Security Researcher Says Samsung's Tizen OS Is The Worst Code He's Ever Seen (vice.com) 109
Samsung has been working on its Tizen operating system for several years now, implementing it into its various televisions and smartwatches. According to a report from Motherboard, the OS isn't receiving a lot of praise in the security department. Israeli researcher Amihai Neiderman has found 40 unknown zero-day vulnerabilities in Tizen, adding that it may be the worst code he's ever seen. From the report: "It may be the worst code I've ever seen," he told Motherboard in advance of a talk about his research that he is scheduled to deliver at Kaspersky Lab's Security Analyst Summit on the island of St. Maarten on Monday. "Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software." All of the vulnerabilities would allow hackers to take control of a Samsung device from afar, in what's called remote-code execution. But one security hole Neiderman uncovered was particularly critical. It involves Samsung's TizenStore app -- Samsung's version of Google Play Store -- which delivers apps and software updates to Tizen devices. Neiderman says a flaw in its design allowed him to hijack the software to deliver malicious code to his Samsung TV. Because the TizenStore software operates with the highest privileges you can get on a device, it's the Holy Grail for a hacker who can abuse it. Although TizenStore does use authentication to make sure only authorized Samsung software gets installed on a device, Neiderman found a heap-overflow vulnerability that gave him control before that authentication function kicked in. Although researchers have uncovered problems with other Samsung devices in the past, Tizen has escaped extensive scrutiny from the security community, probably because it's not widely used on phones yet.
Found the LUDDITE! (Score:1, Funny)
This just means Tizen is the appiest apperating app! Only LUDDITES would hate app-day apps!
Apps!
Asian corporate culture... (Score:3)
Re:Asian corporate culture... (Score:5, Insightful)
It's an engineering problem.
Engineering proof of correctness: Does it work when I try to use it as designed?
Security proof of correctness: Does it fail open when I try to use it not as designed?
I've seen the same thing with firewalls; does it (the thing you're trying to access) work now? Ok the rules must be right then: "Allow any any" usually does it.
Re: (Score:3)
Actually, this is "bad engineering", because good engineering also looks at how it behaves under non-standard conditions and then you get security as a characteristic that can be tested and verified. I see the same thing when doing security evaluations and IT security engineering. People stop thinking when "it works" (not that many developers think a lot in the first place). A consequence is that you find, for example, all the "Web Application Worst Practices" in (custom) enterprise software. Add to that th
Re: (Score:2)
Yeah, I was a little unkind...
Re: (Score:2)
Given that what you described is often accurate, no problem.
Re: (Score:2)
I can tell by your writing that you're a natural coder. And, I can tell by your last sentence that that gets in the way when you're dealing with people.
Actually, it does not. The trick is to be an expensive consultant, and suddenly people listen to you and make sure you can work. Of course, in order to be that type of consultant, you must have pretty good people skills as well. I do know people for which your analysis is completely accurate though.
Re: (Score:3)
I suspect that hitting a price point and a market date, something not unique to Asian manufacturers, does far more damage than any regional corporate culture. Money spent on the Tizen OS, beyond something that works well enough to sell, makes Samsung no more money and gets funded accordingly (up-front and afterward to fix the mess).
Re: Asian corporate culture... (Score:3)
Re: (Score:2)
To be fair, the Samsung OS comes, sort of free with the device, all they can see is Android. M$ well it comes out crap on purpose so they can sell it again and again, only this time more secure and more stable and more reliable versus prior products original release, the new wrinkle is of course far more privacy invasive and they are now selling you. The next big thing will of course be the Google vs Apple vs M$ VPN wars (M$ is kind of screwed right from the outset, impossible for them to sell privacy now,
Re: Asian corporate culture... (Score:1)
I wrote the code that lets you see AC's real names, Darren.
Re: (Score:1)
This has nothing to do with Asian, but with EVERY corporate culture, Microsoft, apple had the same problem, they just had to get their shit together after many many years of criticisms, and outrage from their customers...
