
Israeli experts found 40 zero-day vulnerabilities in Samsung's Tizen OS



Over the past couple of years, the US National Security Agency (NSA) and the Central Intelligence Agency have attracted the attention of the entire IT community. As it turned out, both organizations are very actively engaged in cyber espionage, even within their own country. To do this they use sophisticated tools, holes in the protection of software and hardware, and in general anything that works. Information security specialists are now wary of hardware and software from a number of US companies, because there is a possibility that cyberspies have planted backdoors in the software of that equipment.

But intelligence services do not always need to put much effort into placing such loopholes in software or hardware. Some manufacturers do it themselves, and all that remains is to find the vulnerability. One example is Tizen, the operating system developed by the South Korean company Samsung. Israeli cybersecurity experts from Equus Software have discovered 40 zero-day vulnerabilities in this OS. In theory, this endangers millions of users of various Samsung devices: TVs, phones, tablets, smart watches and others.

Samsung is planning to ship more than 10 million Tizen-based devices to Russia, India and Bangladesh this year alone. In addition, the company plans to use this software platform for smart home appliances, including washing machines and refrigerators. So the joke about "hacking the refrigerator" is gradually becoming a reality.
Almost all of the detected vulnerabilities allow an attacker to remotely control a compromised device. An expert involved in the Tizen study says that all of the "holes" found in the Samsung software are dangerous, but one of them is the most critical. It affects the TizenStore application, Samsung's application catalog and an analogue of the Google Play Store, from which users of Tizen devices download additional software.

Since TizenStore has the highest level of access to the device, a hacker who knows about the "hole" in the application can do almost anything with a device on which the catalog is installed. Although TizenStore uses authentication, the experts say there is a way to take control of the device before the authentication procedure even starts.



It is worth noting that this is one of the first large-scale studies of Tizen. Previously, cybersecurity experts paid little attention to this OS because of its low prevalence. Now that Samsung is promoting Tizen, the operating system's popularity is growing, and the platform is accordingly attracting the attention not only of information security specialists but also of hackers. Equus Software decided to study Tizen 8 months ago, after the company bought a Samsung smart TV running this OS.

Initially, Samsung did not attach much importance to its operating system: the first phones with Tizen went on sale only in South Africa, Nepal and Indonesia. Now the South Korean corporation intends to offer its Tizen devices to Europeans and Americans as well.

Almost immediately after starting the study of the OS, the Israeli experts discovered many problems in the product's code. They therefore decided to purchase several more Tizen phones in order to analyze them. According to the project team, the Tizen code contains much material from other Samsung products, including the Bada OS, whose development and support have been discontinued.

However, most of the vulnerabilities are new: they are contained in code written specifically for Tizen over the past couple of years. Some of the problems are common programmer mistakes. Equus Software believes that the corporation does not review its code thoroughly enough and pays insufficient attention to cybersecurity. One of the shortcomings in the code of various Samsung software products is the widespread use of the problematic function strcpy(), which most modern developers avoid.
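As an added illustration of why strcpy() is considered problematic, the following is example code written for this summary, not Samsung's or Tizen's code: strcpy() copies until it finds a NUL terminator regardless of the destination size, so an over-long input silently writes past a fixed buffer. The hypothetical `copy_bounded()` below never writes beyond the destination, always NUL-terminates, and tells the caller when the input did not fit so it can be rejected; the package-id record is an invented consumer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded replacement for strcpy(): writes at most dst_size
 * bytes, always NUL-terminates dst, and returns false if src was truncated.
 * Example code added for illustration; not Samsung's or Tizen's code. */
bool copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || dst_size == 0 || src == NULL) return false;
    /* Scan for the terminator only within the space we are allowed to fill. */
    const char *nul = memchr(src, '\0', dst_size);
    size_t len = nul ? (size_t)(nul - src) : dst_size;
    if (len >= dst_size) {                 /* would not fit: truncate safely */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);             /* includes the terminator */
    return true;
}

/* Invented consumer: a fixed-size record holding an app-store package id.
 * With strcpy() an over-long id would overrun `id`; with copy_bounded() the
 * caller learns the input was rejected and can refuse it instead. */
#define PKG_ID_MAX 16
struct package { char id[PKG_ID_MAX]; };

bool set_package_id(struct package *p, const char *untrusted_id) {
    return copy_bounded(p->id, sizeof p->id, untrusted_id);
}

int main(void) {
    struct package p;
    const char *ok = "org.example.app";                    /* 15 chars, fits */
    const char *bad = "org.example.very_long_package_name"; /* constructed, too long */
    printf("%s -> %s\n", ok, set_package_id(&p, ok) ? "accepted" : "rejected");
    printf("%s -> %s\n", bad, set_package_id(&p, bad) ? "accepted" : "rejected");
    return 0;
}
```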

In addition, the company's programmers use SSL encryption only partially, and it often happens that in precisely those places where encryption is most critical, it is not used. "They make false assumptions when trying to choose where encryption is required," says cybersecurity expert Amihai Neiderman.



Upon learning of the problem, Samsung representatives said: "Samsung Electronics pays a lot of attention to security and privacy. We regularly check our systems and if we find a potential vulnerability, we immediately try to fix it."

Samsung is now actively working together with Neiderman to fix all the problems found.

Tizen is an open source Linux-based operating system. It is used not only by Samsung but also by Intel and a number of other companies. It brought together a number of solutions previously used in MeeGo, LiMo and bada, and supports hardware platforms based on ARM and x86 processors. It was first presented on September 27, 2011 by the LiMo Foundation and the Linux Foundation. The source code of Tizen 2.3 was published on February 9.

Source: https://habr.com/ru/post/402925/
