According to security researchers at the Kaspersky Security Analyst Summit this week, Tizen has more than 40 security vulnerabilities, all of which would allow an attacker to remotely access and gain control of the device to then do whatever they want – such as switching on cameras, accessing data or installing any other malicious software.
In the case of the Samsung TVs accessible by government agencies, physical access to the device is required; these Tizen holes, however, allow for remote access, and represent a potentially far larger long-term problem for the company.
If Tizen was only used on TVs, the amount of personal data potentially at risk – putting aside the risks of ransomware, for now – would be somewhat more limited, but as it’s used on Samsung’s flagship smartwatches, which link up with smartphones, the home of all your digital life, it’s more of a concern.
Still, smartwatch sales are relatively low in comparison to smartphones. Now imagine if the software had been rolled out on its flagship smartphones already. Android has its fair share of issues with security and privacy, but it’s a long way from “maybe the worst code I’ve ever seen”, which is how the researchers described Tizen to Motherboard.
The old and the new
Part of the problem with Tizen, they say, is that code has been lifted wholesale from Samsung’s abandoned Bada efforts. Most of the issues, however, are in new code written in the last two years, so they can’t be blamed on legacy code or on integrating it into a new platform.
“Everything you can do wrong there, they do it,” Amihai Neiderman, one of the researchers that found the flaws, said. “You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software.”
That’s a pretty damning statement about a platform that’s currently on Samsung’s freshly launched S3 smartwatches, as well as other models – and not to forget, TVs.
Samsung started building towards replacing Android back in 2010 with Bada, before merging that project into Tizen in 2012. Five years later, and seven years since Bada launched, Tizen is a far superior and more successful platform, yet Samsung still looks a long way off replacing Android on its smartphones for the foreseeable future.
Trust is tough to build and easy to lose in consumer electronics, and given last year’s Note 7 meltdown, Samsung is still putting out metaphorical fires – a security issue around its homegrown OS definitely isn’t going to help.
The company is relatively lucky that it doesn’t use Tizen on its smartphones yet – yes, yes, I know the Z1, Z2 and Z3 exist, but most people don’t, and the average buyer on the street almost certainly doesn’t. They probably don’t know what OS their TV uses, either.
Samsung’s taking the long, slow route with Tizen, so this latest news that the platform needs retooling to be more secure probably won’t make much of a difference to its timeline for device releases and updates; the last handset announced was the Z2 – the first 4G phone to run the OS.
While it might not make much of a difference to timelines, it’s not going to help sales of those shiny, new Gear smartwatches much and it’s a little disheartening to see so many zero-day vulnerabilities in a product that has been in development for at least five years.
Let’s just hope it’s not another five years before it’s really ready for smartphones, even if it’s never really going to replace Android on premium devices.
Would you consider a Tizen smartphone? Let us know in the comments below.