Also, stupid statements like "worst code he's ever see" only makes me know that such "expert" has not seen much code actually.
More than half OS projects on GitHub are a stinking pile of shit, If they let me see that Tizen code, I can show at least a 100 projects with demonstrably consistent
Re: (Score:2)
Also, stupid statements like "worst code he's ever see" only makes me know that such "expert" has not seen much code actually.
More than half OS projects on GitHub are a stinking pile of shit, If they let me see that Tizen code, I can show at least a 100 projects with demonstrably consistent worst code.
While I sort-of agree to that, keep in mind that a security expert that understands security _and_ can code and read code with a reasonable level of expertise is already part of a small elite of the field. Yes, it is that bad.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Asian corporate culture seems to get in the way of cranking-out good code
It does nothing of the sort. There's plenty good code from various Asian countries (most of which have very varied corporate culture by the way).
Just nothing good from Samsung. But then I'm not surprised either. Samsung seem to be fantastic at bogging down their hardware with their code. Their TVs are the only ones with quad core processors and still the longest to actually start when you turn them on. The majority of exploits seem to come on them. And I won't ever forget their attempts at coding their own
One question answered (Score:2)
We now know where Samsung falls on the H-1B question.
News, Not-news (Score:2)
A major multinational corporation is pushing cut-rate garbage?
Maybe if the outcry is loud enough, Samsung will either fix it or abandon it.
They built the crap in the first place, so it's clear they won't bother without some outside pressure.
Re: (Score:2)
Re: (Score:2)
It's a corporation successfully trying to kill off the Linux component in phones.
With software in TVs?
Re: (Score:2)
Unknown zero-day vulnerabilities (Score:2)
Re: Unknown zero-day vulnerabilities (Score:1)
You joke, but it's true. I can guarantee someone on that team knew this code had a vulnerability and we're ignored.
Re: (Score:2)
Not surprised (Score:5, Interesting)
I was once asked by my boss to tinker with Tizen, see if it was usable, since a client was soliciting bids for an app they wanted to run on Samsung's smartwatch.
After a few day's experimentation, I reported that the Tizen SDK was basically unusable to write any app except the ones Samsung already wrote, and that the specific app the client was hoping for was literally impossible. The SDK itself was one of the worst programs I've used in many years - horrendously slow, crash-prone and cluttered in the way typical of early-00s Windows apps.
Needless to say, I am not surprised on multiple levels. First, that Tizen is insecure in addition to being slow and useless. Second, that nobody's taken a serious look at its security, since most people stop looking at it far before security starts to matter.
Similar experience (Score:5, Informative)
Similar experience, I thought maybe I'd look up at Tizen apps "for fun" and after about a day or so I was certain it was not going to be any sort of fun! Well, unless S&M is your thing... And here is [thedailywtf.com] an educational article about the EFL libraries you get to use when designing native Tizen apps.
Re:Similar experience (Score:5, Informative)
I had a chat to some of the Enlightenment devs at FOSDEM a few years ago. They were very proud of their new object system and IDL, which they thought would make it easy to bridge higher-level languages with their libraries. Unfortunately, their IDL exposed C types and nothing but C types as arguments. Their example had a char* parameter and a char* return. I asked them a few questions:
How do I know if it's and input or output (or both) parameter?
Is its length another argument (and, if so, in what units) or is it NULL-terminated?
Is there ownership transfer involved (i.e. is the caller still responsible for freeing the argument or does the callee take that responsibility? Is the caller responsible for freeing the return value and if so must they call free() or some other cleanup function)?
Is this an array of bytes or a string (i.e. should I map it to a string or data object in another language), if it's a string, what encoding does it expect and is that a global property or specified explicitly?
