Wednesday, April 5, 2017

Samsung "Smart" devices: "It may be the worst code I've ever seen."

Samsung is making all their devices "smart" - not just phones, but TVs and appliances such as dishwashers.  All of these will be connected to your home network.  They have shipped something like 30 million of these devices, so this software is in all kinds of things.  You may even have one of these and not know about it.

Samsung naturally wants to avoid licensing costs, so their software is not built on top of Android.  Instead, they have created their own operating system called Tizen.

Long-time readers already know where I'm going.  I keep saying that when it comes to the IoT, security wasn't an afterthought; it wasn't thought of at all.  Well, it's not just me saying it - Samsung's Android Replacement Is A Hacker's Dream:
Last month, the CIA got a lot of attention when WikiLeaks published internal documents purporting to show how the spy agency can monitor people through their Samsung smart TVs. There was a caveat to the hack, however—the hijack involved older models of Samsung TVs and required the CIA have physical access to a TV to install the malware via a USB stick.
But the window to this sort of hijacking is far wider than originally thought because a researcher in Israel has uncovered 40 unknown vulnerabilities, or zero-days, that would allow someone to remotely hack millions of newer Samsung smart TVs, smart watches, and mobile phones already on the market, as well as ones slated for future release, without needing physical access to them. The security holes are in an open-source operating system called Tizen that Samsung has been rolling out in its devices over the last few years.
The researcher was horrified at the security holes:
"It may be the worst code I've ever seen," he told Motherboard in advance of a talk about his research that he is scheduled to deliver at Kaspersky Lab's Security Analyst Summit on the island of St. Maarten on Monday. "Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software."
And the icing on the cake?
Neiderman contacted Samsung months ago to report the problems he found but got only an automated email in response. When Motherboard contacted the Korean company, a Samsung spokesperson sent a boilerplate response via email: "Samsung Electronics takes security and privacy very seriously. We regularly check our systems and if at any time there is a credible potential vulnerability, we act promptly to investigate and resolve the issue."
After this article was published, the company sent another statement reading: "We are fully committed to cooperating with Mr. Neiderman to mitigate any potential vulnerabilities. Through our SmartTV Bug Bounty program, Samsung is committed to working with security experts around the world to mitigate any security risks."
Riiiiiight.  Good security follow-up.

Quite frankly, the situation looks like a complete security disaster, with security holes everywhere, up to and including the "Samsung Online Store", which would let you install your own hacker 'sploit (not that you would ever do that, Gentle Reader).  It's Amateur Hour at Samsung, from the coders to the testers, all the way to the PR droids.

If you add in the other great reasons not to use their "Smart" devices, all I can recommend is that you do NOT buy from this company.  I don't think I've ever written 4 posts saying not to buy products from a particular vendor because of blatant security fails.  I guess that Samsung is an overachiever here.

1 comment:

Unknown said...

So what you are telling us is that the same OS that allowed governments to spy on us via our Samsung TV – operating the camera for visual surveillance – is the OS running in our Samsung microwave oven also?

I once had a thought experiment/discussion in a pub about how many normal things in a domestic living room were (or could be adjusted to be) microphonic -- and were also fairly directly connected to wiring accessible from outside the room.

I really don't think that there is a way to get a visual via a hacked microwave, but seeing how vacationing parents have been able to tell when the left-alone teens are having a party based upon signatures of fridge and HVAC in the power usage graph provided as an app by their solar company, I'm not sure I would treat any "smart" appliance as benign.