Samsung’s Linux Based Tizen OS Is A Security Nightmare

Samsung has been working on Tizen for the last couple of years to be a replacement for Android. However, it appears that the work they’ve been doing is very poorly done.

What is Tizen?

Tizen OS Open Source Mobile Operating System

Tizen is a Linux-based open source mobile operating system that has been around for 5 years. Around 2013, Samsung began development in Tizen in earnest. The goal was to create a viable alternative to Android.

Samsung wants an Android alternative because of Google’s bully-like relationship with device makers. While Android may be free and open source, the Google apps that come on Android devices (and customers can’t live without) are closed source. If device makers want access to the Google apps, they have to join the Open Handset Alliance. The members of the OHA are “contractually prohibited from building non-Google approved devices”.

In fact, this is what Google had to say in a blog post:

While Android remains free for anyone to use as they would like, only Android compatible devices benefit from the full Android ecosystem. By joining the Open Handset Alliance, each member contributes to and builds one Android platform—not a bunch of incompatible versions.

So essentially, Samsung wants a way to continue making money if they have a falling out with Google or Google just goes away.

Lots of Security Issues

Tizen OS Security issues

While Samsung might have good intentions, they have quite a bit of work ahead of them. Recently, Israeli researcher Amihai Neiderman revealed that Tizen is full of security holes. In fact, he revealed that he had discovered 40 previously unknown vulnerabilities that would allow a hacker to take over and Tizen-powered device.

Neidermen stated, “It may be the worst code I’ve ever seen. Everything you can do wrong there, they do it.”

Quite a bit of the Tizen code base is taken from several previous Samsung projects, including a previous mobile operating system named Bada. However, most of the bad code was written in the last two years and contains mistakes that were common twenty years ago.

Another of the problems discovered was that Tizen’s built in app store operated at the highest privilege level. This would allow a hacker to deploy malicious code via the update mechanism. While Tizen has an authentication program built int to prevent this, Neidermen was able to find another vulnerability that gave him control to override the authentication system.

There was also an issue with how communications were secured. Sometimes SSL was used and sometimes not. Often, data was transferred without protection.

How Many Affected?

Thankfully, Tizen has only seen a small deployment thus far. There are currently 30 million smart TVs powered by Tizen, as well as, a number of phones and smartwatches. Most of the phones and watches were sold in India and Russia. At CES 2017, Samsung revealed plans to launch a series of Tizen-powered Internet of Things (IoT) devices, including the Family Hub 2.0 smart refrigerator and the Intelligent Washing machine. Tizen is also available for Raspberry PI.

IoT Security Problems (and a Solution?)

IoT Security funny
Image courtesy: Klossner

As IoT becomes more advanced and more tightly woven into daily life, security must become a priority. Unfortunately, thousands of devices are open to attack. Back in 2013, a white hat hacker named Billy Rios discovered that internet connected medical devices in hospitals, such as infusions pumps or heart monitors were open to attack from hackers. In one instance, a patient’ personal information was discovered on the hard drive of a blood gas analyzer.

Besides identity theft, there is also the worry that hackers could turn unsecured IoT devices into their own bot network. A hacker could use this low-powered bot network to take down websites with denial of service attacks, basically overwhelming servers with too much traffic.

Tech journalist Bob Cringely has a solution to the threat of an undead IoT botnet. He suggests creating a separate protocol that allows IoT devices to address one another but makes them unable to interfere with or even see ordinary Internet traffic. Basically, information packets for bother IoT devices and the regular Internet would pass each other, unaware of the existence of each other. There would be a few gateways between the two groups to allow them to communicate and share information, but not do anything malicious.

Final Thoughts

To paraphrase Full Metal Jacket, Samsung has a major malfunction on their hands. Their Android killer is a hacker’s paradise.

It seems like Samsung is sending mixed signals. They’re positioning Tizen to be an Android replacement on phones, watches, and beyond. But on the other hand, their latest version is full of vulnerabilities and poorly written code. It seems like they got so used to someone else creating the operating system that they can’t deliver competent code.

The question is: Are they really interested in delivering an operating system or is Tizen just supposed to be a stick to hold over Google’s head’?

Personally, I’d like to give Tizen a try because I like playing with new things, but I’ll put that on hold for a while until they get their code problems fixed.

Have you used Tizen? What do you think of this news?

If you found this article interesting, please share it with your friends and family on your favorite social media sites.

Add comment

E-mail is already registered on the site. Please use the Login form or enter another.

You entered an incorrect username or password

Sorry that something went wrong, repeat again!

3 comments

by Newest
by Best by Newest by Oldest

I'm very unimpressed with Tizen. Forcing customers to use Facebook and its equally pernicious Messenger, as well as Twitter is just not a smart thing. I'm sad to hear Ubuntu just stopped its smartphone OS development and I can only hope Firefox will manage to do something. We need a Debian-like smartphone OS.

Is there a firewall you can run on Tizen?

I can't believe I have to look into rooting my phone! Samsung, get your acts together. Spying on your clients with your TVs and shoddy coding is sub-par for the money you ask.

Firefox can't do anything, they shut down FirefoxOS because it couldn't make money.

use me usee meeeeee