Motherboard, after speaking with Israeli security researcher Amihai Neiderman of Equus Software, reports that there are currently 40 unreported security vulnerabilities that would allow remote code execution on, and compromise of, every Samsung TV, watch or phone that uses Tizen as its operating system. More serious are some allegations about the how and why behind many of these exploits.
While Samsung may not be thinking about replacing Android with Tizen on its phones and tablets, the current ecosystem is about to be expanded in a big way: Samsung is committed to using Tizen on most every smart appliance it sells going forward. Smart refrigerators sound like a great idea until someone hacks your email through one.
"It may be the worst code I've ever seen," Neiderman tells Motherboard. "Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software."
Any large software project will have its fair share of bugs and exploitable flaws. While some are more serious than others, most researchers aren't looking at Tizen the way they focus on Android, iOS, and Windows. That's largely because Samsung will sell more Galaxy S8 phones in a week than it will likely ever sell of phones running Tizen. But that overlooks several of Samsung's successful product lines, including the Gear S3 smartwatch that many of us have on our wrists right now. Neiderman goes on to throw some serious shade at Samsung's development team for Tizen.
[Neiderman] says much of the Tizen code base is old and borrows from previous Samsung coding projects, including Bada, a previous mobile phone operating system that Samsung discontinued.
But most of the vulnerabilities he found were actually in new code written specifically for Tizen within the last two years. Many of them are the kind of mistakes programmers were making twenty years ago, indicating that Samsung lacks basic code development and review practices to prevent and catch such flaws.
This is particularly worrisome for several reasons. First, the code Samsung adds to Android is not open source, so it gets no outside peer review. If Samsung's coding and review practices are as lacking as claimed, the same sorts of mistakes could be abundant in its Android portfolio, too. Even if that isn't the case, the Samsung Gear family of watches is connected to quite a few Android devices and shares a lot of information that could be exposed to someone with the right tools and a little bit of know-how.
An attacker can install any software they like through the TizenStore application.
Even tokenized financial data for Samsung Pay has to live on your watch at some level, if only long enough to transmit to a payment terminal or back to your bank. Thankfully, it is stored in a way that makes it mostly worthless without the keys to decrypt it and a reference to what the token is for.
All this aside, the biggest issue is a problem with the Tizen application store and installer.
One security hole Neiderman uncovered was particularly critical. It involves Samsung's TizenStore app—Samsung's version of Google Play Store—which delivers apps and software updates to Tizen devices. Neiderman says a flaw in its design allowed him to hijack the software to deliver malicious code to his Samsung TV.
This is a showstopper. The TizenStore app runs with full system privileges and can install and run anything with no further input from the user. Hijacking this process and using it to install remote-access tools that inherit those system privileges means an attacker can do just about anything they like. Every device with access to the TizenStore, or any other way to install Tizen applications, is potentially vulnerable, including the Samsung Gear family.
We're not advising anyone to throw out their watch or television. We've reached out to Samsung, which tells Motherboard that it is working with Neiderman to get everything in shape, and we'll update when we hear something.
For now, exercise the same caution you would with a Windows computer or when sideloading Android applications while you're using your Tizen-powered gadgets.