Not all efforts yield the desired product – and Samsung’s clearly aware of that maxim. It might be feeling a little raw learning of it firsthand, after the discovery of numerous vulnerabilities in its proprietary mobile-device operating system, Tizen.
Samsung started working on Tizen around 2013, with visible sincerity. The open source mobile operating system was being created as an alternative to Android, given that Samsung wanted to limit its dependence on Google and also increase profitability by reducing licence costs.
Apparently, this reliance will not end anytime soon, as Tizen has proved to be the embodiment of code-related vulnerabilities, the result of amateurish coding.
An Israeli researcher, Amihai Neiderman, revealed that he’d discovered as many as 40 vulnerabilities in the code base, which could easily be leveraged to break into and take control of Tizen-powered devices.
He said, “I found 40 bugs, and most of them look exploitable”.
At the Security Analyst Summit, Neiderman threw light on the issue saying, “It feels like 2005 in terms of the vulnerabilities I found”.
He kind of smashed another nail into the coffin when he added, “Tizen is not mature enough to be sent to the public like this. I found a few vulnerabilities in the first few hours of research. A dedicated Tizen researcher could find way more”.
Some of Tizen’s code has been taken from Bada, an older, more basic mobile operating system. Yet the problematic code seems to have been written over the last two years, and bears mistakes that the researcher says one would have expected ages ago.
Among the issues raised against Tizen: the communication setup is far from secure, data was found to be frequently transferred without protection, and hackers could potentially wrest total control of a Tizen-powered TV via TizenStore.
That’s not the worst of it.
One of the major errors in code could allow an intruder to install malicious code via the inbuilt update mechanism. And this could happen despite a built-in authentication programme (which is supposed to prevent such a thing from happening in the first place).
Neiderman has shown that the authentication system can be overridden.
In an interview with Motherboard, Neiderman said it appears that the code has been written by an undergraduate who has overlooked all the important security features.
The scary part is that Tizen-powered Samsung phones have been sold in India since 2015. Not only that, they’ve also reached Bangladesh and Nepal. Neiderman claims that Samsung has already added language support for Sri Lanka, South Africa, Nigeria, Kenya, Indonesia and Ghana. So there’s clearly a long-tail roll-out plan that Samsung has in mind for this platform.
Worse, Tizen already runs on around 30 million TVs!
What’s Samsung doing about this?
Well, initially, Neiderman only received an automated email response from Samsung when he wrote to them with his findings. After the report appeared in Motherboard, however, Samsung claims it is “fully committed to cooperating with Mr. Neiderman to mitigate any potential vulnerabilities”.
Clearly, Tizen is not ready to compete with Android. Until the code is fixed, Tizen is a hacker’s delight.