Researcher calls Samsung's Tizen OS "the worst code I've ever seen"

Posted:
in iPhone edited April 2017
Samsung's Tizen operating system is a mess of zero-day exploitable security flaws, broken encryption privacy issues and amateur-level coding mistakes, according to the findings of a security researcher participating in Kaspersky Lab's Security Analyst Summit.




Motherboard cited the scathing observations of Equus Software researcher Amihai Neiderman in a report by Kim Zetter.

Neiderman said Tizen may be "the worst code I've ever seen" after he examined the quality of Samsung's software used to power most its Galaxy Gear-branded watches, Smart TVs, and some of its smartphones, cameras and home appliances.

He added, "everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software.""You can see that nobody with any understanding of security looked at this code or wrote it."

In particular, Neiderman called attention to the flawed implementation of Samsung's Tizen Store for downloading apps.

"You can update a Tizen system with any malicious code you want," he noted, as the store software itself runs with full device privileges that can be assumed by any process capable of taking control of it. Samsung's code was also reported to inconsistently use SSL encryption, enabling sensitive data to be sent in the clear.




Because Tizen isn't widely used outside of Samsung, security researchers haven't invested as much time in looking at it as closely as they do more popular software, such as web browsers or the code in Android, Windows and iOS. A wide variety of exploits is commonly discovered and patched in software from all vendors. Devices that are not (or can't be) updated pose an additional problem.

Unlike Android phone buyers, many users running Tizen don't even realize they're running a flawed operating system that could expose their privacy or enable malicious users to spy on them.

Samsung is also making Android less secure

Samsung's poor track record for developing security software was previously on display at the introduction of its Android-powered Galaxy S8, which promoted a strangely ineffectual facial recognition unlocking feature that could be defeated with a simple photo of the user.

Other examples were also noted by Google's Project Zero team in an audit of Samsung's software added on top of Android in its Galaxy S6 phones. The group reported finding "a substantial number of high-severity issues," within just a week of looking.

"It was also surprising that we found the three logic issues that are trivial to exploit," the team noted. "These types of issues are especially concerning, as the time to find, exploit and use the issue is very short."

Ironically, Google had earlier turned to Samsung for assistance in shoring up Android's own security in order to make the platform more appealing to Enterprise users. Google's chief executive Sundar Pichai introduced Android 5 in 2014 with contributions from Samsung's Knox security software.

Android has its own problems

Similar egregious flaws have also been discovered in Android itself, including the improper escalation of privileges for system software, incorrect use of app signing encryption, the poorly designed storage of encryption keys that allow attackers to steal them and defeat Android's Full Disk Encryption, and of course, the StageFright vulnerability that enabled remote exploits via a single text.

In fact, Google's OS has earned such a bad reputation in security flaws and failing to protect the privacy of users that in 2015 the ACLU described the way Google leaves Android open to data collection and surveillance as a "digital security divide" and a human rights issue.

"Google has by far the best security team of any company in Silicon Valley," the ACLU's Chris Soghioan said, before also noting that "the security people I know at Google are embarrassed by Android."

Tizen's slow simmer inside Samsung

At the same time, Samsung has been trying for years to develop its own OS to reduce its dependence upon Google's Android, creating tension and friction between Google and the licensee that accounts for about half of all Android shipments.

Samsung first announced Bada in 2009, and shipped some smartphones running the software in 2011, hedging its bets the year Google attempted to buy its way into the consumer hardware business via Motorola Mobility.

By 2013, it was showing off Tizen, which folded its existing work on Bada into the abandoned ashes of MeeGo, a similar Linux-based mobile OS project that itself had merged Nokia's Maemo and Intel's Moblin.

Samsung's then-chief executive J.K. Shin outlined ambitious plans for Tizen, calling it more than a "simple alternative for Android" and describing a "cross-convergence" between various Samsung products ranging from smartphones, PCs, cameras, and connecting to external devices in automotive, biotech and banking.

In 2015, Samsung announced that it "will be introducing a flood of devices running the Tizen," including the Samsung Z1 phone. The company stated that "Tizen constitutes a large and important part of our Internet of Things (IoT) strategy that encompasses all device categories across the company."

The same press release noted, "at Samsung, our IoT initiatives are being undertaken with foremost emphasis on openness. We want open platforms, and we also remain open to other operating systems. In doing so, we can ensure seamless interoperability and connectivity among the billions of devices being used daily."




While Samsung has struggled to find interest in Tizen-based smartphones outside of low-end models targeting India and Russia, it has used the software to break from Android in its Gear 2 watches starting in 2014, with incremental advancement into other products and home appliances.

