Samsung's Tizen OS is a hacker's dream, security researcher exposes 40 unknown vulnerabilities

Last month, whistle-blowing site WikiLeaks published thousands of documents describing the various methods the CIA uses to break into electronic devices. Most of the hacking tools targeted smartphones and computers, but many people were surprised to learn that even Samsung Smart TVs are vulnerable.

However, the latest findings from an Israeli security researcher suggest that your Smart TV isn't the only Samsung device that can be exploited. Amihai Neiderman, head of research at Equus Software, has found that the Tizen operating system, which runs on millions of Samsung smartphones, wearables, and other smart appliances, is riddled with security holes.

The whole affair began when Neiderman bought a Tizen-powered TV for his home. After discovering how badly the code on his TV was written, the researcher bought a number of Samsung smartphones running the OS in order to test them as well. Neiderman found 40 previously unknown vulnerabilities (zero-days), which he says could allow someone to remotely compromise any current or future device running Tizen. By comparison, the CIA implant described in the WikiLeaks documents only worked on older Samsung Smart TVs and required an agent to physically install it on the television via a USB stick.

According to Neiderman, much of Tizen's code base was borrowed from Bada, an older Samsung mobile OS that has since been discontinued, but most of the vulnerabilities he found were in code written specifically for Tizen within the last two years.

Speaking to Vice's Motherboard, Neiderman described how "charmed" he was with his discovery:

Of all the flaws, Neiderman singles out one as critical. It involves the Tizen Store, Samsung's alternative to Google Play. The researcher says a heap-overflow vulnerability in the store app allowed him to hijack it and deliver malicious code to his Samsung TV. Because the Tizen Store runs with the highest privileges available on the device, a bug in it hands an attacker full control of the system, making the store a Holy Grail for any malicious party able to abuse it.
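To make the class of bug concrete, here is an added C example that is not the Tizen Store code or Neiderman's finding. It uses a constructed, hypothetical wire format (a two-byte length header followed by a payload) and shows a parser that bounds-checks the read side but trusts the attacker-supplied length when writing into a fixed-size heap buffer, beside a hardened version that checks the length against the destination before copying. The function and format names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire format (constructed for this example, not Tizen's):
 * a 2-byte big-endian length field followed by that many payload bytes. */
#define NAME_BUF_SIZE 64

/* Vulnerable parser: the read side is bounds-checked against msg_len, but the
 * write side trusts the attacker-supplied length. A length larger than the
 * fixed NAME_BUF_SIZE heap allocation makes memcpy write past its end. */
int parse_name_vulnerable(const uint8_t *msg, size_t msg_len, char **out)
{
    if (msg_len < 2) return -1;
    size_t claimed = ((size_t)msg[0] << 8) | msg[1];
    if (msg_len - 2 < claimed) return -1;      /* payload shorter than header says */
    char *buf = malloc(NAME_BUF_SIZE);
    if (!buf) return -1;
    memcpy(buf, msg + 2, claimed);             /* BUG: claimed may exceed NAME_BUF_SIZE */
    *out = buf;
    return 0;
}

/* Hardened parser: same format, but the length is checked against the
 * destination before any copy and the result is always NUL-terminated.
 * Oversized input is rejected outright rather than silently truncated. */
int parse_name_hardened(const uint8_t *msg, size_t msg_len, char **out)
{
    if (msg_len < 2) return -1;
    size_t claimed = ((size_t)msg[0] << 8) | msg[1];
    if (msg_len - 2 < claimed) return -1;
    if (claimed >= NAME_BUF_SIZE) return -2;   /* leave room for the terminator */
    char *buf = malloc(NAME_BUF_SIZE);
    if (!buf) return -1;
    memcpy(buf, msg + 2, claimed);
    buf[claimed] = '\0';
    *out = buf;
    return 0;
}

/* Builds a message with an explicit length header; used to construct test input. */
static size_t build_msg(uint8_t *dst, size_t dst_cap, const uint8_t *payload, size_t len)
{
    if (len > 0xFFFF || dst_cap < 2 + len) return 0;
    dst[0] = (uint8_t)(len >> 8);
    dst[1] = (uint8_t)(len & 0xFF);
    memcpy(dst + 2, payload, len);
    return 2 + len;
}

/* Well-formed input: the hardened parser accepts it. Returns 0 on success. */
int demo_in_bounds(void)
{
    uint8_t msg[128];
    const char *name = "calc.tpk";               /* constructed sample payload */
    size_t n = build_msg(msg, sizeof msg, (const uint8_t *)name, strlen(name));
    char *out = NULL;
    int rc = parse_name_hardened(msg, n, &out);
    if (rc != 0) return rc;
    int same = strcmp(out, name) == 0;
    free(out);
    return same ? 0 : -3;
}

/* Oversized input: 200 payload bytes with a matching header. The hardened
 * parser returns -2; the vulnerable one would overflow its 64-byte buffer,
 * so it is deliberately not called here. */
int demo_oversized(void)
{
    uint8_t payload[200];
    memset(payload, 'A', sizeof payload);
    uint8_t msg[256];
    size_t n = build_msg(msg, sizeof msg, payload, sizeof payload);
    char *out = NULL;
    return parse_name_hardened(msg, n, &out);
}

int main(void)
{
    printf("in-bounds: %d\n", demo_in_bounds());
    printf("oversized: %d\n", demo_oversized());
    return 0;
}
```

The check that matters is the one against the destination size, not the one against the message length: a parser that validates only that the payload is really present can still copy more bytes than the heap chunk holds. In a process running with the highest privilege on the device, as the article says the Tizen Store does, that write becomes an attacker's foothold over the whole system.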

One can find Tizen smartphones like the Samsung Z3 in certain markets like India.

As you may know, Samsung sees Tizen as its primary way to reduce its reliance on Android. Although the company has released only a limited number of smartphones running the OS, in countries like India and Russia, there is speculation that the system may be deployed much more broadly in the near future. Neiderman says his findings prompted Samsung to contact him, and he advises the company to hold off on rolling Tizen out widely to phones until the code has been substantially reworked.

source: Motherboard

23 Comments

1. trojan_horse

Posts: 5868; Member since: May 06, 2016

Oh, damn. It's about time Samsung gets its s**t together on its Tizen OS, as Samsung consumers are put at risk!

6. MattPerkins1

Posts: 94; Member since: Mar 25, 2017

It's no secret that Samsung is terrible when it comes to making software, so I don't see why anyone would be surprised by this news. Avoid Samsung products at all cost.

8. Feanor

Posts: 1320; Member since: Jun 20, 2012

The biggest issue here is that the highly acclaimed Gear S2 and Gear S3 run Tizen. Already by nature smartwatches are for the moment vulnerable (mainly because I've read that Bluetooth connection between smartphone and smartwatch doesn't include any sort of encryption), so this is worrying news indeed.

11. jellmoo

Posts: 2531; Member since: Oct 31, 2011

Well... I'm sure glad this article came to light days after I picked up a Gear S3...

12. mikehunta727 unregistered

Those are some extremely harsh words, wow. He says that "undergraduates" wrote this code and no one really even looks over it. That's horrible.

13. kiko007

Posts: 7491; Member since: Feb 17, 2016

Wait, which is horrible? The statement regarding the undergrads coding, or the plausibility that said statement is accurate?

14. mikehunta727 unregistered

The reality of the situation: Tizen is a massive black hole in terms of security and needs a ton of work. Many Samsung products use Tizen and many people are really vulnerable.

20. kerginaldo17 unregistered

In your opinion, mikehunta727, does Tizen have a future? If you ask me, I think so, but with a bit of doubt due to the time it has been active.

23. mikehunta727 unregistered

It definitely isn't going anywhere in Samsung's ecosystem, so it does have a future... I hope they can seriously improve on the security though.

15. omnitech

Posts: 1131; Member since: Sep 28, 2016

I am actually surprised that Intel, Samsung, and whoever backed this before would hire an inexperienced lead coder. This guy is probably getting paid like an experienced one. Maybe a better HR team is in order here, Samsung.

16. Settings

Posts: 2943; Member since: Jul 02, 2014

What's the point of hacking a Tizen phone when only 2 people have it?

17. mikehunta727 unregistered

Tizen runs in Samsung smart TVs, smart refrigerators, their smart watches, etc. It affects much more than just "2 people".

22. PapaJi

Posts: 60; Member since: May 15, 2016

Tizen has the second largest market share in India.... almost double that of iOS.

18. omnitech

Posts: 1131; Member since: Sep 28, 2016

This honestly does not compute. The Alliance consists of NEC, Intel, Samsung, Panasonic, etc. They decide what Tizen can do, and Samsung and Intel, under a group called the technical steering group headed by Samsung and Intel execs, make it happen. Not sure how they can hire someone that s**tty to do the software. This sounds fishy and is probably some kind of viral campaign against Samsung.

19. kerginaldo17 unregistered

Could this researcher not have gone to Samsung and disclosed the system's vulnerabilities to them? That's more decent than going around publishing everything. Unless he has been reaching out to the company and it has not listened to him, which does not seem to be the case.

21. Lumia_Luigi

Posts: 173; Member since: Mar 22, 2017

Guess I should go apply with my 0 years of experience coding
