Samsung's Tizen Android replacement riddled with security holes, claim researchers

Subscribe		
					
					
			Share

Subscribe Share

He said Tizen's code may be "the worst he'd ever seen" and that the people who wrote it "don't have any understanding of security".

In one of the harshest comments, the researcher said, "Everything you can do wrong there, they do it".

The entire world was shocked when Wikileaks uploaded the Central Intelligence Agency exploits documents which showed how the Central Intelligence Agency was able to forcefully access and steal information from a bunch of operating systems including Samsung's smart TV OS. Instead, the security flaw was found in the open-source Tizen software now running on millions of Samsung devices, including cameras, printers, Blu-ray players and refrigerators.

Neiderman, who started looking into Tizen's security after purchasing a Samsung smart TV a year ago, calls the Tizen code the "worst" he has "ever seen". This is the attempt of the South Korean tech company to detach itself from Google's Android software. Samsung is also inconsistent in its use of encryption, often foregoing that protection at the very moment it's most needed. The researcher could infuse malicious code into Samsung's smart TVs without any complications using the app store.

While much of the code is inherited from Tizen's Intel and Samsung predecessor projects, Neiderman says that most of the flaws he found were in the newer code. "It's like taking an undergraduate and letting him program your software", he said.

One of the issues, though, struck the researcher as particularly bad: The TizenStore app, Samsung's storefront for downloading and purchasing new apps, akin to Google Play or Apple's App Store. The irony is that it has the highest level of clearance on a Tizen device. I love Samsung hardware and an own couple of their IoT devices, but I despise their software. According to Amihai Neiderman, a security researcher with Israel's Equus Software, there are more than 40 zero-day exploits that allow malicious users to remotely hack the company's Tizen operating system.

Also, Samsung programmers failed to use SSL encryption for secure connection when transmitting certain data, while applying it for other types of data.

If Neiderman reveals the details of this method of attack in his presentation, owners of Tizen-powered devices may want to take them offline until the vulnerability is fixed.

IBTimes UK has contacted Samsung and will update this article when we receive a reply. "There's a great chance that we'll see [next year's] Galaxy S9 coming with Tizen, and the OS is not mature enough".

Samsung initially responded to Neiderman with an automated email response, but after Motherboard's report the company says it is "fully committed to cooperating with Mr. Neiderman to mitigate any potential vulnerabilities".

Latest News