Samsung Tizen OS: 40 new vulnerabilities


By Alex Drozhzhin

For several years the biggest smartphone developer, Samsung, has been heavily promoting the Tizen operating system. This experiment began in 2013, when the market saw two new Samsung cameras that worked on Tizen OS. Later, the company released smartwatches that were also based on Tizen.

Nowadays, tens of millions of devices, the vast majority of which are Smart TVs, use Tizen. It looks like Samsung is going to continue implementing and using the same OS in other consumer electronic goods, so this number will increase substantially quite soon.

It’s high time to ask: Is Tizen secure?

Here’s the answer: It isn’t. At all. At the Security Analyst Summit 2017 security expert Amihai Neiderman reported 40 zero-day vulnerabilities — yes, the unknown, unpatched vulnerabilities that are used to hack into the device and gain control over it. What’s especially nasty is that the list includes security holes in Tizen’s Store and the Tizen Browser. The Store has the highest privileges in the system, so the vulnerability in it can be used to push malware to Tizen devices.

“I found about 40 different bugs, most of them looked exploitable. It felt like 2005 in terms of the vulnerabilities I found: You open a book about vulnerability research, and it might be a first example you see,” says Neiderman. “Right now Tizen isn’t mature enough, isn’t ready enough to be sent to the public like this. If those vulnerabilities I found in a few hours of research, then somebody who’s really going to dedicate himself to be a Tizen researcher will find way more vulnerabilities.”

In 2015, the OS landed on smartphones, starting with the relatively cheap Samsung Z1 phone. In 2016 the Korean giant switched all of its smart TVs to Tizen. Finally, in 2017, during the Consumer Electronics Show, the company presented a washing machine, a refrigerator, and a vacuum cleaner, all working on Tizen.

(This post was first published on the Kaspersky Lab blog on April 5, 2017).