SINT MAARTEN—Samsung’s Tizen operating system, a strategic stronghold for the company as it attempts to grow its line of homegrown mobile devices, isn’t such a vanguard when it comes to security.
An independent researcher has discovered dozens of vulnerabilities in the OS that puts devices such as mobile phones, smart TVs, home appliances and wearables at risk to attack.
“It feels like 2005 in terms of the vulnerabilities I found,” said Amihai Neiderman at the Security Analyst Summit. “Tizen is not mature enough to be sent to the public like this. I found a few vulnerabilities in the first few hours of research. A dedicated Tizen researcher could find way more.”
Under the hood, Neiderman said, Tizen is essentially Linux with some proprietary add-ons by Samsung around networking and messaging; it has the look and feel of Android on mobile devices.
“Samsung is gambling a lot of its success on Tizen,” Neiderman said. “They are laying the groundwork for greater expansion.”
While Android is still the primary OS for Samsung phones and tablets, Tizen is creeping on to more connected devices such as smart TVs, and will be at the core of an eventual Tizen-based phone built on Samsung hardware. If Samsung has plans to branch away from Google and compete with it and Apple for mobile share, it will do so on Tizen’s back.
The operating system’s security, however, may be an issue it needs to iron out first.
Neiderman said that there are zero CVEs for Tizen, and part of his intellectual curiosity around the OS was to be the first to be credited with one. He started with two Tizen-based phones he purchased on eBay from India. The phones are sold only in India, Bangladesh and Nepal for now, but Neiderman said Samsung has already added language support for Sri Lanka, South Africa, Nigeria, Kenya, Indonesia and Ghana.
Neiderman said that the Tizen store—Samsung’s version of Google Play—was the first worrisome area since its communication protocol contains a check called IsSecureConnectionNeeded?, and that not all messages are sent over SSL. He also found common programming vulnerabilities such as heap overflows, obsolete functions, failures to check array bounds, null dereferences, no stop conditions, no validations of return values and path traversal vulnerabilities. SQL injection vulnerabilities, however, were properly checked and prevented, the researcher said.
“Nobody even tried doing a proper code review to this code, if any was done at all,” Neiderman said.
“I found 40 bugs, and most of them look exploitable,” Neiderman said.
A request for comment from Samsung was not returned in time for publication.