Security Researcher Finds 40 Zero-Day Vulnerabilities in Samsung’s Tizen OS

"It may be the worst code I have ever seen"

Samsung, being a large multinational company, makes a lot of products spread across various spheres of life and marketed to diverse segments in a multitude of countries. Over here on XDA-Developers, Samsung is famously known for their Android smartphones and tablets, given they are some of the top contenders for their respective product categories.

But that is not all that Samsung makes. Samsung also makes many more interesting electronics, including a few “smart” ones that run on its own open-source OS, Tizen OS. Tizen powers Samsung products like smart TVs, smartwatches like the Gear series and even mobile phones like the Samsung Galaxy Z lineup. Samsung is seeking to expand the Tizen offerings to more products and more markets, as is evident from the expansion of the Galaxy Z smartphones and the Gear smartwatches.

All may not be well with Tizen though. As security researcher Amihai Neiderman of Equus Software mentioned to Motherboard, Samsung’s Tizen OS has as many as 40 zero-day vulnerabilities that are still active and pose a threat to the security of the operating system. These vulnerabilities allow someone to remotely hack “millions” of newer Samsung smart TVs, smartwatches and mobile phones, both those already on the market and those slated for future release, because Samsung does not know about and has not fixed them (hence, “zero day”).

As Motherboard quotes the researcher (emphasis ours),

“Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software.”

All of the vulnerabilities allow remote code execution on a Samsung device. One of them exploits a flaw in the design of Samsung’s TizenStore app to hijack the software and deliver malicious code to a Samsung TV. Worse, the TizenStore app operates with the highest privileges on a Tizen device, which makes this vulnerability an even bigger cause for worry: Mr. Neiderman says that an attacker can update a Tizen system with any malicious code they want. The TizenStore does use authentication to make sure only authorized Samsung software gets installed, but a heap-overflow vulnerability allows an attacker to gain control before the authentication kicks in.

The researcher mentions that a lot of the Tizen code base is old and borrows from previous projects like Bada. But most of the vulnerabilities he found were in new code specifically written for Tizen within the last two years. The vulnerabilities are described as “mistakes programmers were making twenty years ago” to indicate that Samsung lacked basic code development and review practices for Tizen.

One example mentioned is the use of the strcpy() function in Tizen:

Strcpy() is a function for replicating data in memory. But there’s a basic flaw in it whereby it fails to check if there is enough space to write the data, which can create a buffer overrun condition that attackers can exploit. A buffer overrun occurs when the space to which data is being written is too small for the data, causing the data to write to adjacent areas of memory. No programmers use this function today because it’s flawed, yet the Samsung coders are using it everywhere.
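The strcpy() problem described above, as an added C example that is not from the article, Motherboard, or Tizen's source: the unchecked copy next to a bounds-checked replacement. The buffer size, function names and sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16   /* constructed buffer size for this example */

/* The pattern from the quote: strcpy() copies up to src's NUL terminator and
 * never sees dst's size, so any src longer than NAME_CAP - 1 overruns dst. */
void set_name_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Bytes strcpy() would write past the end of a dst_cap-byte buffer. */
size_t overrun_bytes(size_t dst_cap, const char *src)
{
    size_t need = strlen(src) + 1;          /* payload plus NUL */
    return need > dst_cap ? need - dst_cap : 0;
}

/* Hardened form: capacity is an explicit argument, oversized input is
 * rejected instead of truncated, and dst always ends up NUL-terminated.
 * Returns 0 on success, -1 on rejection. */
int set_name_checked(char *dst, size_t dst_cap, const char *src)
{
    if (dst == NULL || dst_cap == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    const char *nul = memchr(src, '\0', dst_cap);  /* scan at most dst_cap bytes */
    if (nul == NULL)
        return -1;                          /* src plus NUL does not fit */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

int main(void)
{
    char name[NAME_CAP];
    const char *fits = "living-room-tv";    /* constructed, 14 chars */
    const char *too_long = "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA"; /* constructed, 32 */

    set_name_unchecked(name, fits);         /* safe only because this input fits */
    printf("strcpy would overrun by %zu bytes\n", overrun_bytes(sizeof name, too_long));
    printf("checked copy returns %d\n", set_name_checked(name, sizeof name, too_long));
    return 0;
}
```

A 16-character input is the boundary case: the text itself fits in the 16-byte buffer, but the terminator does not, so the unchecked copy overruns by exactly one byte.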

When contacted, Samsung sent the researcher an automated email in response.

Samsung’s current smartphone lineup is heavily dependent on Android, so this news shouldn’t necessarily impact your opinion of their Android smartphones in particular. But Samsung’s other avenues that involve Tizen are likely to invite hackers to explore and find more such zero-day vulnerabilities. There needs to be a higher priority on Tizen’s security if Samsung ever wants Tizen to be an OS for the internet of things.

Source: Motherboard

About author

Aamir Siddiqui