Last month's Wikileaks revelation on the CIA's hacking tools told us that, among other things, older Samsung Smart TVs could be hacked and used for surveillance. This prompted Samsung and other tech companies to take the matter seriously and use WikiLeaks' information to fix its vulnerabilities. However, it looks like Samsung not only has worry about the CIA but also every other hacker out there as its home-grown Tizen OS is reportedly riddled with critical security flaws that could affect more than just its Smart TVs.
An Israeli researcher, Amihai Neiderman, claims to have discovered as many as 40 unknown zero-day vulnerabilities in Tizen. Neiderman says that these critical bugs have the potential to allow hackers to control Tizen-powered devices remotely. On discovering the bugs, Neiderman told Motherboard that Tizen "may be the worst code I've ever seen."
"Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software."
The concern here is that the flaws allow hackers to remotely control a device through remote code execution (REC). So a hacker doesn't even need to be around the device to hack, control, or wipe the device clean. One particular flaw involves Samsung's TizenStore app, which could allow Neiderman to control the software to deliver malicious code to his Samsung TV.
Samsung has relied heavily on its own OS rather than depend on Android, which has also had its fair share of bug reports in the past. This means millions of newer Tizen-based devices in the market, ranging from Smart TVs, smartphones, smartwatches, tablets to washing machines and refrigerators are left potentially open to hackers, unless Samsung finds a way to quickly fix the flaws.
Neiderman says that most of Tizen's code is based on previous projects including Bada, Samsung's previous operating system which was killed in 2013. However, vulnerabilities were found in some of the most recent codes written in the past two years.
In one instance, the researcher discovered that Tizen doesn't require SSL encryption for secure transmitting of data. Programmers use it on certain data transmissions but not all. "They made a lot of wrong assumptions about where they needed encryption," he says. "It's extra work to move between secure connections and unsecure connections."
Samsung ships bulk of its Tizen-powered devices to countries like Russia, India, and Bangladesh. The company in November last year launched an incentive programme to attract developers onto its platform. But if Samsung is indeed keen on slowly weaning out Android in favour of its own OS, the company will need to fix and update its code before it entirely relies on it for all its future devices.
Samsung initially did not act on Neiderman's findings, but changed its stance once the report was published. As of now, the company is reportedly working on fixing the risks with the help of Neiderman and through the company's SmartTV Bug Bounty programme.
"Tizen is going to be Samsung's biggest thing. We might see the new Galaxies running Tizen, it could happen that soon. But right now Tizen is not safe enough for that," Neiderman says.