Samsung's Tizen is riddled with security flaws, amateurishly written

Adjust Comment Print

You can see that nobody with any understanding of security looked at this code and wrote it.

In one of the harshest comments, the researcher said, "Everything you can do wrong there, they do it".

When it was revealed that the US Central Intelligence Agency (CIA) was able to monitor people through their smart Samsung televisions, some small sense of relief was to be found in the fact that any such operation required physical access to an older model from the South Korean manufacturer.

According to Samsung, the open-source Tizen powered 50 million Samsung devices as of November 2016.

According to Neiderman, "It may be the worst code I've ever seen".

While each of the vulnerabilities Neiderman discovered allow for remote execution, one particular flaw stood out among the others, one that allows hackers to hijack Samsung's Tizen app store to deliver malicious code straight to Samsung TVs. Described in some quarters as Samsung's replacement for Google's Android, Tizen is set to appear on multiple new smartphones in 2017 and beyond. Samsung is also inconsistent in its use of encryption, often foregoing that protection at the very moment it's most needed.

Distracted Driving in Chilliwack got the bucket treatment this week
Police will be paying extra attention to enforcing distracting driving laws as part of the national "U Drive". The Connecticut Department of Transportation urges you to put your phone down when you get behind the wheel.

Paul Calatayud, CTO of FireMon, added that the newly found bugs are especially concerning given that USA intelligence agencies were also revealed to have been researching exploits in smart TVs.

Although the TizenStore software authenticates apps before they're installed on a device, Neiderman exploited a vulnerability that let him gain control of apps before they could be authenticated.

The software in question is Tizen, a Linux-based mobile OS similar to Android. Since the store has the highest level of clearance on a Tizen device, this is the "Holy Grail" for hackers as it will allow them to "update a Tizen system with any malicious code [they] want".

This pretty much means that Tizen is a hacker's dream come true. Amihai Neiderman, head of research at Equus Software, has discovered that the Tizen operating system which is used on millions of Samsung smartphones, wearables, and other smart appliances is chock-full of security holes. Tizen's protections against it are insufficient, Neiderman said. He also found that Samsung's programmers failed to use SSL encryption when transmitting certain data and "made a lot of wrong assumptions" regarding security.

Either stop selling IoT devices or immediately switch all of your devices to secure operating systems like Ubuntu Core. We might see the new Galaxy [smartphones] running Tizen, it could happen that soon. "We are fully committed to cooperating with Mr. Neiderman to mitigate any potential vulnerabilities", the company said in a statement.