus and Security Apps
In addition to the Nabi 2, iDeaPLAY and Orbo Jr., the devices tested were the Contixo Kids 7, the iRulu Kid Pad, the Kurio 7s, the ProntoTec 7-inch WiMo, the Southern Telecom Smartab and the Sprout Channel Cubby. All were the latest models available in early 2015; all complied with the 1998 Children's Online Privacy Protection Act (COPPA), which requires parental authorization for online activities.
On each device, Bluebox researchers ran the company's own Trustable app, which scans devices for known system vulnerabilities, insecure configurations and "excessive device population" — too many apps with dangerous permissions, such as root access or the ability to send text messages.
Bluebox gave the Fuhu Nabi 2, which retails for about $140, a Trustable score of 5.3 out of 10 — and that was only after installing two system updates once the device came of the box. (By comparison, in a November study of regular Android tablets, Bluebox gave the HTC Nexus 9 a perfect 10 and the Samsung Galaxy Tab 3 Lite an 8.6.)
Like many kids' tablets, the Nabi 2 lets parents set up multiple accounts. It becomes COPPA compliant when parents provide an email address or pay a token 50 cents, but the Bluebox researchers "noticed some odd behavior regarding the child account setup and retrieval."
For each child's account, the child's name, date of birth, gender and photo are transmitted to Fuhu's servers, which are hosted by Amazon's enterprise services, yet "the photos are stored on Amazon S3 and are not protected by any authentication or encryption," Bluebox's report says. "Basically, if you had the URL (acquired directly via network traffic analysis), you can easily grab the images."
In contrast, the iDeaPLAY tablet, which sells for about $90, got only 2.7 out of 10, less than half the Nabi 2's Trustable score, due to engineering backdoors and USB debugging being enabled, either of which could give root or administrative access to unauthorized persons. (The Contixo Kids 7 had the same issue.) On the bright side, the iDeaPLAY didn't transmit any personally identifiable information.
"The iDeaPLAY is a good example of what we typically find with cheaper tablets that ship with test builds of the Android operating system that include the Android Open Source Project (AOSP) signing key," the report said.
All nine devices were vulnerable to three well-documented Android flaws: the Futex bug, the ObjectInputStream flaw and the BroadAnywhere vulnerability. Except for the Nabi 2, each device was also vulnerable to the FakeID flaw, and the Kurio 7s and the iDeaPLAY were also vulnerable to the MasterKey flaw. All these vulnerabilities were patched by Google months ago.
The overall Trustable score for each device was: Contixo Kids 7, 4.0; iDeaPLAY, 2.7; iRulu Kid Pad, 3.9; Kurio 7s, 4.5; Orbo Jr., 2.9; Nabi 2, 5.3; ProntoTec 7 -inch WiMo, 3.9; Smartab, 4.5; Sprout Channel Cubby, 4.5.
- How to Avoid Tax-Return Identity Theft
- Do You Really Need a Third-Party Android Security App?
- Synthetic Identity Theft: How Crooks Create a New You
Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.