Equus Software security researcher Amihai Neiderman recently uncovered several major security flaws in Samsung’s Linux-based Tizen operating system, which the company uses in its Galaxy Gear smartwatches and Z1, Z2 and Z3 phones (as well as some refrigerators and TVs), Motherboard reports.
“It may be the worst code I’ve ever seen,” Neiderman told Motherboard, not pulling any punches. “Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software.”
Several vulnerabilities Neiderman found enabled remote code execution, and a heap overflow vulnerability allowed him to hijack Samsung’s TizenStore app to deliver malware to his Samsung television. “You can update a Tizen system with any malicious code you want,” he said.
Neiderman told Motherboard he contacted Samsung months to report the vulnerabilities, but only received automated responses.
Once Motherboard published its article, Samsung stated, “We are fully committed to cooperating with Mr. Neiderman to mitigate any potential vulnerabilities. Through our SmartTV Bug Bounty program, Samsung is committed to working with security experts around the world to mitigate any security risks.”
“Tizen is going to be Samsung’s biggest thing,” Neiderman said. “We might see the new Galaxies running Tizen, it could happen that soon. But right now Tizen is not safe enough for that.”
Building Security Into the Development Process
Rubicon Labs vice president Rod Schultz told eSecurity Planet that the vulnerabilities Neiderman uncovered are an example of what happens when security is addressed at the end of product creation. “For many years, security was viewed as a cleanup job that was done after a product was built, and for a long time that was okay,” he said.
But security flaws are now like weaknesses in bank vaults waiting to be attacked, Schultz said. “Security is hard because the tools and languages that exist to build software make it easy to make mistakes, and you must constantly evaluate the design and the implementation of software,” he said. “We are nowhere close to fixing this pandemic digital problem, but Samsung definitely has the resources, and now the motivation, to contribute to a long-term solution for IoT security.”
According to Skycure’s Mobile Threat Intelligence Report for Q4 2016, more than four times as many Android vulnerabilities were identified in 2016 than were discovered the previous year. “Almost half of those vulnerabilities allowed excessive privileges, while others allowed other bad effects like leaked information, corrupted memory, or arbitrary code execution,” the report states.
What’s more, according to the report, 71 percent of all Android devices in use on the five major U.S. carriers are running security patches that are more than two months old (despite the fact that Google releases Android security patches monthly), and six percent are running patches that are six or more months old.
“Malware, network attacks and advanced exploitation campaigns many times depend on unpatched vulnerabilities to be successful,” Skycure co-founder and CTO Yair Amit said in a statement. “It’s essential that users and companies know the moment that a device is able to remove these risks to reduce the window of vulnerability.”
Photo courtesy of Shutterstock.