Samsung's in-house OS is a security nightmare

Tizen makes a number of rookie mistakes.

Samsung's Tizen platform might give the company the technological independence it wouldn't have if it stuck to outside software like Android, but it's apparently a security disaster. Researcher Amihai Neiderman tells Motherboard he has discovered 40 unpatched vulnerabilities in Samsung's operating system, exposing many of its smartphones, smartwatches and TVs to remote attacks. Reportedly, it's the "worst code" the expert has "ever seen": it was designed by a team that had no real understanding of security concepts, and it makes mistakes that virtually anyone else would avoid.

A key example is the Tizen Store. While the portal does authenticate to make sure that you're only installing approved apps, there's an exploit that lets you take control before authentication kicks in, so the check arrives too late to matter. Use that and you can send whatever malware you want to a device. Samsung is also inconsistent in its use of encryption, often forgoing that protection at the very moment it's most needed. And did we mention that many of the flaws appear to have been introduced in the past 2 years, so they weren't just inherited from legacy code?

Neiderman says he disclosed the flaws to Samsung months ago, but didn't get more than an automated response until recently. The tech giant, meanwhile, says it's "fully committed" to working with the researcher and points to its SmartTV Bug Bounty program as an example of efforts it takes to patch holes. Don't be surprised if many of the immediate vulnerabilities are fixed before long. However, the findings suggest that the company also needs to rethink the very basics of Tizen's security strategy if it's going to keep you safe going forward.