The Code Running Millions Of Samsung Devices Is Full of Giant, Gaping Security Holes


The Internet of Things — the amorphous, rapidly-growing mass of devices that are always on and speaking to the great cloud — has never exactly been known for its great security practices. And according to one researcher, the system Samsung uses in everything from its TVs to its phones is “worst code I’ve ever seen,” containing multiple major vulnerabilities.

The researcher, based in Israel, is presenting his findings at a security analyst summit next week, Motherboard reports. Those findings include 40 so-called “zero day” vulnerabilities, previously undisclosed security holes a hacker could use to access Samsung devices.

The issue is the Tizen operating system Samsung has put in millions of devices. Tizen is basically an Android replacement, Motherboard explains, an open-source platform Samsung has been rolling out over the past few years.

You can’t use hardware without having software on it, and Samsung has been trying to use Tizen to reduce its heavy reliance on the Android platform, which belongs to Google. Having your own in-house platform can be cheaper and give you more control than relying on a third party, and so Tizen is now deployed in at least 30 million Samsung smart TVs, the Samsung Gear 2 smart watch, a solid 10 million phones sold largely in developing nations, and, soon, in washing machines and refrigerators as well.

Every last one of those devices is super vulnerable, the researcher explains.

All of the 40 vulnerabilities he identified can let a hacker remotely take over your device. That leaves a user subject to everything from ransomware attacks to spyware and data or identity theft.

One of the issues, though, struck the researcher as particularly bad: The TizenStore app, Samsung’s storefront for downloading and purchasing new apps, akin to Google Play or Apple’s App Store.

The TizenStore software lets a hacker who gets into it operate with the highest possible privileges available, Motherboard explains. Basically, if you get in there, you can then do whatever you want to the device you’re accessing, including installing any more malicious code you can think of.

Overall, Tizen “may be the worst code I’ve ever seen,” he told Motherboard. “Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software.”

The researcher said he contacted Samsung months ago to report the issues he found — before publishing them — but received only an automated email in reply.

Motherboard then also contacted Samsung, only to receive a standard “taking it seriously” response. However, after Motherboard published its story, Samsung reached out again to say it is “fully committed to cooperating” when it comes to security risks.

Samsung’s Android Replacement Is a Hacker’s Dream [Vice Motherboard]