Samsung's squashing of Tizen smart-TV bugs is turning messy

Credit to Author: Agam Shah| Date: Fri, 07 Apr 2017 11:08:00 -0700

After 40 critical vulnerabilities on Samsung’s Tizen — used in smart TVs and smartwatches — were exposed this week by Israeli researcher Amihai Neiderman, the company is scrambling to patch them.

But Samsung still doesn’t know many of the bugs that need to be patched. It’s also unclear when Tizen devices will get security patches, or if older Tizen devices will even get OS updates to squash the bugs.

Beyond Samsung’s smart TVs, Tizen is also used in wearables like Gear S3 and handsets like Samsung’s Z-series phones, which have sold well in India. Samsung wants to put Tizen in a range of appliances and IoT devices. Tizen also has been forked to be used in Raspberry Pi.

Samsung is now trying to resolve the issues, but progress has been slow because the company says it doesn’t have full details about the vulnerabilities, according to a post in the Tizen developers forum.

“The researcher has not provided a clear list of the 40 issues he claimed so far,” Samsung’s Carsten Haitzler, said while responding to a developer email seeking an update from Tizen on patching the vulnerabilities. Haitzler stressed that securing the OS was extremely important.

Neiderman, in an email, said he sent Tizen handpicked vulnerabilities, but he also sent a presentation that provides all the clues about what needs to be fixed in the OS.

“I sent them about four different vulnerabilities and a list of common types of problems they have all over their code,” Neiderman said.

There wasn’t enough time to review all the major exploits with Samsung, Neiderman said. “It seems they are only interested in the ones who affect their smart TV and not in the smartphones” in developing countries, he said.

Neiderman may have a point. Email exchanges in the Tizen developer forum cast doubt on when fixes will be made or whether they will even reach all devices using either the full Tizen OS or parts of it.

Updating is difficult because the Tizen development team is decentralized, and the OS has an Android-like defragmentation. While smart TVs and wearables may get patched, it’s not known if an OS update will come to Raspberry Pi 3 or other devices.

Many developers take the open-source Tizen code and modify it for their devices. Updating their devices with the patches would be up to them, and it’s possible some Tizen devices may not get updated code. Older Tizen devices remain especially susceptible to the bugs.

“Products take Tizen and modify it and then ship a product and whatever group does that is in charge. The platform maintainers have limited influence or control over this,” Haitzler said in a forum post

Tizen can fix the platform bugs “but can’t guarantee if an update will ship for devices or if it will be changed by the time it ships for a device,” Haitzler added. “That’s how all of this is structured. I wish I was able to change this.”

The OS showed promise early on, but the developer base has dwindled as programmers moved over to Android, iOS, or Windows platforms. The Tizen team has patched bugs and updated the OS, but the pressure has been growing on developers to address a growing list of issues. Tizen has provided a website for reporting bugs. 

The Tizen development community is much smaller than Android’s. Samsung has been releasing previews of Tizen 4.0, with a first public milestone release coming in May. That coincides with Samsung’s Tizen Developer Conference, which will be held in San Francisco on May 16 and 17.

http://www.computerworld.com/category/security/index.rss