Researcher calls Samsung's Tizen OS "the worst code I've ever seen"
Samsung's Tizen operating system is a mess of zero-day exploitable security flaws, broken encryption, privacy issues and amateur-level coding mistakes, according to the findings of a security researcher participating in Kaspersky Lab's Security Analyst Summit.
Neiderman said Tizen may be "the worst code I've ever seen" after he examined the quality of Samsung's software used to power most of its Galaxy Gear-branded watches, Smart TVs, and some of its smartphones, cameras and home appliances.
He added, "everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software."
In particular, Neiderman called attention to the flawed implementation of Samsung's Tizen Store for downloading apps.
"You can update a Tizen system with any malicious code you want," he noted, as the store software itself runs with full device privileges that can be assumed by any process capable of taking control of it. Samsung's code was also reported to inconsistently use SSL encryption, enabling sensitive data to be sent in the clear.
Because Tizen isn't widely used outside of Samsung, security researchers haven't invested as much time looking at it as they do at more popular software, such as web browsers or the code in Android, Windows and iOS. A wide variety of exploits is commonly discovered and patched in software from all vendors. Devices that are not (or can't be) updated pose an additional problem.
Unlike Android phone buyers, many users running Tizen don't even realize they're running a flawed operating system that could expose their privacy or enable malicious users to spy on them.
Samsung is also making Android less secure
Samsung's poor track record for developing security software was previously on display at the introduction of its Android-powered Galaxy S8, which promoted a strangely ineffectual facial recognition unlocking feature that could be defeated with a simple photo of the user.
Other examples were also noted by Google's Project Zero team in an audit of Samsung's software added on top of Android in its Galaxy S6 phones. The group reported finding "a substantial number of high-severity issues" within just a week of looking.
"It was also surprising that we found the three logic issues that are trivial to exploit," the team noted. "These types of issues are especially concerning, as the time to find, exploit and use the issue is very short."
Ironically, Google had earlier turned to Samsung for assistance in shoring up Android's own security in order to make the platform more appealing to Enterprise users. Google's chief executive Sundar Pichai introduced Android 5 in 2014 with contributions from Samsung's Knox security software.
Android has its own problems
Similar egregious flaws have also been discovered in Android itself, including the improper escalation of privileges for system software, incorrect use of app signing encryption, the poorly designed storage of encryption keys that allow attackers to steal them and defeat Android's Full Disk Encryption, and of course, the StageFright vulnerability that enabled remote exploits via a single text.
In fact, Google's OS has earned such a bad reputation in security flaws and failing to protect the privacy of users that in 2015 the ACLU described the way Google leaves Android open to data collection and surveillance as a "digital security divide" and a human rights issue.
"Google has by far the best security team of any company in Silicon Valley," the ACLU's Chris Soghoian said, before also noting that "the security people I know at Google are embarrassed by Android."
Tizen's slow simmer inside Samsung
At the same time, Samsung has been trying for years to develop its own OS to reduce its dependence upon Google's Android, creating tension and friction between Google and the licensee that accounts for about half of all Android shipments.
Samsung first announced Bada in 2009, and shipped some smartphones running the software in 2011, hedging its bets the year Google attempted to buy its way into the consumer hardware business via Motorola Mobility.
By 2013, it was showing off Tizen, which folded its existing work on Bada into the abandoned ashes of MeeGo, a similar Linux-based mobile OS project that itself had merged Nokia's Maemo and Intel's Moblin.
Samsung's then-chief executive J.K. Shin outlined ambitious plans for Tizen, calling it more than a "simple alternative for Android" and describing a "cross-convergence" between various Samsung products, ranging from smartphones, PCs and cameras to connections with external devices in automotive, biotech and banking.
In 2015, Samsung announced that it "will be introducing a flood of devices running the Tizen," including the Samsung Z1 phone. The company stated that "Tizen constitutes a large and important part of our Internet of Things (IoT) strategy that encompasses all device categories across the company."
The same press release noted, "at Samsung, our IoT initiatives are being undertaken with foremost emphasis on openness. We want open platforms, and we also remain open to other operating systems. In doing so, we can ensure seamless interoperability and connectivity among the billions of devices being used daily."
While Samsung has struggled to find interest in Tizen-based smartphones outside of low-end models targeting India and Russia, it has used the software to break from Android in its Gear 2 watches starting in 2014, with incremental advancement into other products and home appliances.
However, the sloppy security and coding practices on display in Tizen, Android and Samsung's layers of software on top of Android all challenge the notion that the largest problems with Samsung's products are its batteries. They further erode confidence in its ability to handle tasks ranging from secure banking transactions to protection of personal health data, as well as safeguarding users from dangerous new vulnerabilities in IoT-enabled home sensors, locks and automotive systems.