Tuesday, 4 April 2017

Samsung’s Tizen operating system reported to be riddled with security vulnerabilities

Credit: Samsung

Samsung wants to reduce its dependence on Google’s Android. Its planned replacement is Tizen – already in Samsung Gear watches, TVs, & phones in limited markets. Tizen smart washing machines & refrigerators are planned for later this year.

Before you jump on board with Tizen, you may be interested in how it has been described:

“You can see that nobody with any understanding of security looked at this code.” – Amihai Neiderman, head of research, Equus Software

“It may be the worst code I've ever seen … everything you can do wrong there, they do it.” – Amihai Neiderman, head of research, Equus Software

Motherboard – “Samsung's Android Replacement Is a Hacker's Dream”

Ars Technica – “Samsung’s Tizen is riddled with security flaws, amateurishly written”

Extreme Tech – “Samsung’s Tizen OS may be overrun with security flaws”