back to article Giving your old Tesco Hudl to Auntie June? READ THIS FIRST

UK supermarket Tesco’s Hudl tablet will offer up data from past users – even if it’s been factory reset. The Register spoke to Ken Munro from security firm Pen Test Partners, who said he'd bought 17 Hudls and AllWinner tablets from eBay and found that not only does the reset process not wipe all the data, it’s possible to …

  1. Mike Bell


    It might be an idea to encrypt all data by default. Then the wipe process merely involves destroying the private encryption key, which takes no time at all. Like my iPad does.

    1. Steve 53

      Yes, because a £100 tablet should have all the features of a tablet which is 3-5x the cost.

      As stated in the article, the CPU doesn't have hardware crypto - or enough grunt to do it on software

      1. Lionel Baden
        Thumb Down

        wow the downvotes already for a acceptable reply to an unfair comparison.

        the fanbois are out in force !!!

        Have an upvote on me

      2. Mike Bell

        Not all the features of a high end device are required on a bargain basement tablet. But a wipe operation that doesn't do the job is less than a feature. It's a bug. And a pernicious one at that.

    2. goldcd

      Unless Hudl have disabled it

      There should be an option to encrypt all your data.

      Why this isn't turned on by default is maybe an argument - but this still falls into the category of 'user error'

  2. Anonymous Coward
    Anonymous Coward

    Buy cheap

    pay twice

    Once for the original product and once again when someone buys your tablet second hand and lifts all your card details

    1. MyffyW Silver badge

      Re: Buy cheap

      Follow your sentiment and agree they're usually cheap for a reason, but to be honest I'm hesitant to trust my card details to any android slab. All those apps that keep asking for the front door key, tut tut.

  3. PaulM 1

    Its not difficult to wipe 99% of the data from a device

    The best way to wipe an Android device is to do a factory reset, completely fill the device with music or video podcast files and then do another factory reset. There may be fragments of old directory information left left but the majority of the data will be gone. This works because each location in flash memory can only contain data from one file and so when a device is full then to all intents and purposes the old data has gone.

    1. Richard Taylor 2
      Paris Hilton

      Re: Its not difficult to wipe 99% of the data from a device

      But it's the <1% that you need to be worried about. I don't know how the Hudl for example reserves particular parts of the memory for system/secure data rather than general user data - photos, music etc.. But this might represent a significant hole? Perhaps someone who has more knowledge of the lower levels of these tablets might comment?

    2. hammarbtyp

      Re: Its not difficult to wipe 99% of the data from a device

      Actually the best way is to do a factory reset, followed by placing it in a industrial crusher and burying the results in a foot of concrete.

      But I admit your way may leave it more resellable (What do you mean you want to return it? I said it was complete, not assembled. And the concrete will make a very nice garden feature)

      1. Steve 53

        Re: Its not difficult to wipe 99% of the data from a device

        But hey, you've got to do that 3-5 times before you're out of pocket

      2. Gene Cash Silver badge

        Re: Its not difficult to wipe 99% of the data from a device

        Or when the screen shattered on my Nexus 4, put a .30-06 round through it at 50 feet. I wish I'd had a slo-mo of that. It was magnificent.

    3. Arachnoid

      Re: Its not difficult to wipe 99% of the data from a device

      Depends where system cache and password files are stored on Android devices they may be in a different memory area to general music storage.Even if in the same srea I doubt the device would allow full memory use before baulking with some form of memory error.

  4. MrWibble

    And formatting a PC hard drive doesn't securely wipe it either. Is this really news, or just someone trying to sell their product?

    1. Kay Burley ate my hamster

      "And formatting a PC hard drive doesn't securely wipe it either. Is this really news, or just someone trying to sell their product?"

      MrWibble, I was thinking the same, I'd use 3rd party software to zero a drive the same as I would a phone or tablet or Mac...

    2. ThomH

      The device has a feature called 'factory reset' that doesn't reset it to a factory state. That's different from having a feature called 'format the hard drive' which establishes the correct formatting on a hard drive. The first feature doesn't do what it promises, the second does what it promises but is sometimes falsely assumed to do something else as well.

      That being said, it sounds like an easy bug to fix. A quick pop-up to explain that if the purpose is to remove confidential information then a full erase should be performed which will take X minutes rather than Y seconds and a couple of buttons would do it. It's such a fringe feature that it's probably not worth investing more time in than that.

      1. goldcd

        I agreed

        I'm a great big android fan-boy, but there's plenty of stuff that annoys me, and stuff like this is one of those things.

  5. xyz Silver badge

    we had a similar problem with an old Kindle...

    ...that had been in the bath once too often. The only thing we could do with it was use an angle grinder and a lump hammer. Happy days.

    1. TitterYeNot

      Re: we had a similar problem with an old Kindle...

      "The only thing we could do with it was use an angle grinder and a lump hammer."

      What, no attempt to answer the ultimate question, 'Will it blend'?

      1. Martin-73 Silver badge

        Re: we had a similar problem with an old Kindle...

        Dear god, i nearly choked, thanks!

  6. Anonymous Coward
    Anonymous Coward


    Cryptolocker from Windows. That keeps your files safe.

  7. Anonymous John

    But you'd lose the previous owner's porn stash.

  8. Destroy All Monsters Silver badge


    Segue into a randomly tacked-on and entirely believable Hollywood slasher scenario aka. "OMG STALKERS! Will nobody think of the CHILDREN"...?

