It’s not just the CIA that supposedly has unfettered access to data collected by Samsung’s TVs, with a report now circulating claiming that there are around 40 vulnerabilities in the software used by the company’s range of smart TVs.

There are currently around 30 million TVs running the Tizen OS and Samsung has plans to ship 10 million phones running the software by year-end. That’s excluding the countless smartwatches currently on the wrists of consumers worldwide.

Samsung has prided itself on security in the past, promoting the gold standard in Android security with Samsung Knox. Unfortunately, it seems that the same consideration for security didn’t reach the team behind Tizen. Israeli researcher Amihai Neiderman claims that Tizen “may be the worst code” he’s ever seen.

“You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software,” he noted in an interview with Motherboard.

That’ll be a damaging blow to Samsung, which has had to contend with several scandals in recent months. It all began when the company’s line of Galaxy Note 7s suddenly began exploding, then the vice-chairman of Samsung Electronics was arrested in February over corruption, while the CIA’s reported back door into Samsung TVs concerned privacy advocates.

While the CIA exploit only affected older products and required physical access to the TV to install malware via a USB stick, the vulnerabilities identified by Amihai give hackers the ability to exploit Samsung’s TVs remotely. That means physical access is no longer necessary.

Amihai claims that he found more than 40 vulnerabilities lurking in the Tizen OS code. There was one notable issue that stood out to him, however, and that was all to do with the TizenStore app.

As the TizenStore app’s primary function is to allow users to install third-party software on their devices, it comes with almost limitless privileges – meaning any potential exploit can affect just about every aspect of the device. Unfortunately, Amihai says that there is an exploit present in the TizenStore app, allowing hackers to hijack the software and deliver malicious code to Samsung TVs.

TizenStore does have security protocols in place to ensure that only Samsung software can be installed on the device, although that can easily be circumvented according to Amihai. That’s thanks to a heap-overflow vulnerability that gives hackers control before any authentication takes place.
