Skip to main content

Security expert: Samsung's Tizen operating system is a hacker's dream

tizen security multiple exploits os samsung suwon south korea 4 1500x1000
Image used with permission by copyright holder
Tizen, Samsung’s open-source operating system, is riddled with vulnerabilities. That’s according to Motherboard, which spoke with an Israel-based Tizen security expert.

Samsung’s Tizen contains as many as 40 unknown bugs, or zero-days, that could allow a cyber criminal to hack devices without needing to physically access them. “It may be the worst code I’ve ever seen,” Amihai Neiderman, a Kaspersky Labs researcher, told Motherboard. “Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it.”

One security flaw involving TizenStore, Tizen’s app store, could let a hacker pack malicious code with a software update. TizenStore takes measures to ensure that only verified software is installed on Tizen devices, but those measures can be overridden. “You can update a Tizen system with any malicious code you want,” said Neiderman.

Another flaw exploits buffer overrun, a condition that occurs when the space to which data is being written is too small for the data. Tizen’s protections against it are insufficient, Neiderman said.

And Tizen failed to use encryption for secure connections when transmitting certain data. “They made a lot of wrong assumptions about where they needed encryption,” Neiderman told Motherboard.

The problem stems in part from unwieldy code. Neiderman told Motherboard that much of the Tizen code base is old and borrows from previous Samsung projects, including Bada, a discontinued mobile phone operating system. “You can see that they took all this code and tried to push it into Tizen,” he said.

That’s bad news. Samsung, in a long-running effort to reduce its reliance on Google’s Android operating system, is shipping a growing number of devices with Tizen.

“Tizen is going to be Samsung’s next biggest thing. We might see the new Galaxies running Tizen, it could happen that soon. But right now Tizen is not safe enough for that.”

Tizen powers more than 30 million of the company’s smart TVs, tens of millions of Samsung Gear smartwatches, and prototypical smart washing machines and refrigerators. And it’s in smartphones as well. Samsung has Tizen running on phones in countries like Russia, India, and Bangladesh, and plans to have 10 million Tizen phones in the market this year.

Samsung told Motherboard that it’s working with Niederman to address the bugs. “We are fully committed to cooperating with Mr. Neiderman to mitigate any potential vulnerabilities. Through our SmarTV Bug Bounty program, Samsung is committed to working with security experts around the world to mitigate any security risks.”

Editors' Recommendations

Kyle Wiggers
Former Digital Trends Contributor
Kyle Wiggers is a writer, Web designer, and podcaster with an acute interest in all things tech. When not reviewing gadgets…
Operation Shush: The rise and fall of Samsung’s unloved Bixby assistant
Bixby Galaxy S21 Trending

There’s a silent campaign -- let's call it Operation Shush -- to stop you from using Bixby on your Samsung phone. The virtual assistant was once heralded as the future of control for connected Samsung devices, and the answer to Apple’s Siri and Google's Assistant. Today, just like the Galaxy Home — a Bixby-focused product that has never been released — Bixby isn’t mentioned much at all, almost as if it’s hoped we forget it ever existed.

What happened? And does Bixby deserve to be silenced?
Lofty expectations
“The possibility of what Bixby can become is endless,” Injong Rhee, Samsung’s head of research and development, wrote in the original 2017 announcement, arguably setting Bixby up for failure right from the start. We were told Bixby was “a new intelligent interface on our devices” and “fundamentally different from other voice agents or assistants in the market.”

Read more
There’s a major Android bluetooth security flaw. Here’s how to fix it

Looks like it's time to check if you have an Android security update available to your phone. A new security flaw has been discovered in Android -- and this time, it uses Bluetooth to allow access to your phone.

The flaw, called BlueFrag, takes advantage of Bluetooth in Android 8 and 9, and it basically allows hackers to execute code on your device. The result? Hackers can fully access anything stored on your phone, and install malware without your knowledge.

Read more
The Galaxy Watch Ultra may have one of the best smartwatch displays ever
Samsung Galaxy Watch 7 Ultra with a square dial leaked render.

The anticipated launch of the Samsung Galaxy Watch Ultra -- along with the company's rumored Galaxy Ring, Galaxy Buds 3, Z Fold 6, and Z Flip 6 -- is just weeks away, but that hasn’t stopped leaks from continuing to trickle in. The latest comes from kro_roe on X (formerly Twitter) and claims that the Galaxy Watch Ultra is expected to feature an anti-reflective coating on its display.

Read more