However, the sloppy security and coding practices on display in Tizen, Android and Samsung's layers of software on top of Android all challenge the notion that the largest problems with Samsung's products are its batteries, and further erode confidence in its ability to handle tasks ranging from secure banking transactions to protections of personal health data, as well as safeguarding users from dangerous new vulnerabilities in IoT-enabled home sensors, locks and automotive systems.
patchythepiratecapasicum
«1345

Comments

  • Reply 1 of 88
    Not a good day. If you're Samsung or Google, that is.

    Another exploit discovered is the one Apple literally just patched in 10.3.1 whereby the Broadcom WiFi chip could be hacked without any intervention by the user.

    Of course Google will patch it quickly. Just don't expect it to arrive on your device any time soon.
    chiamacseekermagman1979SolisockrolidstarwarsRayz2016caliRacerhomieXcapasicum
  • Reply 2 of 88
    zoetmbzoetmb Posts: 2,656member
    Well..Samsung is the company that made a washing machine that caught fire, which I would think would be hard to accomplish.    So what do you expect?   

    sockrolid[Deleted User]palominecalipatchythepiratejbdragoncapasicumlostkiwiwatto_cobracornchip
  • Reply 3 of 88
    davendaven Posts: 731member
    Not good. I was hoping Samsung would be able to use Tizen to fragment the Android market. Looks like they have a lot of work to do.
    sockrolidcapasicumStevenSterkwatto_cobracornchip
  • Reply 4 of 88
    sflocalsflocal Posts: 6,136member
    No software engineers worth anything would even remotely consider ever working for Samsung.  That sham of a company can only hire coders that basically have no real path to greatness.  Those that do show hope would take the next job at a more glamorous "hip" company.  Even I knew Tizen was a wretched mess from the get go.

    Have reviewers did the same for Samsung's KNOX code?  I do know that KNOX failed to be as secure as Samsung's marketing machined claimed, but I wonder if the coding in that system was of the playschool-variety as Tizen.

    Samsung just keeps digging its own hole so much deeper.
    anton zuykovericthehalfbeesockrolidmacpluspluscalicapasicumwatto_cobracornchipjony0
  • Reply 5 of 88
    stanthemanstantheman Posts: 332member
    Don't do evil: "In 2015 the ACLU described the way Google leaves Android open to data collection and surveillance as a 'digital security divide' and a human rights issue."
    sockrolidpatchythepiratecapasicumwatto_cobracornchip
  • Reply 6 of 88
    SoliSoli Posts: 10,038member
    Not a good day. If you're Samsung or Google, that is.

    Another exploit discovered is the one Apple literally just patched in 10.3.1 whereby the Broadcom WiFi chip could be hacked without any intervention by the user.

    Of course Google will patch it quickly. Just don't expect it to arrive on your device any time soon.
    That's always the rub with Android. Many things are patched, but getting the patch in a timely manner (or at all) is a constant issue. Apple did right by starting off by detaching the iPhone and its OS from the carrier, but even if Google had done that there would still be vendor issues for Android users to contend with.

    I wonder how how long that issue has been exploitable in the wild and if we'll find out years from now it was used extensively by various gov't agencies.
    sockrolidcapasicumwatto_cobracornchip
  • Reply 7 of 88
    SoliSoli Posts: 10,038member
    Even if Tizen is crap, I still applaud Samsung for working on their own OS. I've been saying since at least the 1990s that WinPC vendors should've been working on developing their own OSes so that they would have a chance to get out from under Microsoft's thumb or be ready for any paradigm shifts in the market that may come about.
    sockrolidmaciekskontaktcapasicumcornchip
  • Reply 8 of 88
    sockrolidsockrolid Posts: 2,789member
    I played with a Tizen-driven Samsung phone prototype about 3 years ago.
    It looked and worked like a bad clone of PalmOS 4.0.  Just awful.  
    Good luck with that, Sammy.
    watto_cobra
  • Reply 9 of 88
    john.bjohn.b Posts: 2,742member
    IoT devices are the absolute worst places to deploy an insecure mini-OS, due to how difficult patching those devices will turn out to be.
    watto_cobracornchip
  • Reply 10 of 88
    sflocalsflocal Posts: 6,136member
    Soli said:
    Not a good day. If you're Samsung or Google, that is.

    Another exploit discovered is the one Apple literally just patched in 10.3.1 whereby the Broadcom WiFi chip could be hacked without any intervention by the user.