    Credibility lowered by serious amount.

  9. Anonymous Coward
    Anonymous Coward

    My Auntie June

    isn't into resurrecting deleted files, and stealing my log-ins, she has to be shown how to switch the tablet on, and wants to read her facebook and listen to Classic fm over the internet.

    Anyone more savvy is unlikely to be using a Hudl to own people.

    And if there is a person stalking a child, waiiting for the kid's parents to resell the kid's Hudl on ebay, let's go round their house and burn 'em out

  10. Irongut

    Its for the freaking children!

    This guy lost any credibility he had when he played the paedo card.

    1. goldcd

      Oh hush

      He clearly couldn't find any Islamic-tainted beheading videos, so he had to pick on this.

      The entire security establishment is crying out for something non-think of the children/terrorist to justify snooping.

      *personally* I think they should just go for the "android let me see your girlfriends tits" - but I'm not representative.

  11. Alan Denman

    Same as a PC

    Because it is a PC !

    So use simple wipe software, like a PC.

    This is very old PC news dressed up as if it is something new.

    1. John Brown (no body) Silver badge

      Re: Same as a PC

      "This is very old PC news dressed up as if it is something new."

      Well, yeah, it's "on a mobile device" innit.

      1. Pookietoo

        Re: "on a mobile device"

        Excellent. :-)

  12. Anonymous Coward
    Anonymous Coward


    How are the redundant "over-used" faulty areas erased on the flash storage?Are they hidden from user programs - or even the O/S?

    1. Toastan Buttar

      Re: Flash

      It all depends on the firmware in the Flash controller. I suspect that any faulty areas will be marked as unreadable, but would doubt that it'd go much beyond that. For example, performing an erase on a bad area WOULD wipe any stored info permanently, but I don't think any but the most paranoid, security-specific FW would go that extra yard.

      If you run a zeroing utility on a spinning rust HDD, will it attempt to overwrite excluded bad blocks as well as the 'good' data / directories?

    2. Pookietoo

      Re: Flash

      Addresses are translated by the flash controller, this is transparent to the OS. AIUI you'd need to reflash the firmware or replace the controller chip to gain access to the raw storage, although it's possible that there's an "engineering mode" the manufacturers aren't telling us about.

  13. stu 4

    ken arsehole monroe

    ok.. I want to get some publicity from this crappy story.. what can I do…


    staklers…yeh yeh that'll do it.


  14. brooxta

    It's not your auntie June you should be worried about

    ... it's who she passes it on to afterwards.

    After all, auntie June is probably not going to have the elite hacker skills necessary to discover the undeleted files on the (emulated) sdcard. So you're safe for now. But only until she sells it on eBay for ££.99 (excl p&p).

    And then you're both done for...

  15. heyrick Silver badge

    Started off a logical enough article...

    ...after all, a factory reset that doesn't is pretty poor, especially if there is no obvious (non-geek) way to wipe important data from the machine.

    Then Mr. Munro makes the illogical leap from a badly wiped tablet sold on eBay to providing information for weirdos to stalk your children (the obvious question is that this only means a damn if the purchaser is a kiddie stalker, has the knowledge of how to get into the device, and most importantly of all, lives nearby). As if this wasn't bad enough, somehow having end user information on a cheap supermarket tablet will automagically help a stalker avoid a police sting? How is this? Will it start playing the theme tune from The Bill whenever a cop car drives by?

    Mr. Munro, you might have had a good and convincing argument if you warned adults about their login details, credit card information, etc being potentially accessible by the person the tablet is sold on to. But this half-assed "think of the children"? That's an even more desperate attempt than one would expect to see in The Daily Mail. So go away. Very far away. Preferably in a coffin. Thank you.

  16. Truth4u

    I'm struggling to understand Munro

    "It also helps the stalker avoid a police sting – a copper would not be using a cheap tablet to sting a stalker with! They would be using a carefully managed and secured PC in a police building somewhere."

    I'm not exactly sure what is his point here?

    Is he really scared of stalkers trawling eBay for old tablets in the hope some kiddie left it logged into Facebook? Start with the basics: every child in this country must attend school by law. So where do you think the children are? Doesn't need a fuckin social media account to figure out how to find kids.

  17. Ian Johnston Silver badge

    I was beyond fuming

    He points out that cheap tablets are often bought for children and by selling on a tablet which has the child’s social network data, the parent might be unwittingly aiding a stalker who could use the identity of the child to stalk other children

    He appears to be channelling the collective mind (using the term loosely) of Mumsnet.

  18. FunkyEric

    Can I patent this idea as it's on a mobile platform now?

  19. paul 194

    when you sell the device change you pass words it not hard, thats google facebook and the so on .

    no stalking then .it wont log in, the old certificates will be out of date. job done .

  20. DaddyHoggy

    My daughter's Hudl stopped recharging - the microUSB port died (apparently this happens a lot to pre-Christmas rush Hudls). By the time I noticed it was almost out of charge - so I ported off what I could to the microSD card and then performed a Factory Reset - surprised that it didn't take very long - but since the battery finally completely expired a few minutes later, I didn't get chance to do much else with it.

    It then went back to Tesco for a warranty replacement.

    Have changed account passwords (as I had the admin acct on it, I changed hers and mine Google logins for example) - so hoping that even if this unit does get refurb'd, and the factory reset is potentially ineffectual, nobody will be able to login with the account details stored on the device.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like