Samsung Tizen: 40 Zero Days Found by Researcher
Samsung’s Tizen operating system has come in for strong criticism after a security researcher reportedly found as many as 40 zero-day bugs in it.
The Linux-based OS – which runs many of the Korean electronics giant’s smart TVs, smart watches and some smartphones – seems to be Samsung’s main IoT play.
Yet, according to Amihai Neiderman of Equus Software, it’s riddled with remote code execution flaws.
“Everything you can do wrong there, they do it,” he told Motherboard. “You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software.”
Most worryingly, some of the vulnerabilities found by Neiderman are buffer overflows stemming from misuse of the strcpy() function, which copies until it hits a terminating NUL and never checks the size of the destination buffer – a basic mistake that Samsung coders apparently made repeatedly.
In addition, certain data was transmitted without SSL/TLS encryption, exposing it to interception by potential attackers.
Samsung has apparently been in contact with Neiderman, whose first overtures he claimed were ignored.
The firm now says it is “fully committed to cooperating with Mr. Neiderman to mitigate any potential vulnerabilities”, although judging by the extent of the issues at play it may need more than a few patches to sort things out.
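To show the bug class the article describes, here is an added example (not Tizen code and not from the researcher): a hypothetical device-name setter written the unsafe way with strcpy(), beside two bounded replacements a reviewer would have insisted on. The struct, buffer size and sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* constructed buffer size for the example */

/* Hypothetical record: a fixed-size name followed by other fields that an
 * overflow of 'name' would clobber. */
struct device {
    char name[NAME_LEN];
    int  flags;
};

/* UNSAFE: strcpy() copies until the source NUL, ignoring the capacity of
 * d->name. Any src of NAME_LEN bytes or more writes past the buffer into
 * 'flags' and beyond (the pattern the article attributes to Tizen). Kept
 * here only for comparison; never call it on untrusted input. */
void set_name_unsafe(struct device *d, const char *src)
{
    strcpy(d->name, src);   /* BUG: no bound on dst */
}

/* Predicate a reviewer or fuzz harness can use: would strcpy() of src
 * (including its NUL) exceed a destination of dst_len bytes? */
int strcpy_would_overflow(size_t dst_len, const char *src)
{
    return strlen(src) + 1 > dst_len;
}

/* Hardened, reject-on-oversize: returns 0 on success, -1 if src (plus NUL)
 * does not fit. Nothing is written on rejection. */
int set_name_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)
        return -1;
    memcpy(dst, src, n + 1);   /* n+1 copies the terminator too */
    return 0;
}

/* Hardened, truncate-explicitly: snprintf() always NUL-terminates when
 * dst_len > 0. Returns 0 if copied whole, 1 if truncated, -1 on error, so the
 * caller can decide whether a truncated name is acceptable. */
int set_name_truncating(char *dst, size_t dst_len, const char *src)
{
    int r = snprintf(dst, dst_len, "%s", src);
    if (r < 0)
        return -1;
    return (size_t)r >= dst_len ? 1 : 0;
}

int main(void)
{
    struct device d = { {0}, 0 };
    const char *ok   = "living-room-tv";                    /* 14 chars: fits */
    const char *long_name = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 chars */

    printf("strcpy of %zu-byte name into %d-byte buffer overflows: %d\n",
           strlen(long_name), NAME_LEN, strcpy_would_overflow(NAME_LEN, long_name));
    printf("checked copy of short name: %d\n",
           set_name_checked(d.name, sizeof d.name, ok));
    printf("checked copy of long name: %d\n",
           set_name_checked(d.name, sizeof d.name, long_name));
    printf("truncating copy of long name: %d -> \"%s\"\n",
           set_name_truncating(d.name, sizeof d.name, long_name), d.name);
    return 0;
}
```

The checked variant is the right default when the name is a protocol field (oversize input is a sign of hostile or corrupt data and should be rejected, not silently shortened); the truncating variant is acceptable only where a shortened value is harmless and the caller actually looks at the return code.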
Security experts were quick to raise the alarm.
Giovanni Vigna, founder and CTO of Lastline, argued that commercial pressures have prevented proper checks for bugs in the code.
“This is another clear example of how the pressure to deploy software in the current consumer market can actually harm the security of systems,” he added.
“Security needs to be built-in and not be an afterthought, as it is much harder to fix something broken that has been deployed to millions of devices, than to deploy secure systems in the first place.”
Paul Calatayud, CTO of FireMon, added that the newly found bugs are especially concerning given that US intelligence agencies were also revealed to have been researching exploits in smart TVs.
“As a security practitioner, we often use Microsoft as a solid example of a company that places a sizable emphasis on product security. Operating systems are now being replaced by IoT devices, but the security programs are not keeping with the pace of innovation. The same can be said about the car, healthcare and other markets,” he argued.
“Home networks are becoming complex with consumer data and connected devices, but it's also important to note many of these consumer electronics also have a home in corporations: conferencing rooms etc.”
Source: Information Security Magazine