It’s in May year, Alexis Hancock’s daughter got a children’s tablet for her birthday. As a security researcher, Hancock was immediately concerned.
“I’m kind of looking at it sideways because I’ve never heard of Dragon Touch,” Hancock told TechCrunch, referring to the tablet maker.
As it turns out, Hancock, who works at the Electronic Frontier Foundation, has good reasons to be concerned. Hancock said she knew the tablet had several security and privacy issues that could have put her daughter’s and other children’s data at risk.
The Dragon Touch KidzPad Y88X has traces of a known malware, runs a version of Android released five years ago, comes pre-loaded with other software considered malware and a “potentially not desired program” because of “its history and widespread. system-level permission to download any application it wants,” and includes an older version of an app store designed for those child, according to Hancock’s reportwhich was released on Thursday and was seen by TechCrunch ahead of its publication.
Hancock said he reached out to Dragon Touch to report these issues, but the company never responded. Dragon Touch also did not respond to TechCrunch’s questions.
The first worrisome thing Hancock said he found on the tablet was traces of the presence of Corejava, which in January cybersecurity firm Malwarebytes analyzed and concluded to be malicious. Also this year, the Electronic Frontier Foundation and independent security researchers discovered the same type of malware embedded in the software of low-cost Android-powered TVs. The good news, Hancock said, is that at least the malware appears to be inactive, and programmed to send data to dormant servers.
According to Hancock’s technical reportthe tablet also comes pre-loaded with Adups – the same software found on Android TVs – which is used to perform “firmware over the air” updates. Malwarebytes classifies Adups as malware and a “potentially unwanted program” for its ability to automatically download and install new malware from the internet.
Finally, the tablet has a pre-installed and outdated version of the KIDOZ app, which serves as an app store that allows parents to set parental controls and children to download games and apps. The app store “collects and sends data to ‘kidoz.net’ on the use and physical characteristics of the device. This includes information such as device model, brand, country, timezone, screen size, view of events, click events, time logging events, and a unique KID ID,” Hancock reports.
KIDOZ founder Eldad Ben Tora told TechCrunch that the app is certified to comply with COPPA, the US federal law that carves out certain online privacy protections for children, and that the app ” has undergone a rigorous review process in an FTC-approved COPPA Safe Harbor Program called PRIVO, which includes a thorough review of our data collection, storage, and usage practices.
“This process ensures that our services fully comply with COPPA requirements, primarily to protect children’s privacy,” Ben Tora told TechCrunch.
The Dragon Touch tablet analyzed by Hancock was previously sold on Amazon until this week, when the listing was dropped and replaced by a listing for the same tablet, which claimed the tablet was running Android 12, due out in 2021. . the listing, however, says that the tablet runs Android 10, which was released in 2019.
It’s unclear how popular these tablets are, but Amazon listings show more than 1,000 reviews.
Amazon spokesman Adam Montgomery told TechCrunch in an email that the company is “looking into these claims, and will take appropriate action if necessary.”
The Dragon Touch tablet will also be available at Walmart through this week. After TechCrunch reached out to the company, Walmart removed the listing from its website.
“We have removed this third-party item from our site while our Trust and Safety department conducts a review,” Walmart spokesman John Forrest Ales said in an email. “Like other major online retailers, we operate an online marketplace that allows outside third-party sellers to offer merchandise to customers through our eCommerce platform. We expect these items to be safe, reliable, and comply with our standards and all legal requirements. Items found not to meet these standards or requirements will be immediately removed from the website and remain blocked.
Do you have more information about other defects in popular devices? We love hearing from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase, and Wire @lorenzofb, or email. You can also contact TechCrunch through SecureDrop
Dragon Touch is listed on the official Android website as a “certified” device that has been “tested for security and performance.”
Google spokesman Ed Fernandez told TechCrunch via email that the company is “fully evaluating the claims in this report to determine whether the manufacturer’s device meets the required security standards for. Play Protect certification.”
Children’s internet-connected products have long been a target for hackers. In 2015, a hacker broke into VTech’s servers, a consumer electronics company that makes gadgets for kids. The hack resulted in the theft of the personal information of nearly five million parents, including names, email addresses, passwords, and home addresses, and the personal data of over 200,000 children, including names , gender and birthday. The hacker got it too thousands of pictures of parents and children and a year’s worth of chat logs.
After doing her research, Hancock said she had to keep the tablet because her daughter was attached to it on a trip with her cousins. But Hancock didn’t return her daughter’s tablet until after making changes to protect her daughter’s privacy.
“I told him why I got his tablet, and why it took me so long without him. I told him that it’s sick, it has a virus, and I need to get it right and I need to take it to the doctor ,” Hancock said.
In practice, Hancock said he “nuked everything” he could.
First, Hancock said he installed a VPN profile on the tablet on a private server running Pi hole, an ad blocking software; then, she limits the number of apps her child can use; redirected DNS — the internet system that connects IP addresses to domain names, for “any problematic domains;” and even installed Tor, a browser designed to protect its user’s anonymity.
Hancock, however, said parents don’t have to do all of this to protect their children’s privacy, especially since not everyone has the technical chops, or time, to research the issues of cybersecurity and privacy of their children.
“Parents can’t do much,” he said. “And really, it shouldn’t be left up to them.”