In today’s age of the Internet of Things (IoT), where almost all our devices are being networked and connected to each other, we need to be extra careful about how susceptible they are to being hacked. This was sharply brought to the fore for Samsung by Israeli researcher Amihai Neiderman, who claims to have discovered as many as 40 previously unknown zero-day vulnerabilities in the company’s home-grown Tizen OS.
Neiderman, in an interview with Motherboard (a sub-division of VICE magazine), stated that Tizen
“may be the worst code I’ve ever seen.”
He further elaborates that these critical bugs and flaws have the potential to allow hackers to control a Tizen-powered device remotely. This comes in sharp relief after WikiLeaks revealed that the CIA had tools that could hack older Samsung Smart TVs and use them for surveillance purposes.
The major issue here is that these flaws allow hackers to take over a device through remote code execution (RCE). The flaw involves Samsung’s TizenStore application, which allowed Neiderman to control the software and deliver malicious code to a TV running Tizen.
He sums it up by saying, “Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software.”
Samsung has heavily pushed its Tizen OS for its appliances instead of relying on Android or Microsoft’s Windows, both of which have been under the scanner. The revelation of these security flaws implies that millions of Tizen-based appliances and consumer electronics on the market, ranging from Smart TVs, washing machines and refrigerators to smartphones, smartwatches and tablets, are potentially vulnerable to being hacked, unless Samsung gets around to plugging these security holes.
Mr. Neiderman says that most of the code base for Tizen is based on Samsung’s earlier OS projects such as Bada, which was shelved in 2013. However, vulnerabilities have also crept into more recent code written in the two years between Bada’s termination and Tizen’s launch. Furthermore, he claims to have discovered that Tizen does not require SSL encryption for securely transmitting data. The code was written in such a way that encryption was used in certain instances but not all, which he says is based on wrong assumptions about where encryption is needed, adding, “It’s extra work to move between secure connections and unsecure connections.”
Most of Samsung’s Tizen-powered devices are found in countries such as Russia, India and Bangladesh, and the company has been trying to incentivise developers to bring them onto the platform. Initially the company did not act on Mr. Neiderman’s findings, but it changed tack once the report was published. For now, Samsung is cooperating on patching the vulnerabilities with his help under the company’s SmartTV Bug Bounty program.
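The mixed use of secure and plaintext connections described above is a pattern defenders can check for mechanically. The following is an added example, not code from Samsung, Tizen or the researcher: a single client helper that refuses any endpoint that is not HTTPS and always builds a certificate-verifying TLS context, so there is no “unsecure” code path to drift into. The endpoint URLs are constructed samples, not real Tizen or TizenStore services.

```python
"""Added example: one TLS-only client path plus an audit of configured endpoints.
Nothing here is Samsung or Tizen code; the URLs below are constructed samples."""
import ssl
import http.client
from urllib.parse import urlparse


class InsecureEndpoint(ValueError):
    """Raised for any endpoint that would be fetched without TLS."""


def check_endpoint(url):
    """Return the parsed URL if it uses https with a host; raise otherwise."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise InsecureEndpoint(f"refusing non-TLS URL: {url}")
    if not parts.hostname:
        raise InsecureEndpoint(f"missing host in URL: {url}")
    return parts


def make_context():
    """Build a TLS context that verifies the chain and the hostname (no opt-out)."""
    ctx = ssl.create_default_context()      # loads system CA store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch(url, timeout=10):
    """Fetch a resource over TLS only; plaintext URLs never reach the network."""
    parts = check_endpoint(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       timeout=timeout, context=make_context())
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def audit(urls):
    """Split a list of configured endpoints into accepted and rejected ones."""
    accepted, rejected = [], []
    for url in urls:
        try:
            check_endpoint(url)
            accepted.append(url)
        except InsecureEndpoint as exc:
            rejected.append((url, str(exc)))
    return accepted, rejected


# Constructed sample configuration (hypothetical hostnames, not real services).
SAMPLE_ENDPOINTS = [
    "https://updates.example-appstore.invalid/catalog",
    "http://updates.example-appstore.invalid/catalog",   # plaintext copy of the same API
    "https://telemetry.example-appstore.invalid/report",
    "ftp://mirror.example-appstore.invalid/packages",
    "https:///no-host-here",
]

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_ENDPOINTS)
    print("accepted:", ok)
    for url, reason in bad:
        print("rejected:", url, "->", reason)
```

Running the audit over a device’s endpoint list makes the “some connections encrypted, some not” condition visible as a list of rejected URLs, and because `fetch` goes through the same check, a plaintext URL cannot be used by accident at runtime either.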
Unfortunately, if the company wants to break free of Android, it needs to improve its code base as well as build a better system for patching known vulnerabilities. Closing on that point, Mr. Neiderman said:
“Tizen is going to be Samsung’s biggest thing. We might see the new Galaxies running Tizen, it could happen that soon. But right now Tizen is not safe enough for that.”