Tizen, the operating system installed by Samsung on millions of smartphones, watches and other internet-connected devices like televisions and fridges, is deeply insecure, a cyber security researcher has claimed.
The software was found to have 40 unpatched vulnerabilities by a computer security analyst who described Tizen as potentially "the worst code I've ever seen."
The discovery comes in the wake of documents published by the whistleblowing organisation Wikileaks claiming the US Central Intelligence Agency (CIA) had monitored people through the cameras and microphones of their Samsung televisions.
But unlike the spy agency's need to have physical access to compromise the televisions and their Tizen software, Israel-based researcher Amihai Neiderman claims he has discovered ways to remotely hack into them.
He also claims the flaws he discovered are present in devices far newer than those exploited by the CIA, and believes the hacks could even be performed on Tizen devices yet to go on sale. Described in some quarters as Samsung's replacement for Google's Android, Tizen is set to appear on multiple new smartphones in 2017 and beyond.
Over 30 million smart Samsung televisions currently use Tizen, along with the company's recent Gear smartwatches and entry-level smartphones sold in Russia and India. Upcoming washing machines and smart fridges with touch screens will also be running Tizen.
Speaking to Motherboard ahead of a presentation about his research, Neiderman said of Tizen: "It may be the worst code I've ever seen... Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code and wrote it. It's like taking an undergraduate and letting him programme your software."
The researcher says he contacted Samsung "months ago" to report the problems but only received an automated reply. When contacted by Motherboard, which broke the news of Neiderman's research, Samsung said it "takes security and privacy very seriously. We regularly check our systems and if at any time there is a credible potential vulnerability, we act promptly to investigate and resolve the issue."
A Samsung spokesperson told IBTimes UK: "We continually provide software updates to consumers to safeguard their products. We are fully committed to cooperating with Mr. Amihai Neiderman, to mitigate any potential vulnerabilities. Through our Bug Bounty program and internal security safeguards, Samsung continuously patches any would-be vulnerabilities."
Neiderman, who is head of security at Equus Software in Israel, claims every one of the dozens of vulnerabilities he found would let a hacker take remote control of a device from afar, with no need for physical access via a malware-ridden USB stick. One, relating to the Tizen app store, let him deliver malicious code to his own Samsung television via an app he uploaded to the store.
This means a hacker could create an attractive, legitimate-looking application, convince the owner of a Samsung smart TV to download it, then issue an update to the app at a later date to inject malware into the TV, potentially taking control of it and of the camera and microphone normally used for Skype video calls. "You can update a Tizen system with any malicious code you want," Neiderman added.
Some of Tizen's code, Neiderman found, was inherited from Bada, an old Samsung mobile operating system which is no longer used, but other code was much newer and also badly written. It was also discovered that encryption was only used occasionally and often when it was least needed. "They made a lot of wrong assumptions about where they needed encryption," he said, adding: "Tizen is going to be Samsung's biggest thing. We might see the new Galaxy [smartphones] running Tizen, it could happen that soon. But right now Tizen is not safe enough for that."
Professor Giovanni Vigna, founder of cyber defense company Lastline, said: "It seems that Samsung, in its rush to come to market with a product to substitute Android, has not performed the relevant code analyses that would have prevented these flaws from being shipped with the Tizen OS."
Paul Calatayud, chief technology officer at FireMon, an IT firewall company, said: "This recent discovery of the level of details in code quality within Samsung is alarming given that recently it was also discovered the NSA was researching exploits against smart TVs to support various programs."