An Israeli security researcher spent some time with the Samsung Tizen operating system and discovered it's a hacker's dream. Designed by Samsung as an Android replacement, the OS is used on millions of Samsung products including smart TVs, smart watches and some mobile phones.
Unfortunately, the Tizen code appears to be one giant mess. Amihai Neiderman, the head of Equus Software, told Motherboard it may be the worst code he's ever seen and that Tizen appears to have been created by a group of people with zero understanding of security.
"It may be the worst code I've ever seen," he told Motherboard in advance of a talk about his research that he is scheduled to deliver at Kaspersky Lab's Security Analyst Summit on the island of St. Maarten on Monday. "Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software."
Tizen has escaped the focus of the security community because it's not widely used. Neiderman began analyzing Tizen about eight months ago and he says he has already discovered a whopping 40 zero-day vulnerabilities in Tizen, including one that allows attackers to hijack the TizenStore app to deliver malicious code to a Samsung TV. Neiderman claims Samsung recycled a lot of bad code from previous projects like Bada, and notes the company seems to lack basic code development and review practices:
But most of the vulnerabilities he found were actually in new code written specifically for Tizen within the last two years. Many of them are the kind of mistakes programmers were making twenty years ago, indicating that Samsung lacks basic code development and review practices to prevent and catch such flaws.