A security researcher has discovered around 40 zero-day vulnerabilities in Samsung's Tizen operating system.
Samsung adopted Tizen – a Linux-based OS developed in partnership with Intel and based on Nokia and Intel's failed MeeGo – to reduce its dependency on Google's Android operating system and is deploying it in TVs, smartphones, watches and other devices.
According to Israeli security researcher Amihai Neiderman, head of research at Equus Software in Israel, almost every system app is vulnerable to attack, but in a presentation at Kaspersky's Security Analyst Summit in St. Martin, he said that some of the bugs found in the OS “felt like 2005”.
He claimed that Tizen was "maybe the worst code I've ever seen". He tested his findings on a Samsung smart TV as well as two Tizen smartphones, the Samsung Z1 and Z3, which he purchased on eBay.
He claimed that all the security holes found were critical and would enable a hacker to control a Samsung device remotely.
He noted the TV implementation of the software was particularly bad. Its TizenStore app (Samsung's version of the App Store), could be hijacked and inject malicious code into a Tizen device, changing parts of the system to gain control of devices.
Another issue was the reuse of code from Bada, Tizen's predecessor operating system. But new code also had problems.
One function, called “strcpy()”, has a buffer overflow exploit, while another fails to use SSL encryption when transmitting certain data.
"They made a lot of wrong assumptions about where they needed encryption," he said. "It's extra work to move between secure connections and unsecure connections."
Tizen is Samsung's attempt to move beyond using Android in its devices, particularly its smartphones, in a bid to have more control over both the hardware and software its sells. Neiderman said that the company should reconsider widespread deployment of the OS until there has been a major overhaul of the code.
Samsung has told the press that it is “fully committed” to working with Neiderman to mitigate flaws.
Professor Giovanni Vigna, founder and CTO of Lastline, told SC Media UK that Samsung, “in its rush to come to market with a product to substitute Android, has not performed the relevant code analyses that would have prevented these flaws from being shipped with the Tizen OS”.
“This is another clear example of how the pressure to deploy software in the current consumer market can actually harm the security of systems (from phones to IoT devices). Security needs to be built-in and not be an afterthought, as it is much harder to fix something broken that has been deployed to millions of devices, than to deploy secure (or at least reasonably secure) systems in the first place,” he said.
Cris Thomas, strategist at Tenable Network Security, told SC that organisations need to be vigilant and take control of their security, instead of waiting for the next patch to be pushed out.
“Given the long lifespan of these and other IoT devices, people may forget about the problem months down the road and plug them back into the network leaving them vulnerable again, so it's important to think long-term. This means knowing what's on your network, knowing all of the vulnerabilities, actively searching for malware and signs of compromise and prioritising actions to immediately reduce your exposure and cyber-risk,” he said.
Javvad Malik, security advocate at AlienVault, told SC that steps can be introduced to reduce the likelihood, or severity, of vulnerabilities by “conducting extensive static and dynamic code testing during development, allowing pen testers to test once deployed and finally inviting researchers globally via a bug bounty programme”.
