Last month, the CIA got a lot of attention when WikiLeaks published internal documents purporting to show how the spy agency can monitor people through their Samsung smart TVs. There was a caveat to the hack, however—the hijack involved older models of Samsung TVs and required the CIA have physical access to a TV to install the malware via a USB stick.
But the window to this sort of hijacking is far wider than originally thought because a researcher in Israel has uncovered 40 unknown vulnerabilities, or zero-days, that would allow someone to remotely hack millions of newer Samsung smart TVs, smart watches, and mobile phones already on the market, as well as ones slated for future release, without needing physical access to them. The security holes are in an open-source operating system called Tizen that Samsung has been rolling out in its devices over the last few years.
Samsung has long sought to reduce its reliance on Google and Android to run its Galaxy smartphones and tablets and other devices. It already has Tizen running on some 30 million smart TVs, as well as Samsung Gear smartwatches and in some Samsung phones in a limited number of countries like Russia, India and Bangladesh—the company plans to have 10 million Tizen phones in the market this year. Samsung also announced earlier this year that Tizen would be the operating system on its new line of smart washing machines and refrigerators too.
"It may be the worst code I've ever seen."
But the operating system is riddled with serious security vulnerabilities that make it easy for a hacker to take control of Tizen-powered devices, according to Israeli researcher Amihai Neiderman.
"It may be the worst code I've ever seen," he told Motherboard in advance of a talk about his research that he is scheduled to deliver at Kaspersky Lab's Security Analyst Summit on the island of St. Maarten on Monday. "Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software."
All of the vulnerabilities would allow hackers to take control of a Samsung device from afar, in what's called remote-code execution. But one security hole Neiderman uncovered was particularly critical. It involves Samsung's TizenStore app—Samsung's version of Google Play Store—which delivers apps and software updates to Tizen devices. Neiderman says a flaw in its design allowed him to hijack the software to deliver malicious code to his Samsung TV.
Because the TizenStore software operates with the highest privileges you can get on a device, it's the Holy Grail for a hacker who can abuse it.
"You can update a Tizen system with any malicious code you want," he says.
Although TizenStore does use authentication to make sure only authorized Samsung software gets installed on a device, Neiderman found a heap-overflow vulnerability that gave him control before that authentication function kicked in.
Although researchers have uncovered problems with other Samsung devices in the past, Tizen has escaped extensive scrutiny from the security community, probably because it's not widely used on phones yet.
Neiderman, who is head of research at Equus Software in Israel, where he focuses on Android phone research, began analyzing the code eight months ago after purchasing a Samsung TV with Tizen installed on it. At the time Samsung was only installing the operating system on new televisions and smart watches and a limited line of smartphones sold in a few countries.
"You can update a Tizen system with any malicious code you want."
The first Tizen phones were sold in India, but have since expanded to South Africa, Nepal, parts of Africa and Indonesia, And there are signs that Samsung plans to soon sell Tizen phones in Latin America and the Middle East, parts of Europe, and eventually the United States. The company has also begun a push to expand the catalogue of Tizen applications by offering $10,000 to the developers with the 100 most downloaded mobile apps.
It didn't take long for Neiderman to notice how bad the Tizen code was on his TV, which caused him to purchase a few Tizen phones to see what he could do with them as well.
He says much of the Tizen code base is old and borrows from previous Samsung coding projects, including Bada, a previous mobile phone operating system that Samsung discontinued.
"You can see that they took all this code and tried to push it into Tizen," Neiderman says.
But most of the vulnerabilities he found were actually in new code written specifically for Tizen within the last two years. Many of them are the kind of mistakes programmers were making twenty years ago, indicating that Samsung lacks basic code development and review practices to prevent and catch such flaws.
One example he cites is the use of strcpy() in Tizen. "Strcpy()" is a function for replicating data in memory. But there's a basic flaw in it whereby it fails to check if there is enough space to write the data, which can create a buffer overrun condition that attackers can exploit. A buffer overrun occurs when the space to which data is being written is too small for the data, causing the data to write to adjacent areas of memory. Neiderman says no programmers use this function today because it's flawed, yet the Samsung coders "are using it everywhere."
He also found that the programmers failed to use SSL encryption for secure connection when transmitting certain data. They use it on some data transmissions but not others, and usually not on ones that need it most.
"They made a lot of wrong assumptions about where they needed encryption," he says, noting that "it's extra work to move between secure connections and unsecure connections." This indicates that they didn't do it inadvertently but were making conscious decisions not to use SSL in those places, he says.
Neiderman contacted Samsung months ago to report the problems he found but got only an automated email in response. When Motherboard contacted the Korean company, a Samsung spokesperson sent a boilerplate response via email: "Samsung Electronics takes security and privacy very seriously. We regularly check our systems and if at any time there is a credible potential vulnerability, we act promptly to investigate and resolve the issue."
After this article was published, the company sent another statement reading: "We are fully committed to cooperating with Mr. Neiderman to mitigate any potential vulnerabilities. Through our SmartTV Bug Bounty program, Samsung is committed to working with security experts around the world to mitigate any security risks."
Neiderman says he has been in contact with Samsung in recent days and shared snippets of the vulnerabilities he uncovered with the company. He also says Samsung needs to reconsider deploying Tizen in phones before doing a major overhaul of the code.
"Tizen is going to be Samsung's biggest thing. We might see the new Galaxies running Tizen, it could happen that soon. But right now Tizen is not safe enough for that."
Subscribe to pluspluspodcast, Motherboard's new show about the people and machines that are building our future.