As if Tizen hasn’t been abused enough by Samsung, demoted from flagship smartphone OS to its IoT operating system for its consumer electronics and home appliances, a security researcher has unearthed 40 zero-day vulnerabilities – surely sounding the death-knell for the project in an industry that is slowly waking up to the threat that IoT security poses.
Branding it “maybe the worst code I’ve ever seen,” Equus Software researcher Amihai Neiderman presented his Tizen findings at Kaspersky’s Security Analyst Summit. “Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software,” he told Vice’s Motherboard.
The most critical problem is found in the TizenStore, the equivalent of the Google Play store, in which Neiderman says there exists a flaw that lets attackers inject code into Tizen devices – abusing the privileges that the store function has in the OS, by exploiting a heap-overflow vulnerability to bypass Samsung’s code authentication systems.
Because of Tizen’s relatively minuscule market presence, compared to iOS and Android, it hasn’t garnered much attention from the penetration testing and security community. Neiderman said he only took an interest in the software after purchasing a new Samsung TV.
Neiderman said that he found much of the code was borrowed from Samsung’s previous Bada OS project, which was abandoned. However, the bulk of the vulnerabilities are attributable to new code, with Neiderman saying that they are proof of the inexperience of Samsung’s coders – such as using the strcpy() function, which copies a string with no check on the size of the destination buffer and is now avoided almost by consensus because of the exploitable buffer overflows it produces.
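To make the strcpy() point concrete, here is an added illustration (not code from Tizen or from Neiderman’s research) of the unbounded copy pattern next to a length-checked replacement; the 16-byte buffer and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed fixed-size destination buffer */

/* The pattern the article criticises: strcpy() copies until it finds the
 * terminating NUL and never consults the destination size, so any source
 * longer than NAME_MAX - 1 bytes writes past the end of 'dst'. */
void copy_name_unsafe(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);
}

/* Hardened replacement: the caller passes the destination capacity and
 * the copy is refused (dst left as an empty string) when the source,
 * including its NUL terminator, would not fit. Returns 0 on success,
 * -1 when the input is rejected. */
int copy_name_safe(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    size_t n = 0;
    /* scan at most dst_size bytes, so an unterminated source is bounded too */
    while (n < dst_size && src[n] != '\0') n++;
    if (n == dst_size) {          /* no room left for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);      /* n bytes plus terminator */
    return 0;
}

int main(void) {
    char buf[NAME_MAX];
    const char *ok  = "livingroom";                               /* fits */
    const char *bad = "this-name-is-longer-than-sixteen-bytes";   /* does not */
    printf("safe(ok)  = %d -> '%s'\n", copy_name_safe(buf, sizeof buf, ok), buf);
    printf("safe(bad) = %d -> '%s'\n", copy_name_safe(buf, sizeof buf, bad), buf);
    copy_name_unsafe(buf, ok);    /* only well-defined because 'ok' fits */
    return 0;
}
```

Compilers and static analysers flag strcpy() into fixed buffers for exactly this reason; the bounded version is what a reviewer would expect to see in its place.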
Another glaring error was a lack of SSL encryption in certain transmissions, with Neiderman saying that “they made a lot of wrong assumptions about where they needed encryption,” adding that because “it’s extra work to move between secure and insecure connections, it indicates that they didn’t do it inadvertently, but were making conscious decisions not to use SSL in those places.”
It’s a pretty damning blow to Samsung’s security credibility, especially in the wake of the infamous Note 7 debacle. Samsung has been positioning its Knox offering as an enterprise mobile security platform for businesses, and these Tizen revelations will have tarnished its reputation – even if Knox’s containerization technology is far removed from Tizen’s codebase.
The recent Wikileaks publication of CIA exploits also showed systemic vulnerabilities in Samsung’s TVs, and in the past week, an attack was demonstrated using DVB broadcast TV signals. While the CIA attacks require physical access, both the DVB and the Tizen exploits can be executed remotely – which is a major problem in a hyper-connected world.
An estimated 10m Tizen smartphones are expected in the wild in 2017, mostly in Russia and India, and apparently around 30m of its TVs. Samsung’s Tizen footprint has been growing, and back in November, it said the OS powered 50m devices globally. But despite its open source status, Tizen appears embarrassingly vulnerable.
Tizen was initially planned as a way to distance Samsung from Google, after Google became increasingly frustrated with the manner in which Samsung was treating Android. In Google’s eyes, the number-one Android device maker was sullying the stock Android experience by adding so many Samsung applications on top – bloatware that was Samsung’s attempt to act as the conduit for its users, rather than Google’s services.
Fearing a potential revocation of its Android license, Samsung commissioned Tizen as a means of replacing Android entirely, and planned to use it in its Galaxy flagships. But then Tizen was ousted, demoted to a much-delayed Russian flagship device, and then further shuffled into low-cost phones aimed at the Indian market. Eventually it surfaced on Samsung’s wearables, but its premium operating system was now confined to TVs, white goods, and “IoT devices” – whatever they were envisioned as being.
So if we can infer that Samsung is dedicating very little in the way of developer resources and investment to Tizen, then it stands to reason that the OS isn’t going anywhere fast. Exploding phones have been an easy punchline to make at Samsung’s expense, and while the IoT refrigerator has been a punching bag for IoT skeptics, Tizen is on track to be the butt of many jokes – and potentially the subject of a lawsuit further down the line.