Hackers could exploit the vulnerabilities found in Samsung’s Tizen operating system to gain remote access and control of a variety of the company’s products, Amihai Neiderman, head of research at Equus Software, told Motherboard.
Neiderman presented his findings at a security conference sponsored by Kapersky Lab.
Tizen is running on some 30 million smart TVs, as well as on Samsung’s Gear smartwatches and on phones in a limited number of countries, including Russia, India and Bangladesh, according to the Motherboard report.
Samsung plans to have 10 million Tizen phones in the market this year and has announced the OS will be installed on its new line of smart washing machines and refrigerators, it added.
Store App Vulnerable
While all the vulnerabilities in the software allow a hacker to take control of devices running Tizen, a flaw Neiderman found particularly disturbing compromised the software used to install software through the app store for the OS.
Although the TizenStore software authenticates apps before they’re installed on a device, Neiderman exploited a vulnerability that let him gain control of apps before they could be authenticated.
Neiderman contacted Samsung months ago about his findings, he told Motherboard, but he received only an automated email message in response.
The company apparently has approached him about his research in recent days, however, and he has shared some information with the firm.
“Samsung Electronics takes security and privacy very seriously. We regularly check our systems and if at any time there is a credible potential vulnerability, we act promptly to investigate and resolve the issue,” Samsung said in a statement provided to LinuxInsider by spokesperson Danielle Meister Cohen.
“We continually provide software updates to consumers to safeguard their products,” the company maintained. “We are fully committed to cooperating with Mr. Neiderman to mitigate any potential vulnerabilities.”
Reinventing the Wheel – Badly
With Tizen, which is an open source operating system based on Linux, Samsung is trying to offer an alternative OS to a market dominated by Google’s Android and Apple’s iOS.
“It’s trying to reinvent the wheel and doing a bad job of it,” said Patrick Tiquet, director of security and architecture at Keeper Security.
“It sounds to me, too, that they cheaped out on their software development team,” he told LinuxInsider. “You can’t do that when you’re taking on Google and Android.”
Tizen’s programming is the worse code Neiderman has ever seen, he told Motherboard, noting there are mistakes in the software similar to those programmers made 20 years ago.
It appears that no one who understands security was involved either in the writing of the code or in reviewing it, he said, resulting in everything going wrong that possibly could go wrong.
Consumers should be concerned about the vulnerabilities Neiderman discovered in Tizen, maintained James Scott, a senior fellow with the Institute for Critical Infrastructure Technology.
Previously unknown, or “zero day,” flaws are found in all software, he acknowledged.
That said, “consumers should be very concerned by the sheer number of zero day vulnerabilities discoverable by a single researcher,” Scott told LinuxInsider. “Other pen testers, researchers or attackers may be able to discover tens or hundreds more exploitable zero day vulnerabilities.”
Shipping devices running software that puts consumers at risk violates a tacit agreement between a company and its customers, said Michael Patterson, CEO of Plixer International.
“Technology consumers have an unspoken trust that new technology purchases are shipped from the manufacturer with the latest security features and functionality embedded,” he told LinuxInsider.
“If Amihai Neiderman’s findings are accurate, it is alarming that Samsung is shipping smart TVs, smartwatches and mobile phones with many serious security flaws,” Patterson continued.
“Given that Tizen is currently running on 30 million devices and that Samsung plans to have 10 million Tizen phones this year, the potential for these devices to become members of the next big botnet is very real,” he warned.
Eyeballs on Security
One of the pillars of open source software is that the “many eyes” of the community will catch flaws in a project’s code. That apparently hasn’t been the case with Tizen.
“I haven’t seen a lot of interest in Tizen from developers, and it hasn’t been widely deployed — so you don’t have the interest in it that you’d see in something like Android,” Keeper Security’s Tiquet said.
“If there are no eyeballs looking at the source code,” he noted, “then you don’t have the security or the review that you would have with a more popular open source project.”
Tizen’s problems are familiar, said Chris Clark, principal security engineer for strategic initiatives at Synopsys.
“When Linux came out, the same comments about ‘terrible code,’ ‘poor security,’ and other more colorful explanations flowed freely,” he recalled.
“Now that Linux is more mature, these issues are harder to find, although they still exist,” Clark told LinuxInsider. “This is not a simple problem. TV manufacturers must focus on testing automation and development methodologies to minimize successful attacks.”