It’s bad when a security researcher finds a critical security flaw in your software. But when he finds about 40—all of them critical? Well, then you might consider rewriting the entire thing from scratch.
That’s exactly what’s happening to none other than Samsung and its Tizen operating system, which the company uses on a number of its devices, including phones, smartwatches, and smart TVs.
Israeli security researcher Amihai Neiderman laid out the numerous, previously unknown security flaws in Tizen in a report detailed at Kaspersky’s Security Analyst Summit at St. Marteen Monday. Neiderman claims all of the holes he found are critical and would allow hackers to control a Samsung device remotely.
Some, however, are worse than others. A particularly nasty flaw would let an attacker take over the TizenStore app — an app store for Tizen — and hijack it to inject malicious software into a Tizen device. Since this particular app can access and change any part of the system, a malicious hacker exploiting the flaw would have absolute and total control over your Tizen device.
Neiderman, who started looking into Tizen’s security after purchasing a Samsung smart TV last year, calls the Tizen code the “worst” he has “ever seen.”
“You can see that nobody with any understanding of security looked at this code or wrote it.”
“Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software,” he told Motherboard.
Neiderman claims he contacted Samsung about the security flaws months ago, but received nothing besides an automated response. However, Samsung did tell Motherboard that it’s now working with Neiderman to “mitigate any potential vulnerabilities.”
According to Samsung, the open-source Tizen powered 50 million Samsung devices as of Nov. 2016. These include Samsung’s Gear S3 smartwatch; they also include the company’s lineup of smart TVs, which recently came into focus after a WikiLeaks leak of CIA’s hacking tools unearthed an exploit that enables the agency to eavesdrop on someone through a Samsung smart TV.
Samsung has big plans for Tizen; the company likely won’t launch flagship phones based on the OS any time soon, but it does plan to use it on many future Internet-of-Things devices. If this report is accurate, however, it might put a big dent in those plans.
Mashable has contacted Samsung about these security issues and we will update the post if we hear from them.
UPDATE: April 5, 2017, 8:16 a.m. CEST A Samsung spokesperson got back to us with what is possibly the blandest response ever.
“Samsung Electronics takes security and privacy very seriously. We regularly check our systems and if at any time there is a credible potential vulnerability, we act promptly to investigate and resolve the issue. We continually provide software updates to consumers to safeguard their products. We are fully committed to cooperating with Mr. Neiderman to mitigate any potential vulnerabilities,” it said.