    Of course Google will patch it quickly. Just don't expect it to arrive on your device any time soon.
    That's always the rub with Android. Many things are patched, but getting the patch in a timely manner (or at all) is a constant issue. Apple did right by starting off by detaching the iPhone and its OS from the carrier, but even if Google had done that there would still be vendor issues for Android users to contend with.

    I wonder how how long that issue has been exploitable in the wild and if we'll find out years from now it was used extensively by various gov't agencies.
    The makers of Android phones have zero incentive to pour time and resources to implement patches on "old" phones.  They make their money on selling phones.  Once that phone is purchased, that customer is gone until it breaks.  There's no revenue stream really for the manufacturers once the phone is sold.

    That's the beauty of iPhones.  So long as the hardware can (decently) run the latest OS, Apple will support it.  That's the key thing that fandroids continue to be in denial with.

    calistarwarsStrangeDaysbrucemccapasicumlostkiwiStevenSterkwatto_cobracornchip
  • Reply 11 of 88
    Rayz2016Rayz2016 Posts: 6,957member
    So, Samsung designs software with the same thought and attention to detail they apply to the design of phone internals. 

    Who knew?

    After thousands of their customers have their finance details stolen, I suppose the U.K. will be subjected to months of propaganda advertising showing people using Samsung devices "safely". 
    edited April 2017 watto_cobracornchip
  • Reply 12 of 88
    iqatedoiqatedo Posts: 1,837member
    Soli said:
    Even if Tizen is crap, I still applaud Samsung for working on their own OS. I've been saying since at least the 1990s that WinPC vendors should've been working on developing their own OSes so that they would have a chance to get out from under Microsoft's thumb or be ready for any paradigm shifts in the market that may come about.
    Given the sophistication and complexity of iOS, MacOS and Windows, is it possible for anyone to create a competitive OS from scratch... or will quantum computing and AI obviate all current and future offerings?
    palominewatto_cobra
  • Reply 13 of 88
    waits for mainstream media to run anti-samsung/android security scare stories... oh, nothing? if this were apple, they'd be "doomed".
  • Reply 14 of 88
    palegolaspalegolas Posts: 1,362member
    Ouch..
    watto_cobra
  • Reply 15 of 88
    iushnt1iushnt1 Posts: 12member
    adm1 said:
    waits for mainstream media to run anti-samsung/android security scare stories... oh, nothing? if this were apple, they'd be "doomed".
    No need to wait. Already out everywhere including here.
  • Reply 16 of 88
    frantisekfrantisek Posts: 761member
    Good to know that I have to look for another TV. Thanks God this was a present.
    caliwatto_cobra
  • Reply 17 of 88
    gatorguygatorguy Posts: 24,651member
    *Sigh*  And the Stagefright FUD rolls on. So much for honesty. Quoting the ACLU as your source of security news is a nice touch too. 

    Only at AI does every discussion of any OS (this one was supposedly Tizen) somehow morph into "yeah but... but... ANDROID!". There's nearly as much discussion about them as iOS here on some days. Weird. Well maybe not when certain editors seem to have a fixation with them. Must be slow on the Apple news front at the moment. 
    edited April 2017 calibrucemcsingularity
  • Reply 18 of 88
    gatorguygatorguy Posts: 24,651member
    Not a good day. If you're Samsung or Google, that is.

    Another exploit discovered is the one Apple literally just patched in 10.3.1 whereby the Broadcom WiFi chip could be hacked without any intervention by the user.

    Of course Google will patch it quickly. Just don't expect it to arrive on your device any time soon.
    You neglected to thank Google for discovering it and letting Apple know. 
  • Reply 19 of 88
    palominepalomine Posts: 363member
    zoetmb said:
    Well..Samsung is the company that made a washing machine that caught fire, which I would think would be hard to accomplish.    So what do you expect?   

    Ha haha well, when you put it that way...
    thank you for a badly needed chuckle this morning.
    watto_cobra
  • Reply 20 of 88
    xbitxbit Posts: 399member
    sflocal said:
    No software engineers worth anything would even remotely consider ever working for Samsung.  That sham of a company can only hire coders that basically have no real path to greatness.  Those that do show hope would take the next job at a more glamorous "hip" company. 
    What are you basing those statements on? Samsung aren't primarily hiring their coders from the Silicon Valley but from the Republic of Korea. Despite its problems, many Koreans want to work for Samsung. And, once they join Samsung, they're incredibly loyal. 

    Talent isn't the problem, it's a cultural problem.

    (I say this as someone who spent a few years doing software consultancy with Samsung)
    cornchip
Sign In or Register to comment.