Experts Warn Samsung Tizen OS Could Put You At Risk
The Tizen operating system used in virtually all Samsung smart devices including phones, TVs and even refrigerators allegedly could be loaded with security vulnerabilities that could open those products to hackers looking to spy on you and steal your data.
The CEO of a network traffic monitoring company for major businesses is warning the public that these vulnerabilities, which were recently exposed by an Israeli security researcher, are potentially very serious and may not be limited to Samsung alone.
Michael Patterson, CEO of Plixer International, told HD Guru that a spate of recent leaks and reports exposing Samsung smart TVs and other devices as prone to hacking makes clear that consumer electronics users are at risk and need to make their data and lifestyle security a priority in their consumer electronics buying decisions. This extends to smartphones, tablets, smart TVs and less obvious devices like connected refrigerators and even washers.
The risk of malware attacks and hacks extends to all brands and models, but as the recent reports have found, some might be worse than others.
The latest case in point concerns a recent report on Motherboard about Israeli security researcher Amihai Neiderman, who issued a report stating he has discovered 40 vulnerabilities in Samsung’s operating system known as Tizen. The OS runs on Samsung’s smart TVs, smartwatches, phones and even some washers and refrigerators. The vulnerabilities could allow a hacker to take over the devices, gain administrative rights and even rewrite system software to perform a wide variety of invasive and potentially criminal tasks, from spying on users to stealing their identity.
Patterson’s company, Plixer International, works primarily with businesses, measuring network traffic analytics, behavior analysis and forensic data in support of incident response. He advocates that businesses and device manufacturers begin to use services like his to monitor traffic around their businesses and devices to discover exploited vulnerabilities and quickly address them.
An outspoken advocate for consumer privacy rights and a critic of manufacturers who embed tracking systems in their products to monitor consumer viewing habits without their knowledge, Patterson said the recent vulnerabilities exposed by Neiderman in the Tizen platform are potentially very serious.
“Technology consumers have an unspoken trust that new technology purchases are shipped from the manufacturer with the latest security features and functionality embedded. If Amihai Neiderman’s findings are accurate, it is alarming that Samsung is shipping smart TVs, smartwatches and mobile phones with many serious security flaws. Given that Tizen is currently running on 30 million devices (smart TVs and smartwatches) and that Samsung plans to have 10 million Tizen phones this year, the potential for these devices to become members of the next big botnet is very real.”
Responding to the alleged vulnerabilities, a Samsung spokesman told HD Guru: “Samsung Electronics takes security and privacy very seriously. We regularly check our systems and if at any time there is a credible potential vulnerability, we act promptly to investigate and resolve the issue. We continually provide software updates to consumers to safeguard their products. We are fully committed to cooperating with Mr. Neiderman to mitigate any potential vulnerabilities.”
One of the newer threats to Plixer’s clients is the Bring Your Own Device (BYOD) movement, which creates an environment encouraging employees to use their personal electronic devices on employers’ networks.
When misused, these devices can be used to hack into a company’s network through a mobile device and/or a smart TV placed in a common room or cafeteria. According to Neiderman’s report, Samsung smart TVs and phones running Tizen software can open the door to attacks on these BYOD-enabled networks.
Bob Noel, Plixer strategic relationships and marketing director, said “the really concerning thing is that Samsung has announced Tizen is their operating system of the future. As a general rule of thumb consumers should realize that smart TVs do have Internet access and they should be aware that there are some known vulnerabilities in that.”
The Plixer executives said they were not simply piling on Samsung. They point out that other consumer electronics makers could have similar vulnerabilities, or worse, have been actively engaged in datamining end-user viewing behavior, sometimes without their knowledge. They pointed to recent reports on lawsuits against Vizio’s datamining activities as an example.
Noel also referred to the recent WikiLeaks report that alleges the CIA and the United Kingdom’s MI5 had developed a program called Weeping Angel to exploit Samsung smart TVs and take over their microphones to spy on users of interest, even after the devices have been turned off.
“Unfortunately, consumers are reliant in this case on the manufacturer and as a consumer of such devices you have an inherent trust that the manufacturer is doing what they can to protect and secure those devices,” Noel said. “In this particular case, given the vast variety of vulnerabilities and the researcher’s brutal response that it is the worst code he had ever seen, I think it has potential impact on consumer trust for Samsung.”
The danger, Patterson added, is that as more and more manufacturers are found to have exploitable software vulnerabilities and engage in more-or-less invisible datamining activities, consumers are becoming complacent and continue to purchase from these brands without a second thought.
“Am I concerned about certain TVs because they are more likely to be infected? I don’t think so, and the reason why is because a lot of these TVs are being OEMed [manufactured by one company for another brand] by several different manufacturers and if you lift the hood it’s the same engine,” Patterson said. “The other thing is, everyone’s getting hacked — Samsung, Sony, Panasonic, whatever, they all get hacked.”
As a precaution against malware attacks on smart TVs, in particular, Patterson recommends people get in the habit of unplugging their smart TVs when not in use or connecting them to a power strip that can be switched off. Patterson explained that most TVs build in ROM memory that won’t support long-term storage of software. As long as the TV is plugged in, it will have enough stand-by power to keep that software stored, but when the television is forced to reboot via a disruption of power, any potentially dangerous or unwanted malware is wiped from the set’s ROM.
He also suggests television shoppers consider buying a television or monitor without a smart TV platform, and then add an external media adapter or a connection to a PC to perform their streaming activities.
Unfortunately, removing malware or hacks from smartphones and tablets isn’t as easy.
Noel pointed out that “there is certainly no lack of vulnerabilities that get announced on the Android and Android TV side as well. The bad guys are looking at and monitoring all operating systems. But with this research on Tizen, there is such a vast variety of vulnerabilities and one massively important one was that [Samsung’s] Tizen Store had a vulnerability that would allow a hacker to gain full control of an account and essentially gain administrative access to any Tizen device that’s on that account to push any software that they want.”
“There also were some decisions made with regard to SSL encryption in some of the connections specifically not to encrypt that data,” Noel said. “That’s a pretty strong vulnerability too.
“Certainly, there is no operating system out there that’s bullet proof. No question. But the lack of embedded security in this particular [Tizen] operating system is alarming, and perhaps more so than other operating systems out there. At least according to the researcher’s notes.”
Meanwhile, another report surfaced this week that the Chrysaor infection, which was once written to infect iOS devices, has now been adapted to spread to Android-based systems as well. It is one of the worst forms of malware uncovered so far, according to Patterson.
“Seeing how it was found to be compiled in 2014, it has likely evolved with even more features since then. Consumers need to be aware that both the good guys and the bad guys are looking to make sure that they can leverage our mobile phones as surveillance bots,” said Patterson. “For those engaged in confidential conversations, a heightened sense of awareness must be maintained at all times when their personal device is within range. Infections like this are becoming the norm. Companies concerned about this type of leak need to make sure they have network traffic analysis systems in place to help uncover active surveillance.”
By Greg Tarr
Copyright ©2017 HD Guru Inc. All rights reserved. HD GURU is a registered trademark.