Samsung is indisputably the most successful maker of Android devices, even with the trouble last year with the Note 7 battery fires. Android is doing fine right now — better than fine, actually. If that ever changes, Samsung is hedging its bets. Samsung has long had an in-house mobile platform called Tizen as a backup plan if Android ever becomes a problem. However, a new report claims that Samsung’s Tizen OS is riddled with serious security flaws.
The open source Tizen is used mostly on Samsung’s smart TVs, but it’s also running on all the Gear S smartwatches and more smartphones than you’d expect. Samsung’s bread and butter is still Android, but there are millions of budget-oriented Tizen-powered smartphones in the world in countries like Russia and India. Samsung even plans to expand its sales of Tizen phones to 10 million units in 2017.
Israeli researcher Amihai Neiderman calls Tizen “the worst code I’ve ever seen.” Think that’s bad? Neiderman has more harsh words for Tizen, saying it looks like something an “undergraduate” programmer wrote. He claims to have found 40 previously unknown zero-day vulnerabilities in Tizen, and these aren’t just any bugs. Neiderman says these vulnerabilities are critical in nature, potentially opening the door to remote code execution. An exploit that allows remote code to be run on a device is a bit like the holy grail of hacking. If you can run your code on a phone without even having access to it, you can do almost anything to it.
Some of the mistakes made are obvious even to people who can’t write a line of code. For example, Tizen doesn’t require SSL on all secure transmissions. There’s even one vulnerability that could allow attackers to completely rewrite the software on a device. This flaw is in the Tizen Store, and it allows a hacker to push malicious system updates. The update system operates with the highest system privileges, but update packages are supposed to be authenticated before they are installed. However, Neiderman found a heap-overflow bug that could be used to bypass that authentication step.
Some of Tizen’s problems may come from its reliance on Samsung’s previous custom mobile platform, known as Bada. That OS was discontinued by Samsung in 2013, but much of the code was migrated to Tizen. Neiderman notes, however, that the flaws are mostly in new code written for Tizen in the last few years. Perhaps this is a byproduct of trying to work around all that old Bada code.
Neiderman says he contacted Samsung months ago about the vulnerabilities, but the company didn’t show any interest. Only after publishing his findings did Samsung respond and pledge to investigate the state of Tizen.