A security researcher is preparing to reveal 40 zero-day exploits that affect Samsung's Tizen operating system. Commenting on the finds, Amihai Neiderman said Tizen "may be the worst code I've ever seen," and went on to slate the code further, saying it looks like the handiwork of an undergraduate rather than that of someone with an understanding of security.
While the criticisms are harsh towards Tizen, it should be made clear that no software is ever perfect and there are always exploitable bugs in every nook and cranny. Samsung will be keen to ensure that it quickly patches the OS, though, because it powers 30 million TVs and hopes to run on 10 million Samsung phones by the year's end.
In an interview regarding the exploits, Neiderman said:
“It may be the worst code I've ever seen. Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software.”
So what exactly do the exploits allow for? Firstly, there are vulnerabilities that allow a hacker to control a device remotely, in what is known as remote code execution. Another exploit allowed Neiderman to hijack the TizenStore app and deliver malicious code to a Tizen device – namely his Samsung TV.
Last month, WikiLeaks released its first Vault7 leak which showed that the CIA could hack Samsung TVs and listen to conversations even if you thought the TV was switched off; there's every chance that the CIA used one of these newly uncovered vulnerabilities. Samsung has said that it's fully committed to working with Neiderman to fix the vulnerabilities.