Barnes & Noble began outsourcing its Nook e-readers a few years ago after a partnership with Samsung, and its latest $50 Nook 7 Android tablet, announced last month, shows how that has worked out. The new device includes ADUPS, a firmware that sends user data back to the manufacturer or an interested hacker. This is the same malware that researchers found on cheap Blu tablets and phones last month.
The manufacturer claims to have patched the malware in current products, but it seems the new B&N Nooks are still running the old software. ADUPS allows full data access on the device as well as command-and-control privileges, including remote software installation and automatic updates without user permission.
How bad is it?
These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices… The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users’ consent and, in some versions of the software, the transmission of fine-grained device location information.
The Digital Reader is recommending that users return their Nooks and notes that B&N has a holiday return policy that lets you send items back until January 31.
UPDATE – B&N Writes:
NOOK Tablet 7” went on sale on November 26. By that time, the device automatically updated to a newer version of ADUPS (5.5), which has been certified as complying with Google’s security requirements, when first connected to Wi-Fi. ADUPS has confirmed to Barnes & Noble that it never collected any personally identifiable information or location data from NOOK Tablet 7” devices, nor will it do so in the future.
Finally, we are working on a software update to remove ADUPS completely from the NOOK Tablet 7”. That update will be made available to download within the next few weeks, but in the meantime customers can rest assured that the device is safe to use.
Fred Argir, Chief Digital Officer