Samsung Gear S3 software, Tizen, is said to be riddled with security holes. Security researcher Amihai Neiderman has found 40 unknown zero day security vulnerabilities in Tizen, the operating system Samsung uses to power its Samsung Gear S3 smartwatch, TVs and many other electronics.
It’s the worst code I’ve ever seen, Neiderman told Motherboard in advance of a talk about his Tizen research at Kaspersky Lab’s Security Analyst Summit.
Samsung Gear S3 Frontier gets an update: Add ‘Jansky Wearable’ Feature
The whole thing you can do wrong there, they do it. You can see that nobody with any considerate of security looked at this code or wrote it. It’s like taking an apprentice and letting him program your software.
All 4o vulnerabilities would supposedly allow hackers to take control of Gear S3 smartwatches such as the Gear S3 and other Tizen-powered Samsung devices remotely.
The worst of them, according to Neiderman, revolved around the Tizen Store, which Samsung uses to push updates to devices and act as an app store.
Because Tizen Store requires the highest user permissions on a device, exploiting its vulnerabilities makes it a juicy target for hackers.
Neiderman was able to exploit a Tizen Store flaw that allowed him to take control of the store prior to its authentication process, enabling him to deliver wicked code to his TV.
While Neiderman focused his research efforts on phones and TVs, Tizen’s vulnerabilities extend to Samsung Gear S3 smartwatches.
The Tizen Store framework is used to allow Gear users to download apps and receive updates for their smartwatch.
Other major flaws include a failure point where Tizen can’t check whether there’s enough storage space to write new data and a lack of SSL encryption when transmitting data.
While Neiderman notes that some of Tizen’s code is from Samsung’s failed Bada operating system, most of the vulnerabilities are from code written in the past two years.
Samsung says it’s “fully committed” to working with Neiderman to fix any vulnerabilities, and Neiderman himself says he’s been in contact with Samsung, sharing “snippets” of the vulnerabilities with the company.
The Tizen Vulnerability news comes on the heels of news that the CIA allegedly hacked Samsung Tv, potentially allowing the government agency to listen in and capture conversations.
While it’s a good thing that Samsung is made aware of these vulnerabilities, so that it can work on fixing them, it’s a bit alarming that its flagship line of smartwatches is vulnerable.