Samsung’s Tizen is riddled with security flaws, amateurishly written

Tizen logoTizen, the open source operating system that Samsung uses on a range of Internet-of-Things devices and positions as a sometime competitor to Android, is chock full of egregious security flaws, according to Israeli researcher Amihai Neiderman.

Samsung has been developing the operating system for many years. The project started as an Intel and Nokia project, and Samsung merged its Bada operating system into the code in 2013. Like Android, it's built on a Linux kernel, with a large chunk of open source software running on top. App development on Tizen uses C++ and HTML5.

Presenting at Kaspersky Lab's Security Analyst Summit and speaking to Motherboard, Neiderman had little positive to say about the state of Tizen's code. "It may be the worst code I've ever seen," Neiderman said. "Everything you can do wrong there, they do it."

While much of the code is inherited from Tizen's Intel and Samsung predecessor projects, Neiderman says that most of the flaws he found were in the newer code. Buffer overflows are widespread due to issues such as the improper use of the strcpy() function in C—a notoriously dangerous function with risks that are well known to experienced C and C++ programmers. These risks lead many developers to use alternative functions entirely, but not so the Tizen developers: Neiderman says that Samsung is "using it everywhere."

Samsung's code also failed to use SSL in a consistent way, transferring even sensitive data in the clear.

At the moment, Tizen is predominantly used in smart devices, though Samsung continues to dabble with using the operating system in smartphones. Hacked Smart TVs became a hot issue with the recent publication of CIA documents, which described an attack on Samsung Smart TVs using an exploit on a USB key. Another attack on Samsung Smart TVs was published last week that used malicious commands embedded in broadcast TV signals. Neiderman himself started looking at Tizen after buying a Samsung TV running the operating system, but he has found that the flaws also exist in the company's smartphones.

Unlike the CIA's exploit, Neiderman says that he found flaws that can be remotely exploited. One particular focus was TizenStore, Samsung's marketplace for Tizen apps. He found exploitable flaws within the store app, and since the store app runs as a highly privileged account, exploiting it compromises the entire device.

When he contacted Samsung about the flaws, Neiderman says that he received only automated replies. Since going public, the company has said that it's committed to cooperating with the researcher to mitigate the vulnerabilities.

Source: Ars Technica

Tags: OSes, Samsung, security, Tizen

Add comment

Your name:
Sign in with:
Your comment:

Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party

Last news

Galaxy Note10 really is built around a 6.7-inch display
You may still be able to download your content
Facebook, Messenger and Instagram are all going away
Minimize apps to a floating, always-on-top bubble
Japan Display has been providing LCDs for the iPhone XR, the only LCD model in Apple’s 2018 line-up
The 2001 operating system has reached its lowest share level
The entire TSMC 5nm design infrastructure is available now from TSMC
The smartphone uses a Snapdragon 660 processor running Android 9 Pie
The Samsung Galaxy A5 (2017) Review
The evolution of the successful smartphone, now with a waterproof body and USB Type-C
February 7, 2017 / 2
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /

News Archive



Do you use microSD card with your phone?
or leave your own version in comments (15)