Apparently none of these questions had occurred to them and they didn't even understand why you'd want to know the answers to about half of them. The worst thing for me is that not only are these all important for bridging with higher-level languages, you need to know most of this information to be able to correctly use a C API, and they weren't putting it in the documentation and didn't even have consistent conventions (and therefore only need to document the exceptions). That was when I learned to avoid EFL like the plague. It may have improved since then, but I doubt it - good developers only reinvent the wheel after they've looked at existing ones and understood their flaws. The EFL developers are vaguely aware of square wheels and decided to try triangular ones as a replacement.
Re: (Score:2)
After a few day's experimentation, I reported that the Tizen SDK was basically unusable to write any app except the ones Samsung already wrote,
Moblin (which Intel put as much effort into ripping out all the non-intel support from as doing anything else) begat Meego (which was never usable) which begat Tizen. It would be shocking if it weren't a complete clusterfuck.
Not widely used on phones "yet" (Score:1)
Tizen has escaped extensive scrutiny from the security community, probably because it's not widely used on phones yet.
"Yet" - and now "never will be" - we hope.
Embedded computing and security (Score:5, Interesting)
Funny coincidence, I work in embedded in my spare time and am a security researcher by trade, so I think I can say with some confidence that they don't mix well. For many reasons.
First of all, there is no history of security in embedded. Because until very recently, there was absolutely no reason or need to even consider security an issue. You were dealing with closed, if not hermetically sealed systems. They could more often than not not even receive updates, let alone communicate with other embedded devices. Even "sophisticated" devices like TVs, not even talking about the "dumb" ones like washing machines or dishwashers. It's been only about a decade that TVs have a connection that's bidirectional. And "real" internet on TVs only arrived a generation of TVs ago.
And for all the other embedded gadgets, that whole "connectivity" thing is still very much bleeding edge.
And all that in devices for which until very recently, again, every byte mattered. Computer programmers are used to Mega- and Gigabytes of ram at their disposal, with embedded, you're in some areas still talking KB. Especially when it comes to low-cost devices where you can't just stuff in more ram and faster ICs because they'd simply cost too much. Yes, a part costing maybe a buck or two is "too expensive" here.
Put that together and add exactly ZERO experience with security among embedded developers (for all the reasons above) and you most likely understand why this is a HUGE problem that will bite us in the rear. Actually, it's already biting.
Re:Embedded computing and security (Score:4, Interesting)
Funny coincidence, I work in embedded in my spare time and am a security researcher by trade, so I think I can say with some confidence that they don't mix well. For many reasons.
I beg to differ. I've been an embedded software engineer since the early 80s. In 2000 I got a contract from the guy who owned the George Foreman Grill. He wanted an appliance that would mount to the underside of kitchen cabinets, have internet, CD/DVD playback, HiFi quality sound, and connect to a recipe database via 802.11. One of the first things we worried about was security. 802.11 was new back then, nobody really knew how it would work out. The screen would fold down so the user could watch the videos.
Security came up in every meeting. We knew about it, understood the risks, and didn't know what the hell to do but knew we needed to try.
Project crashed and burned because he wanted to sell it for $999.95, and we couldn't get the BOM under $1k.
Every project I've worked on since has had security as a high priority. Lessee, what have I done since then? Um, cellphone base station, cellphone games, electronic ticketing system (take a ticket, now serving #32, you have #38), automated IC testing, muxing MPEG2 streams from multiple satellites into a custom stream, cellphones. Every one of these security has been a top issue.
Re: (Score:2)
Re: (Score:2)
First of all, there is no history of security in embedded. Because until very recently, there was absolutely no reason or need to even consider security an issue.
Please don't lump everything "embedded" under one big banner. We've been hooking "embedded" systems to the internet for the best part of 20+ years now. There's always been a requirement to consider security.
Re: (Score:1)
I've always been of the mind that low-resource situations are often *better* for security. If you have a very tight, resource-conservative ecosphere, then there's no reason it can't also be a very tight security-conscious ecosphere. When you start throwing massive pools of memory etc resources, then a lot of people just assume that they'll never hit on limits, so you end up with situations where - instead of doing things to allocate and check sane amounts of memory - you just end up with high limits "hey, l
Re: (Score:2)
That's less a problem than cutting corners when it comes to sanity checks due to timing or program memory constraints.
