Tizen, the open source operating system that Samsung uses on a range of Internet-of-Things devices and positions as a sometime competitor to Android, is chock full of egregious security flaws, according to Israeli researcher Amihai Neiderman.
Samsung has been developing the operating system for many years. The project started as an Intel and Nokia project, and Samsung merged its Bada operating system into the code in 2013. Like Android, it’s built on a Linux kernel, with a large chunk of open source software running on top. App development on Tizen uses C++ and HTML5.
Presenting at Kaspersky Lab’s Security Analyst Summit and speaking to Motherboard, Neiderman had little positive to say about the state of Tizen’s code. “It may be the worst code I’ve ever seen,” Neiderman said. “Everything you can do wrong there, they do it.”
While much of the code is inherited from Tizen’s Intel and Samsung predecessor projects, Neiderman says that most of the flaws he found were in the newer code. Buffer overflows are widespread due to issues such as the improper use of the strcpy() function in C—a notoriously dangerous function with risks that are well known to experienced C and C++ programmers. These risks lead many developers to use alternative functions entirely, but not so the Tizen developers: Neiderman says that Samsung is “using it everywhere.”
Samsung’s code also failed to use SSL in a consistent way, transferring even sensitive data in the clear.
At the moment, Tizen is predominantly used in smart devices, though Samsung continues to dabble with using the operating system in smartphones. Hacked Smart TVs became a hot issue with the recent publication of CIA documents, which described an attack on Samsung Smart TVs using an exploit on a USB key. Another attack on Samsung Smart TVs was published last week that used malicious commands embedded in broadcast TV signals. Neiderman himself started looking at Tizen after buying a Samsung TV running the operating system, but he has found that the flaws also exist in the company’s smartphones.
Unlike the CIA’s exploit, Neiderman says that he found flaws that can be remotely exploited. One particular focus was TizenStore, Samsung’s marketplace for Tizen apps. He found exploitable flaws within the store app, and since the store app runs as a highly privileged account, exploiting it compromises the entire device.
When he contacted Samsung about the flaws, Neiderman says that he received only automated replies. Since going public, the company has said that it’s committed to cooperating with the researcher to mitigate the vulnerabilities.