Samsung's Tizen OS is a hacker's dream, security researcher exposes 40 unknown vulnerabilities
The researcher discovered 40 zero-day vulnerabilities
The entire affair began when Neiderman purchased a Tizen-powered TV for his home. Upon discovering just how badly the code on his TV was written, the researcher decided to buy a bunch of Samsung smartphones that use the OS in order to test them out. Neiderman managed to detect 40 unknown vulnerabilities (also known as zero-days), which could allow someone to remotely hack any current or future device using Tizen. By comparison, the CIA hijack described in the WikiLeaks documents only worked on older Samsung Smart TVs and required an agent to physically install it on a television set via a USB stick.According to Neiderman, much of Tizen's code base has been borrowed by Bada, an old Samsung mobile OS which was discontinued, but most of the vulnerabilities he located were from code that was specifically written for Tizen within the last two years.
Speaking to Vice's Motherboard, Neiderman described how "charmed" he was with his discovery:
It may be the worst code I’ve ever seen.Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software...You can update a Tizen system with any malicious code you want.
"You can update a Tizen system with any malicious code you want"
Of all the security risks, Neiderman points out one particular design flaw as critical. It involves the Tizen Store, which is Samsung's alternative to Google Play. The researcher claims that a heap-overflow vulnerability in the app enabled him to hijack the software to deliver malicious code into his Samsung TV. As the Tizen Store possesses the highest privileges one can get on a device, it is a Holy Grail for any malicious party that can abuse it.One can find Tizen smartphones like the Samsung Z3 in certain markets like India.
As you may know, Samsung sees Tizen as the primary way to reduce its reliance on Android. Although the tech giant has released a limited number of smartphones running the OS in countries like India and Russia, there are speculations that we might see the system being employed on a much broader basis in the near future. Neiderman says his recent discovery prompted Samsung to contact him, and advises the company to reconsider the mass implementation of Tizen to phones before performing a major reconstruction of the code.
source: Motherboard
Things that are NOT allowed: