Samsung is one of the biggest players in the fast-growing consumer Internet of Things space, manufacturing everything from mobile phones to wearables to home surveillance cameras and television sets. But the company’s new operating system for mobile systems, dubbed Tizen, may be a security disaster in the making, according to a security researcher for the firm Equus.
Get the New 2017 SANS Research Report on 'Threat Hunting' -- Written by experts from the SANS Institute, the survey reveals a number of interesting data points about the challenges and benefits of threat hunting.
As reported by Kim Zetter over at Motherboard, Amihai Neiderman, the head of research at Equus, said an audit of the Tizen operating system revealed a slew of serious and remotely exploitable security holes, including a serious flaw in the implementation of Samsung’s TizenStore, the company’s mobile application store, that allows malicious code to be distributed to- and run on devices that use the Tizen operating system.
Tizen is Samsung’s answer to Google’s Android, an open source mobile operating system geared to use on mobile and connected devices. Tizen comes in a variety of flavors to serve the needs of different industries and device types. They include Tizen IVI (in-vehicle infotainment), Tizen Mobile, Tizen TV, and Tizen Wearable. Beginning with the Tizen 3.0 release, all those profiles run on on top of a common, shared infrastructure called Tizen Common.
Despite its newness, however, the operating system is plagued by “old school” security vulnerabilities that call into question the trustworthiness of the entire platform, according to Neiderman, who presented the findings of his audit of Tizen at Kaspersky Lab’s recent Security Analyst Summit.
Samsung’s Tizen runs around 30 million smart TVs, as well as Samsung Gear smart watches. It powers some Samsung phones used in Russia, India and Bangladesh with company plans to have 10 million Tizen phones in the market this year. Samsung smart washing machines and refrigerators powered by Tizen are also on tap.
All of which makes Neiderman’s findings the more concerning. From the Motherboard story:
“It may be the worst code I’ve ever seen,” he told Motherboard in advance of a talk about his research that he is scheduled to deliver at Kaspersky Lab’s Security Analyst Summit on the island of St. Maarten on Monday. “Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software.”
Among the problems: Tizen re-uses parts of preceding Samsung mobile operating systems like the prophetically named Bada. As for the new code, Neiderman said the code he reviewed revealed “the kind of mistakes programmers were making twenty years ago.” In just one glaring example, Samsung’s developers made liberal use of the strcpy() function, which has long been recognized as insecure because of the ease with which developers can create a buffer overrun condition using it. Such slips suggest that “Samsung lacks basic code development and review practices to prevent and catch such flaws,” he said.
Read the rest of Kim’s story on Samsung’s Tizen operating system here: Samsung’s Android Replacement Is a Hacker’s Dream – Motherboard