Samsung’s plans to have 10 million smartphones running Tizen, an open-source operating system, may be delayed, as an Israel-based security researcher has uncovered 40 zero-day vulnerabilities that would allow anyone to remotely hack these devices and take control of them.
Speaking with Vice, Amihai Neiderman, head of research at Equus Software, said, “It may be the worst code I’ve ever seen.” He will talk in more detail about the security holes he discovered at Kaspersky Lab’s Security Analyst Summit on the island of St. Maarten on Monday.
One of the biggest security vulnerabilities relates to Samsung’s TizenStore app, Samsung’s version of Google Play. The app delivers apps and software updates to Tizen devices. Neiderman discovered a design flaw that allowed him to hack the software and deliver malicious code to his Samsung TV running Tizen.
After noticing the vulnerability in the TV software, he purchased dozens of Tizen smartphones to check if these security holes were also present in the handsets. He didn’t elaborate on whether he found the same flaws in these devices, but the Vice article seems to suggest that.
Neiderman says the problem is with the new code written for Tizen over the past two years. From his perspective, the mistakes are similar to those programmers were making twenty years ago, which indicates that Samsung lacks basic code development and review practices to prevent and catch such security flaws.
Neiderman reported these problems to Samsung months ago but received only automated replies. That changed just days ago, and after the Vice article went live Samsung sent a statement saying it is committed to cooperating with Neiderman to mitigate any potential vulnerabilities, but referred only to the SmartTV Bug Bounty program, which seems to suggest that the flaws are mostly related to Smart TVs. Still, Neiderman says, Samsung needs to reconsider deploying Tizen in phones before doing a major overhaul of the code.