Security Researcher Says Samsung's Tizen OS Is The Worst Code He's Ever Seen (vice.com)

← Back to Stories (view on slashdot.org)

Security Researcher Says Samsung's Tizen OS Is The Worst Code He's Ever Seen (vice.com)

Posted by BeauHD on Tuesday April 4, 2017 @10:40AM from the bold-statements-and-accusations dept.

Samsung has been working on its Tizen operating system for several years now, implementing it into its various televisions and smartwatches. According to a report from Motherboard, the OS isn't receiving a lot of praise in the security department. Israeli researcher Amihai Neiderman has found 40 unknown zero-day vulnerabilities in Tizen, adding that it may be the worst code he's ever seen. From the report: "It may be the worst code I've ever seen," he told Motherboard in advance of a talk about his research that he is scheduled to deliver at Kaspersky Lab's Security Analyst Summit on the island of St. Maarten on Monday. "Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software." All of the vulnerabilities would allow hackers to take control of a Samsung device from afar, in what's called remote-code execution. But one security hole Neiderman uncovered was particularly critical. It involves Samsung's TizenStore app -- Samsung's version of Google Play Store -- which delivers apps and software updates to Tizen devices. Neiderman says a flaw in its design allowed him to hijack the software to deliver malicious code to his Samsung TV. Because the TizenStore software operates with the highest privileges you can get on a device, it's the Holy Grail for a hacker who can abuse it. Although TizenStore does use authentication to make sure only authorized Samsung software gets installed on a device, Neiderman found a heap-overflow vulnerability that gave him control before that authentication function kicked in. Although researchers have uncovered problems with other Samsung devices in the past, Tizen has escaped extensive scrutiny from the security community, probably because it's not widely used on phones yet.

13 of 109 comments (clear)

Min score:

Reason:

Sort:

Asian corporate culture... by Type44Q · 2017-04-04 10:46 · Score: 2

Asian corporate culture seems to get in the way of cranking-out good code; I wonder of that's because their management fails to realize that programming is as much an art as a science...
1. Re:Asian corporate culture... by Zaelath · 2017-04-04 10:55 · Score: 5, Insightful
  
  It's an engineering problem.
  Engineering proof of correctness: Does it work when I try to use it as designed?
  Security proof of correctness: Does it fail open when I try to use it not as designed?
  I've seen the same thing with firewalls; does it (the thing you're trying to access) work now? Ok the rules must be right then: "Allow any any" usually does it.
2. Re:Asian corporate culture... by GumphMaster · 2017-04-04 11:01 · Score: 2
  
  I suspect that hitting a price point and a market date, something not unique to Asian manufacturers, does far more damage than any regional corporate culture. Money spent on the Tizen OS, beyond something that works well enough to sell, makes Samsung no more money and gets funded accordingly (up-front and afterward to fix the mess).
  
  --
  Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
3. Re: Asian corporate culture... by Type44Q · 2017-04-04 11:11 · Score: 2
  
  That would certainly explain the "quality" of Microsoft products.
4. Re:Asian corporate culture... by gweihir · 2017-04-04 14:10 · Score: 2
  
  Actually, this is "bad engineering", because good engineering also looks at how it behaves under non-standard conditions and then you get security as a characteristic that can be tested and verified. I see the same thing when doing security evaluations and IT security engineering. People stop thinking when "it works" (not that many developers think a lot in the first place). A consequence is that you find, for example, all the "Web Application Worst Practices" in (custom) enterprise software. Add to that that management often stops funding when "it works" and hence cleanup is not performed at all, and you have a disaster in the making. Not that security is the only thing were this is going on. Performance, reliability, recovery from problems, documentation, maintenance, etc. are all done pretty badly and often with minimal or no understanding of what is important and what is not.
  A lot of that is due to "follow the ritual" (without understanding) mind-sets, were rituals are things like programming languages and paradigms, OSes, frameworks, interface technologies, etc. In the end, to an actual engineer, concrete technologies matter little (basically they can stand in your way more or less so and that may make them harder to use or even prevent reaching some goals, but that is it), what you do with them is all-important. Most developer these days seem to think that it is the opposite, i.e. just pray at the altar of the right tech and the result will be good. That is of course very far from the truth, and an approach that is is founded in belief, not observation of reality. It is religious in nature, not scientific. Until that changes fundamentally, the practice of creating software cannot be considered an engineering-discipline, although some people manage to use it as one even today. These people tend to not put up with bad working conditions, low salaries and incompetent bosses though.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Not surprised by gman003 · 2017-04-04 11:14 · Score: 5, Interesting

I was once asked by my boss to tinker with Tizen, see if it was usable, since a client was soliciting bids for an app they wanted to run on Samsung's smartwatch.
After a few day's experimentation, I reported that the Tizen SDK was basically unusable to write any app except the ones Samsung already wrote, and that the specific app the client was hoping for was literally impossible. The SDK itself was one of the worst programs I've used in many years - horrendously slow, crash-prone and cluttered in the way typical of early-00s Windows apps.
Needless to say, I am not surprised on multiple levels. First, that Tizen is insecure in addition to being slow and useless. Second, that nobody's taken a serious look at its security, since most people stop looking at it far before security starts to matter.
Embedded computing and security by Opportunist · 2017-04-04 11:25 · Score: 5, Interesting

