B and N says they already fixed the NOOK malware issue, but….

Yesterday I posted a story about the new NOOK branded tablet coming with malware pre-installed. Barnes and Noble says that the device had already been updated prior to its initial sale and that a new update to remove it completely is forthcoming. Here’s their response to 9 to 5 Google’s request for comment:

“NOOK Tablet 7” went on sale on November 26. By that time, the device automatically updated to a newer version of ADUPS (5.5), which has been certified as complying with Google’s security requirements, when first connected to Wi-Fi. ADUPS has confirmed to Barnes & Noble that it never collected any personally identifiable information or location data from NOOK Tablet 7” devices, nor will it do so in the future.

Finally, we are working on a software update to remove ADUPS completely from the NOOK Tablet 7”. That update will be made available to download within the next few weeks, but in the meantime customers can rest assured that the device is safe to use.” – Fred Argir, Chief Digital Officer

The problem with this is that Charles Fisher, the engineer who broke the story on Linux Journal, says that ADUPS 5.5 is not the version that was on the NOOK BNTV450.

A new Android Central article notes that the shipping version for the tablet was Evidently, there was some sort of an update, as their post goes on to note that “the version in the update file we received last night is 6.0.” While they state that the update should solve the ADUPS problem, they are still saying avoid this one:

But there are plenty of reasons to still not buy this tablet. Beginning with the fact that it’s still 100% vulnerable to CVE-2015-6616. In human language, that means the Stagefright exploit. The Android version (6.0 in this case) should be at least partially patched, but there are security updates for the processor which have not been applied.

The bottom line is that there is just too much uncertainty about this tablet. I am sending mine back. From comparing them side by side, the $50 Fire 7″ was faster anyway….

Photo © The Ebook Evangelist

6 thoughts on “B and N says they already fixed the NOOK malware issue, but….

  1. I think B&N really meant that the 12/17 OTA firmware update updates ADUPS 5.5 or later (6.0 as Android Central say) and so removes that spyware functionality. All the hardware in the stores has the Oct 2016 firmware (the RTM firmware).

    My Nook notified me of an update yesterday and I took it today. The release notes don’t mention ADUPS but there are a lot of unmentioned changes (e.g. Chrome moves from 53 to 54).

    B&N also said that “in a few weeks” we’ll see a version of the firmware without ADUPS at all. They’ll manage their OTA firmware updates some other way. It seems that B&N recognize the issue though I’d like them to be a bit more prompt with it (though part of that might be finding another firmware OTA provider or setting up the infrastructure in their own IT to do it).

    • Kevin, interesting point about what Barnes and Noble meant. Even Android Central said they thought the update should fix the problem. Are you keeping yours?

      I think everybody needs to decide if the risk is worth it to them for $50. Personally, I don’t want to have to trust them if they were careless enough to let this be installed in the first place. I was interested in a cheap tablet that had the Play store. The hassle of worrying about this is not worth it to me. For folks who are not tech savvy, this kind of thing could be a real nightmare. 🙂

      • I still have my one and intend to keep it. A vanilla Android device for $50 is not bad.

        I did not put any “critical” credentials on the device until the ADUPS software was removed.

        B&N pushed a firmware update to use the Google firmware OTA updater on Jan 8 2017 rather than the ADUPS firmware OTA. The Nook 7″ should now be free of any ADUPS software (as promised). Future firmware OTA updates will come from B&N via Google’s infrastructure which I trust a lot more than “some company” in China. I would like to know where B&N devs are based (are they in Shanghai?).

        B&N might be waking up to security issues. Perhaps a fix for CVE-2015-6616 in the media player too? That exploitable bug is more than a year old. If you’re pushing out a new updater then why not take the more recent security bug fixes too.

        Overall, a decently fast response for them especially with the holidays in that gap. It may be that B&N have realized that they have to think about security in their readers. If we could get to monthly updates that would be the goal.

