Security researcher blasts Tizen: ‘May be the worst code I’ve ever seen’
Samsung has had enough struggles with Tizen, the open-source operating system it is positioning as an alternative to Android. But now Tizen is being blasted by a security expert for being full of egregious security flaws and sloppy programming.
Israeli researcher Amihai Neiderman, who heads the research department for Equus Software, spoke at Kaspersky Lab’s Security Analyst Summit and later to Motherboard, the tech site run by Vice.com. Neiderman said Tizen’s code “may be the worst code I’ve ever seen. Everything you can do wrong there, they do it.”
Tizen is similar to Android in that it’s built on a Linux kernel with a lot of open-source code around it. After that, though, the two part company. Tizen started as an Intel and Nokia project, and Samsung merged its Bada operating system into the Intel/Nokia code in 2013. However, Neiderman says most of the flaws he found were in the newer code.
Many of them are the kind of mistakes programmers were making 20 years ago. For example, because the TizenStore software operates with the highest privileges you can get on a device, it’s the perfect delivery method for malicious code. “You can update a Tizen system with any malicious code you want,” said Neiderman.
Buffer overflows are widespread due to the improper use of the strcpy() function in C. This function is used to replicate data in memory, but it’s also got risks, and developers today no longer use it, except for the Tizen development team. Neiderman says that Samsung is “using it everywhere.”
Samsung’s code also failed to use SSL in a consistent way, transferring even sensitive data in the clear.
Where is Tizen used?
At the moment, Tizen is predominantly used in smart devices, though Samsung continues to dabble with using the operating system in smartphones. Hacked Smart TVs became a hot issue with the recent publication of CIA documents, which described an attack on Samsung Smart TVs using an exploit on a USB key. Another attack on Samsung Smart TVs was published last week that used malicious commands embedded in broadcast TV signals.
Neiderman started looking at Tizen after buying a Samsung TV running the operating system, but he has found that the flaws also exist in the company’s smartphones.
Unlike the CIA’s exploit, Neiderman says he found flaws that can be remotely exploited. One particular focus was TizenStore, Samsung’s marketplace for Tizen apps. He found exploitable flaws within the store app, and since the store app runs as a highly privileged account, exploiting it compromises the entire device.
When Neiderman contacted Samsung about the flaws, Neiderman said he received only automated replies. Since going public, the company has said that it’s committed to cooperating with the researcher.