Re: (Score:1)
True enough, but one would hope that on any "official" modules or API's this stuff isn't done or gets cleaned out.
Enlightenment WM author ? (Score:4, Interesting)
Going way to this site's "nerd" days, people should be familiar with the window-manager-then-a-desktop-environment-under-development-for-a-decade-and-a-half called Enlightenment. It's main developer - Rasterman - worked at Samsung and had a lot to do with this OS. I don't know if he's still involved or not but I haven't heard anything about this OS since he mentioned it years ago.
Re: (Score:1)
He still works there but AFAIK he is just responsible for features/performance of the UI toolkit stuff. I don't think OS-level security is really in his jurisdiction.
Really, The worst? (Score:1)
"Challenge accepted!" - Microsoft, Mozilla, tons of app store (cr)apps, several bloated antivirus companies ...
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
"Tizen OS is the worst code I've ever seen"
"Challenge accepted!" - Microsoft, Mozilla, tons of app store (cr)apps, several bloated antivirus companies ...
Anything that isn't Open Source, would rise to the challenge. When you work as a consultant and see real world production code, you can't sleep well at night.
Tizen OS remote-code execution (Score:1)
Tizen is summed up nicely by this TheDailyWTF post (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
Well, looks like a lot of wheels have been reinvented really badly here. The sign of utterly incompetent engineering and utterly incompetent management that does not know how to identify and hire good engineers and then let them work.
Re: (Score:2)
Urgh. My condolences and congratulations for getting out.
Re: (Score:2)
The sign of utterly incompetent engineering and utterly incompetent management that does not know how to identify and hire good engineers and then let them work.
Doesn't this describe most tech companies these days? The open-plan office is proof of incompetent management.
Re: (Score:2)
The Ravenous Bugblatter Beast of Tizen is a mind-bogglingly stupid codebase. It has almost no capacity for Enlightenment and is therefore surprised by virtually everything that happens to it. Here is an example of how stupid it is: it thinks that if you can't see its pointer types, it can't see you.
Its behaviour would be quite endearing if it wasn't spoilt by this one thing: it is the most violently crappy codebase in the Galaxy. A void*, a void*, a void*.
Re: (Score:2)
https://what.thedailywtf.com/t... [thedailywtf.com]
Yeah, the first thing I though when reading the story was:
"SPANK SPANK SPANK! Naughty programmer!"
(a Tizen error code)
Lawsuit in 3.. 2... 1... (Score:2)
Watch Samsung sue said researcher.. Gotta keep those liars err lawyers busy ya know...
Re: (Score:3)
crying to the bank (Score:2)
Rubbish (Score:2)
How can he say such rubbish as a scientist. Has he seen all code of everything? What are his metrics? Don't get me wrong. The Tizen code could be one of the worst code there is. This is a fair hypothesis, but then you have to provide proof. At least some metrics on implementation errors, complexity, patterns etc.
Re: (Score:2)
Your post is the stupidest I've read today. I'm not claiming to have read them all (though I doubt it would change if I did).
Re: (Score:2)
It is nice that you are giving any details to your conclusion. I thought we do not want to indulge in bullshit based on feelings and rather use evidence to come to conclusions. For a summary (even on /.) it is necessary to give a little more than just a "biggest rubbish ever"-claim. If he found flaws he could have provided something like: We found 100 security flaws in the code in 1000 LOC c-code.
Re: (Score:2)
he didn't claim "ever". That's my point, you thick cunt.
Re: Rubbish (Score:1)
Re: (Score:2)
No, he's claiming that your conclusion is wrong because you didn't evaluate every other car in the world, even if your claim was only based on the ones you've seen.
Set theory's clearly not his thing.
Re: Rubbish (Score:1)
Well, it's a Samsung product (Score:2)