Samsung's Tizen operating system contains more than 40 security flaws, claims Kaspersky
Re-use of code from earlier Samsung efforts helps make Tizen "the worst code I've ever seen", says security researcher
Samsung's home-grown Tizen operating system has been blasted for containing a series of serious security flaws - making smartwatches, televisions and smartphones based on the operating system equally insecure.
That is the claim of Amihai Neiderman, a security researcher speaking at the Kaspersky Security Analyst Summit this week. Tizen contains more than 40 known weaknesses, he claims, making it "maybe the worst code I've ever seen", according to Motherboard.
The flaws all compromise the security of the devices they run on, but Neiderman says the TV implementation of the software is particularly poor, as the TizenStore module, which has the highest security privileges, enables attackers to install any malicious software on demand once the devices have been compromised.
One part of the problem is code being repurposed and re-used from earlier 'Bada' projects, but Neiderman says that many of the more severe issues, which include buffer overrun exploits and incorrectly implemented encryption, are found in new code written in the last two years.
For Samsung, Tizen is its attempt to push beyond Google's Android confines for the future of its devices. It wants more control over both the hardware and software it creates, as well as higher profits from mobile and other devices.
But Neiderman argues that the South Korean company needs to reconsider a large-scale rollout of Tizen on smartphones until the overall security of the platform has been improved.
While it's worrying enough for Tizen-based TVs, putting an operating system with these sorts of vulnerabilities on tens of millions of smartphones could result in a lot of potential headaches for the company, considering how much more personal info is stored on a phone compared to a TV.
Neiderman says he tried to contact Samsung "months ago" but got a standard automated response.
In a bland statement provided to Motherboard, Samsung says it is "committed to working with security experts around the world to mitigate any security risks", through its smart TV bug bounty programme.