Expert warns that Samsung's Tizen is full of amateur-level code that hackers will be delighted with



Samsung is independently developing the mobile OS "Tizen" and plans to install it not only in smartphones and smartwatches but in all kinds of IT appliances such as TVs. However, a security expert warns that Tizen has security problems and is "full of vulnerabilities that hackers will be delighted with".

Samsung's Android Replacement Is a Hacker's Dream - Motherboard
https://motherboard.vice.com/en_us/article/samsung-tizen-operating-system-bugs-vulnerabilities

Amihai Neiderman of Equus Software, an Israeli security firm, who is appearing at the Security Analyst Summit hosted by Kaspersky Lab, told Motherboard that "the Tizen OS developed by Samsung is full of vulnerabilities" and pointed out that it is dangerous for Tizen to be adopted in smartphones, smart appliances and other products on the market.

"Vault 7", the documents describing the CIA's secret intelligence operations already published by WikiLeaks, revealed a method of hacking Samsung smart TVs that use Tizen by means of a USB memory stick. According to Neiderman, however, breaking through Tizen's vulnerabilities makes it possible to operate a device remotely, without physical contact. Apart from what was revealed in Vault 7 and elsewhere, Tizen is said to have 40 previously unknown vulnerabilities, counting only those Neiderman has confirmed.


As an example, Neiderman points out that Tizen has a heap overflow vulnerability. Tizen uses the function "strcpy()", which copies data in memory, but the function has a fundamental defect: it does not check whether enough space is available for the data being written. Neiderman therefore pointed out that an attacker could intentionally create a buffer overrun condition. According to Neiderman, no programmer uses this function nowadays, yet it appears in many places in Tizen's code.
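The unchecked-copy defect described above, next to a length-checked replacement. This is an added example, not code from Tizen or from the original article; the `record` structure, the function names and the buffer size are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record with a fixed-capacity, heap-allocated field. */
struct record { char *name; size_t cap; };

struct record *record_new(size_t cap) {
    struct record *r = malloc(sizeof *r);
    if (r == NULL) return NULL;
    r->name = calloc(cap, 1);
    if (r->name == NULL) { free(r); return NULL; }
    r->cap = cap;
    return r;
}

void record_free(struct record *r) {
    if (r != NULL) { free(r->name); free(r); }
}

/* Unsafe pattern: strcpy() copies up to the source's NUL byte and never
 * looks at the destination size, so any src longer than cap - 1 bytes
 * writes past the end of the heap allocation. */
void set_name_unsafe(struct record *r, const char *src) {
    strcpy(r->name, src);
}

/* Checked form: look for the terminator within the first cap bytes of
 * src; if it is not there, src cannot fit, so refuse the copy and leave
 * the destination untouched. Returns 0 on success, -1 on rejection. */
int set_name_checked(struct record *r, const char *src) {
    if (r == NULL || r->name == NULL || r->cap == 0 || src == NULL)
        return -1;
    const char *end = memchr(src, '\0', r->cap);
    if (end == NULL)
        return -1;
    memcpy(r->name, src, (size_t)(end - src) + 1); /* text plus NUL */
    return 0;
}

int main(void) {
    struct record *r = record_new(8);              /* constructed size */
    if (r == NULL) return 1;
    printf("fits:     %d\n", set_name_checked(r, "tizen"));
    printf("too long: %d\n", set_name_checked(r, "a-much-longer-name"));
    printf("stored:   %s\n", r->name);
    record_free(r);
    return 0;
}
```

Rejecting an oversized input rather than truncating it keeps the caller from silently working with a shortened value.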

It is also known that Tizen does not use SSL encryption, which secures the connection, for some data transmission and reception. Neiderman points out that SSL encryption should be used there, saying: "Samsung makes many wrong assumptions about which parts need encryption. Moving back and forth between secure and insecure connections is extra work, which suggests that Samsung is deliberately deciding not to use SSL in certain places."


Samsung, which joined the Intel and Nokia project from which Tizen began, integrated the code of the Bada OS it was developing at the time into Tizen in 2013. According to Neiderman, however, the code with security problems is not old legacy code; it is Samsung's own code, added in the last two years. "Tizen contains everything you can think of that can be done wrong. It seems that nobody with an understanding of security was involved in writing Tizen's code. It is like letting amateurs write the code," Neiderman says, adding, "It may be the worst code I have ever seen".

Neiderman has notified Samsung of the vulnerabilities in Tizen and is sharing the vulnerability information. "The number of products running Tizen is still small, and because there are especially few smartphones, the security problems have not yet become obvious, but it needs to be reviewed before Samsung fully introduces Tizen to smartphones," Neiderman warns.

in Mobile, Software, Security, Posted by darkhorse_log