
Insecure Samsung Tizen is riddled with security flaws

In an interview with Motherboard, Israeli engineer Amihai Neiderman said Tizen “may be the worst code I’ve ever seen.” Neiderman found dozens of flaws in the inner workings of the platform, uncovering weaknesses that could let attackers take complete control.
The most serious of the issues concerns Samsung’s TizenStore app store. It allows Tizen-compatible devices to download and install app updates. TizenStore is granted the highest privileges offered by the Tizen system so any successful hijacking would give an attacker unlimited access. Inevitably, Neiderman found a critical flaw that facilitates the installation of malicious software to infect the core of Tizen appliances.
Neiderman managed to bypass Samsung’s authentication mechanism that ensures only approved software is installed. He discovered it’s possible to abuse the company’s badly written code to create a heap-overflow vulnerability, causing internal data structures to be overwritten. The authentication procedure ends up being skipped so the device will accept any update package.
“Everything you can do wrong there, they do it,” Neiderman said to Motherboard. “You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software.”
The discovery casts doubt on Samsung’s plans to promote its Tizen platform above alternative operating systems. Samsung intends to expand its use of Tizen over the next couple of years so that the OS reduces its reliance on Android devices.
Tizen is currently used on TVs, smartwatches and a limited number of smartphones. Samsung plans to use the OS on future ranges of Internet of Things appliances such as fridges and lighting systems.
Neiderman’s findings suggest Samsung is rushing Tizen development to meet these plans. The researcher said that much of Tizen’s code is borrowed from previous Samsung operating system projects that have since been abandoned or discontinued.
Even the new sections of code contain inexcusable weaknesses, though. Samsung’s development process appears to lack any substantial code review. Lines of code with security risks documented two decades ago were found in the source, such as the use of the string-copying function “strcpy()” that programmers now shun.
The function contains a well-known weakness: it copies until it reaches the end of the source string without checking the size of the destination buffer, so it can overwrite adjacent in-memory data. This led to its deprecation years ago. Modern software development tools even throw warnings when compiling code that includes strcpy(), alerting programmers that it shouldn’t be used. Despite this, strcpy() makes an appearance in multiple places throughout Tizen.
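To make the strcpy() problem concrete, here is an added example written for this article; it is not Tizen code and the record layout, field names and sizes are constructed. It places a fixed-size name buffer directly in front of a flag recording whether a package's signature check passed, shows the unbounded strcpy() pattern the article criticises, adds a check that computes how many bytes such a copy would spill past the buffer, and gives a bounded replacement that rejects oversized input instead of overwriting the neighbouring field.

```c
#include <stddef.h>
#include <string.h>

/* Constructed layout, not Tizen's: a fixed-size field followed by a flag
   that records whether the update package's signature check passed. */
#define NAME_LEN 16

struct update_meta {
    char name[NAME_LEN];  /* destination of the copy */
    int  verified;        /* lives immediately after the buffer in memory */
};

/* The unsafe pattern: strcpy() copies until it finds a NUL terminator and
   never looks at the destination size. A source of NAME_LEN or more bytes
   writes past `name` and into `verified` (undefined behaviour). Kept here
   for contrast only; never call it with untrusted input. */
void unsafe_set_name(struct update_meta *m, const char *src) {
    strcpy(m->name, src);
}

/* Number of bytes strcpy() would write beyond a buffer of `cap` bytes for
   `src` (the terminating NUL counts). 0 means the copy fits. */
size_t overflow_bytes(const char *src, size_t cap) {
    size_t needed = strlen(src) + 1;
    return needed > cap ? needed - cap : 0;
}

/* Hardened replacement: scans at most NAME_LEN bytes of the source (so an
   unterminated source cannot run the scan off the end either), refuses any
   name that would not fit with its terminator, and leaves the record
   untouched on rejection. Returns 0 on success, -1 if the input was rejected. */
int safe_set_name(struct update_meta *m, const char *src) {
    size_t n = 0;
    while (n < NAME_LEN && src[n] != '\0')
        n++;
    if (n == NAME_LEN)        /* no room left for the NUL terminator */
        return -1;
    memcpy(m->name, src, n);
    m->name[n] = '\0';
    return 0;
}
```

The hardened version is deliberately a rejection rather than a silent truncation: truncating a package name may still be harmless, but the same choice applied to a signature or a length field can produce a record that passes later checks with the wrong contents, so a copy that does not fit is best treated as invalid input.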
Samsung initially responded to Neiderman’s concerns with a generic email stating its commitment to building secure software. It has since clarified the action it’s taking in light of his report. The company will cooperate with Neiderman “to mitigate any potential vulnerabilities.” There’s no stated timeframe for when patches will be available.
