When Chris reviewed the Samsung Gear S3 last year he was fairly impressed with it but wished it ran Android Wear. Right about now, Samsung are probably thinking the same. An Israeli security researcher has found no less than 40 previously unknown zero-day security vulnerabilities in Tizen.
Yes, the heading says Gear S3 but that is not the only device running Tizen but it is the most relevant to us here at Ausdroid at the moment. The vulnerabilities affect all devices running Tizen including some Samsung phones, the Gear S2, the Gear Fit 2, Samsung TVs, etc. You get the picture, there are a lot of devices out there running Tizen.
At Kaspersky Lab’s Security Analyst Summit Israeli security researcher Amihai Neiderman said of Tizen:
It’s the worst code I’ve ever seen. Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software.
Wow. Neiderman found no less than 40 zero-day vulnerabilities that allow the hackers to take control of the Tizen devices (Gear S3 included) remotely. The worst vulnerability revolves around the Tizen Store because it has the most permissions on the device. The Tizen Store is used to push updates to devices thus needs to have these permissions.
The researcher found that he could update a Tizen system with any malicious code he wanted. He said that a lot of the Tizen code base is old and borrows from previous Samsung codes. Funnily enough though, most of the vulnerabilities were found in the Tizen code written specifically for Tizen in the last couple of years.
After ignoring the researcher after he contacted them (automated responses only), Samsung eventually started working with him on fixes once the article in Motherboard was published. It is a bit of a worry that Samsung seemingly did not care about a vulnerability until it become public and a PR nightmare (especially after the news that the CIA had managed to hack Samsung TVs recently).
This is bad news for Samsung as we all suspect they may want to eventually roll out Tizen to their Galaxy phones. They need a massive overhaul of Tizen it seems before proceeding any further with it. In the meantime maybe they could install Android Wear 2.0 onto the Gear S3. Wishful thinking?
They need to piss off Tizen and use Android Wear 2. As it is now, the Gear S3 can never be used for EFTPOS payments because no Aussie bank is going to allocate resources to accepting Samsung Pay when Android Pay already has the market. If they put Tizen on more phones those devices will also be locked out of the EFTPOS payment market.
If they switch to Tizen for their phones I’ll no longer be purchasing Samsung phones and that would be a shame.