
New Rockchip firmware being released, but who is going to flash my grandma’s tablet?

Ken Munro 22 Aug 2014

RK3188

We’ve heard direct from Rockchip that they are releasing updated firmware for the RK3188 chipset that will fix the flash mode memory read flaw. A new option for a fast but effective wipe of the partition is likely to be included, over and above the standard factory wipe.

That’s great news, though one might wonder why it’s taken well over a year to release a fix. The rkflashtool was released publicly in mid-2013, a trivially easy tool to use to scrape memory. Here’s the bit I struggle with: are the various brands (Tesco, Aldi etc) that sell tablets with the vulnerable Rockchips going to release an update for their customers who have already bought these tablets?

Second, given cheap tablets are often sold to non-tech-savvy users, how do they expect Great Aunt Sally to flash the firmware? If the user doesn’t even have a laptop to connect the tablet to, how are they supposed to flash it? Take it to the store? Post it off somewhere?

I’m pretty techie, and even I struggled a bit with flashing the firmware on my Blu-Ray player recently. Admittedly, most of that was user+beer+RTFM error (rushed it & downloaded the wrong firmware) but to get my grandma to flash her tablet firmware…?

The support overhead and cost of helping 500,000 users update tablet firmware will be enormous. How should the supermarkets and retailers that sold these vulnerable tablets manage that? How hard should they try to convince users to upgrade? Publish a product return? That’s probably a bit much, but how important is it that users protect their data?

I suspect that in the long term, not a great deal will happen. A few more savvy users will upgrade the firmware, but most won’t bother.

More used tablets will be sold on eBay, more users will have their personal data exposed. More users’ social network accounts will be compromised, more users will go through the pain of having their identities stolen.

Conclusion

I think vendors need to keep closer tabs on their suppliers of tablet hardware. Cheap doesn’t always mean secure, though we have seen cheap, secure tablets out there.

They should carry out a more detailed security review of product before launch, and give real consideration towards pushing out updated firmware during the product lifecycle.

I have no idea what margin the supermarkets are making on cheap tablets, but a product recall or well managed firmware update for existing users could easily soak up a lot of this.

What all this indicates is that vendors, in the rush to jump on the tablet bandwagon, still haven’t understood that a tablet is a small computer, which stores personal information and needs to be protected like a computer. This includes support, patching and security.