When WikiLeaks revealed the Central Intelligence Agency’s (CIA’s) hacking arsenal to the world, it became clear that the agency is capable of snooping on Samsung Smart TVs thanks to various security exploits. However, it’s not just Samsung Smart TVs that are susceptible: a new report suggests that a number of Samsung devices running the Tizen OS are at risk because of unpatched vulnerabilities.
Tizen is Samsung’s homegrown operating system, found on its low-end smartphones, smartwatches and, of course, smart TVs. Like Android, it’s based on the Linux kernel. Unlike Android, however, it is nowhere near as popular, which may be why Samsung has been reluctant to fix the vulnerabilities that plague it.
Just how many outstanding vulnerabilities are there? One Israeli researcher says he has unearthed 40 zero-day vulnerabilities in Tizen. If a single security researcher was able to find over three dozen exploitable flaws in a “modern” operating system that is shipping in commercial products, imagine what an intelligence agency with the resources of the CIA could find with its elite hacking teams.
"It may be the worst code I've ever seen," said Amihai Neiderman, the researcher that discovered the vulnerabilities, in an interview with Motherboard. "Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software."
Ouch! Tell us how you really feel! Not one, but all of the vulnerabilities could allow an attacker to take complete control of a Tizen-based device via remote code execution. The biggest concern, however, was the lax security of Samsung’s own TizenStore app: Neiderman was able to use the app as a conduit to deliver malicious payloads, giving him full control over Tizen.
If Samsung ever wants to supplant Android as the operating system of choice for its scores of consumer electronics devices, it might want to get a handle on this security nightmare. Android is no saint when it comes to security vulnerabilities, but at least Google has the manpower (and oversight from the Android community) to address those issues in a somewhat timely manner. Samsung, on the other hand, seems to have been policing itself, with disastrous results.
For its part, Samsung delivered the following statement to Motherboard:
Samsung Electronics takes security and privacy very seriously. We regularly check our systems and if at any time there is a credible potential vulnerability, we act promptly to investigate and resolve the issue.
We are fully committed to cooperating with Mr. Neiderman to mitigate any potential vulnerabilities. Through our SmartTV Bug Bounty program, Samsung is committed to working with security experts around the world to mitigate any security risks.
Let’s hope that Samsung is able to release a slew of updates to address these exploits. Surely the South Korean company will be capable of finding someone other than an “undergraduate” coder.