Funny coincidence, I work in embedded in my spare time and am a security researcher by trade, so I think I can say with some confidence that they don't mix well. For many reasons.
First of all, there is no history of security in embedded. Because until very recently, there was absolutely no reason or need to even consider security an issue. You were dealing with closed, if not hermetically sealed systems. They could more often than not not even receive updates, let alone communicate with other embedded devices. Even "sophisticated" devices like TVs, not even talking about the "dumb" ones like washing machines or dishwashers. It's been only about a decade that TVs have a connection that's bidirectional. And "real" internet on TVs only arrived a generation of TVs ago.
And for all the other embedded gadgets, that whole "connectivity" thing is still very much bleeding edge.
And all that in devices for which until very recently, again, every byte mattered. Computer programmers are used to Mega- and Gigabytes of ram at their disposal, with embedded, you're in some areas still talking KB. Especially when it comes to low-cost devices where you can't just stuff in more ram and faster ICs because they'd simply cost too much. Yes, a part costing maybe a buck or two is "too expensive" here.
Put that together and add exactly ZERO experience with security among embedded developers (for all the reasons above) and you most likely understand why this is a HUGE problem that will bite us in the rear. Actually, it's already biting.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1. Re:Embedded computing and security by Snotnose · 2017-04-04 13:11 · Score: 3, Interesting
  
  Funny coincidence, I work in embedded in my spare time and am a security researcher by trade, so I think I can say with some confidence that they don't mix well. For many reasons.
  I beg to differ. I've been an embedded software engineer since the early 80s. In 2000 I got a contract from the guy who owned the George Foreman Grill. He wanted an appliance that would mount to the underside of kitchen cabinets, have internet, CD/DVD playback, HiFi quality sound, and connect to a recipe database via 802.11. One of the first things we worried about was security. 802.11 was new back then, nobody really knew how it would work out. The screen would fold down so the user could watch the videos.
  Security came up in every meeting. We knew about it, understood the risks, and didn't know what the hell to do but knew we needed to try.
  
  Project crashed and burned because he wanted to sell it for $999.95, and we couldn't get the BOM under $1k.
  
  Every project I've worked on since has had security as a high priority. Lessee, what have I done since then? Um, cellphone base station, cellphone games, electronic ticketing system (take a ticket, now serving #32, you have #38), automated IC testing, muxing MPEG2 streams from multiple satellites into a custom stream, cellphones. Every one of these security has been a top issue.
Enlightenment WM author ? by Hall · 2017-04-04 11:29 · Score: 3, Interesting

Going way to this site's "nerd" days, people should be familiar with the window-manager-then-a-desktop-environment-under-development-for-a-decade-and-a-half called Enlightenment. It's main developer - Rasterman - worked at Samsung and had a lot to do with this OS. I don't know if he's still involved or not but I haven't heard anything about this OS since he mentioned it years ago.
Similar experience by Ecuador · 2017-04-04 12:00 · Score: 4, Informative

Similar experience, I thought maybe I'd look up at Tizen apps "for fun" and after about a day or so I was certain it was not going to be any sort of fun! Well, unless S&M is your thing... And here is an educational article about the EFL libraries you get to use when designing native Tizen apps.

--
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
1. Re:Similar experience by TheRaven64 · 2017-04-04 21:34 · Score: 4, Informative
  
  Actually, the Daily WTF article is not particularly educational when it comes to EFL. It covers the obvious surface detail of what the developers do dangerously wrong. There are far worse things under the surface.
  I had a chat to some of the Enlightenment devs at FOSDEM a few years ago. They were very proud of their new object system and IDL, which they thought would make it easy to bridge higher-level languages with their libraries. Unfortunately, their IDL exposed C types and nothing but C types as arguments. Their example had a char* parameter and a char* return. I asked them a few questions:
  How do I know if it's and input or output (or both) parameter?
  Is its length another argument (and, if so, in what units) or is it NULL-terminated?
  Is there ownership transfer involved (i.e. is the caller still responsible for freeing the argument or does the callee take that responsibility? Is the caller responsible for freeing the return value and if so must they call free() or some other cleanup function)?
  Is this an array of bytes or a string (i.e. should I map it to a string or data object in another language), if it's a string, what encoding does it expect and is that a global property or specified explicitly?
  Apparently none of these questions had occurred to them and they didn't even understand why you'd want to know the answers to about half of them. The worst thing for me is that not only are these all important for bridging with higher-level languages, you need to know most of this information to be able to correctly use a C API, and they weren't putting it in the documentation and didn't even have consistent conventions (and therefore only need to document the exceptions). That was when I learned to avoid EFL like the plague. It may have improved since then, but I doubt it - good developers only reinvent the wheel after they've looked at existing ones and understood their flaws. The EFL developers are vaguely aware of square wheels and decided to try triangular ones as a replacement.
  
  --
  I am TheRaven on Soylent News
Tizen is summed up nicely by this TheDailyWTF post by fistacorpse · 2017-04-04 12:35 · Score: 5, Interesting

https://what.thedailywtf.com/t...
Re:This story seems suspicious by Megane · 2017-04-05 00:46 · Score: 2

This is Tizen, see above discussion about the TDWTF thread. The amazing part is that he found 40 of them without going insane. It may be fish in a barrel, but it's fish in a barrel made out of wood spat from the very mouth(s) of Cthulhu. That's how bad Tizen is.

--
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }