Barnes & Noble began outsourcing its Nook e-readers a few years ago after a partnership with Samsung, and its latest $50 Nook 7 Android tablet, announced last month, shows how that has worked out. The new e-reader includes ADUPS, firmware that sends user data back to the manufacturer or an interested hacker. This is the same malware that researchers found on cheap Blu tablets and phones last month.
The manufacturer claims to have patched the malware in current products, but it seems the new B&N Nooks are still running the old software. ADUPS allows full data access on the device along with command-and-control privileges, including remote software installation and automatic updates without user permission.
How bad is it?
These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices… The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users’ consent and, in some versions of the software, the transmission of fine-grained device location information.
The Digital Reader is recommending that users return their Nooks and notes that B&N has a holiday return policy that lets you send items back until January 31.