Samsung
Over the past couple of years, the attention of the IT community has been drawn to the US National Security Agency (NSA) and the Central Intelligence Agency of the same country. As it turned out, both organizations are very actively engaged in cyber espionage, even within their own country. To do this, they use complex tools, holes in the protection of software and hardware, and generally whatever is possible. Information security specialists are now wary of hardware and software from a number of US companies, since there is a possibility that the software in the equipment contains loopholes placed there by cyber-spies.
But intelligence agencies do not always need to make significant efforts to place such loopholes in software or hardware. Some manufacturers do this themselves, and then all that remains is to find a vulnerability. An example is the operating system Tizen, developed by the South Korean company Samsung. Cybersecurity specialists from Israel, representing the company Equus Software, found 40 zero-day vulnerabilities in this OS. In theory, all this jeopardizes millions of users of various Samsung devices: televisions, phones, tablets, smartwatches and others.
In Russia, India and Bangladesh alone, Samsung plans to ship more than 10 million Tizen devices this year. In addition, the company plans to use this software platform for smart home appliances, including washing machines and refrigerators. So the joke “hack the refrigerator” is gradually becoming reality.
Almost all of the vulnerabilities found allow an attacker to remotely control a compromised device. The expert who researched Tizen says that all the “holes” found in Samsung software are dangerous, but one of them is the most critical. It affects the TizenStore application, Samsung's app catalog and counterpart of the Google Play Store, from which users of Tizen devices download additional software.
Since TizenStore has the highest level of access to the device, an attacker who knows about the “hole” in the application can do almost anything with a device on which the store is installed. Although TizenStore uses authentication, the experts say there is a way to take control of the device even before the authentication procedure is started.
It is worth noting that this is one of the first large-scale studies of Tizen. Previously, cybersecurity specialists did not pay much attention to this OS because of its low prevalence. Now that Samsung is promoting Tizen, the popularity of the operating system is growing, and accordingly the platform attracts the attention not only of information security professionals but also of attackers. Equus Software decided to study Tizen 8 months ago, after the company bought a Samsung smart TV running this OS.
Initially, Samsung did not attach too much importance to its operating system. So, the first phones with Tizen went on sale only in South Africa, Nepal, Indonesia. Now, as indicated above, the South Korean corporation is going to offer its Tizen devices to Europeans and Americans.
Almost immediately after starting to study the OS, the Israeli experts discovered many problems with the product's code. They therefore decided to buy more and more Tizen phones to analyze. According to the project team, the Tizen code contains a lot of code carried over from other Samsung products, including Bada OS, whose development and support has been discontinued.
However, most of the vulnerabilities are new: they are in code written specifically for Tizen over the past couple of years. Some of the problems are ordinary programmer errors. Equus Software believes that the corporation does not check its code carefully and pays insufficient attention to cybersecurity. One of the drawbacks of the code in various Samsung software products is the ubiquitous use of the problematic function strcpy(), which most modern developers avoid.
In addition, the company's programmers use SSL encryption only partially, so that in precisely those places where encryption is most critical it is absent. “They make false assumptions, trying to choose where to encrypt,” says cybersecurity expert Amihai Neiderman.
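To illustrate why the article singles out strcpy(), here is an added example (not Samsung's or Tizen's code) of the unbounded pattern next to a bounded replacement; the struct, field size and sample inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* A fixed-size field such as a package name parsed from an app-store
 * response. Constructed example; not taken from Tizen. */
#define NAME_MAX 16

struct record { char name[NAME_MAX]; };

/* Returns 1 if strcpy(dst, src) into a dst of dst_size bytes would write
 * past its end: strcpy copies strlen(src)+1 bytes no matter what. */
int strcpy_would_overflow(const char *src, size_t dst_size) {
    return strlen(src) + 1 > dst_size;
}

/* The unbounded pattern the article criticises: safe only if the caller has
 * already proven strlen(src) < NAME_MAX; anything longer corrupts whatever
 * the compiler placed after name[]. */
void set_name_unbounded(struct record *r, const char *src) {
    strcpy(r->name, src);           /* no length check at all */
}

/* Bounded replacement: never writes past dst_size, always NUL-terminates,
 * and returns -1 on truncation so the caller can reject the input instead
 * of silently continuing with a mangled value. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return -1;
    size_t n = strlen(src);
    if (n >= dst_size) {            /* no room for the terminator */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

int set_name_bounded(struct record *r, const char *src) {
    return copy_bounded(r->name, sizeof r->name, src);
}

int main(void) {
    const char *ok = "calculator";                 /* constructed inputs */
    const char *too_long = "a-very-long-package-name";
    struct record r = { "" };
    printf("%-26s overflow=%d bounded=%d\n", ok,
           strcpy_would_overflow(ok, NAME_MAX), set_name_bounded(&r, ok));
    printf("%-26s overflow=%d bounded=%d name=%s\n", too_long,
           strcpy_would_overflow(too_long, NAME_MAX),
           set_name_bounded(&r, too_long), r.name);
    return 0;
}
```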
After learning about the problem, Samsung officials stated the following: “Samsung Electronics pays much attention to security and privacy. We regularly check our systems and if we find a potential vulnerability, we immediately try to fix it.”
Now Samsung is working with Neiderman to solve all the problems.
Tizen is an open operating system based on the Linux kernel. It is used not only by Samsung but also by Intel and a number of other companies. It brings together a number of solutions previously used in MeeGo, LiMo and bada, and supports hardware platforms on the ARM and x86 architectures. It was first presented on September 27, 2011 by the LiMo Foundation and the Linux Foundation. On February 9, the source code for Tizen 2.3 was published.