Linked by Thom Holwerda on Tue 4th Apr 2017 21:42 UTC
OSNews, Generic OSes

But the operating system is riddled with serious security vulnerabilities that make it easy for a hacker to take control of Tizen-powered devices, according to Israeli researcher Amihai Neiderman.

"It may be the worst code I've ever seen," he told Motherboard in advance of a talk about his research that he is scheduled to deliver at Kaspersky Lab's Security Analyst Summit on the island of St. Maarten on Monday. "Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software."

Raise your hand if you're surprised.

Question is why...
by leech on Wed 5th Apr 2017 07:06 UTC
leech Member since:
2006-01-10

What use is it to hack a TV?

While for the most part I think the Tizen phones are only sold in specific markets, and then you have their smart watches, which from what I can tell really only have connectivity via bluetooth / wifi. Which I suppose you could try to hack, if you had some sort of way to connect to it.

Reply Score: 1

RE: Question is why...
by sj87 on Wed 5th Apr 2017 07:50 UTC in reply to "Question is why..."
sj87 Member since:
2007-12-16

What use is it to hack a TV?

Every smart TV unit is a computer, so in essence your question is "what use is it to hack a computer?"

I think I don't even have to answer that.

Reply Score: 4

RE: Question is why...
by ssokolow on Wed 5th Apr 2017 08:37 UTC in reply to "Question is why..."
ssokolow Member since:
2010-01-21

The most visible horror of Orwell's 1984 is that every home had a TV through which Big Brother was always watching you.

Smart TVs generally have cameras and microphones.

Does that make things a bit more clear?

Reply Score: 4

RE[2]: Question is why...
by Leszek Lesner on Wed 5th Apr 2017 12:09 UTC in reply to "RE: Question is why..."
Leszek Lesner Member since:
2007-04-08

Even vibrators nowadays have cameras xD.
IoT everywhere and none of those manufacturers have any knowledge about IT-Security.
It is unbelievable that those don't even have upgrade paths for their hidden webservers in dishwashers or other.

https://www.pentestpartners.com/blog/vulnerable-wi-fi-dildo-camera-e...

Reply Score: 1

RE: Question is why...
by RobG on Wed 5th Apr 2017 09:31 UTC in reply to "Question is why..."
RobG Member since:
2012-10-17

That TV could also be recruited to form part of a bot net, used to compromise other systems, as recently used in enormous denial-of-service attacks across various systems.

Reply Score: 3

RE[2]: Question is why...
by leech on Thu 6th Apr 2017 03:50 UTC in reply to "RE: Question is why..."
leech Member since:
2006-01-10

Fair enough for the botnet, but while I'll admit that I have only bought a Samsung TV that was a 2015 model, and it doesn't have any of the fancy voice commands (so no mic), and I know they exist.. but why on earth would you need/want a TV with a camera? Even an always listening TV is terrible, and while I basically bought my TV for one single reason (Plex app), it's not like they have large amounts of space either.

The question isn't so much 'oh my god, there is vulnerable code!' it's "what are the attack vectors? do you need physical access to it, or is ssh/web server available to hack?" Now I want to hack my TV and see... which is the real reason this is interesting, can I have a Debian TV instead? That'd rock...

Reply Score: 3

RE[3]: Question is why...
by ssokolow on Thu 6th Apr 2017 11:53 UTC in reply to "RE[2]: Question is why..."
ssokolow Member since:
2010-01-21

Sony smart TVs have cameras so they can nag you if you're sitting too close to the screen or not "watching in a well-lit environment".

Reply Score: 2

RE[4]: Question is why...
by darknexus on Thu 6th Apr 2017 17:12 UTC in reply to "RE[3]: Question is why..."
darknexus Member since:
2008-07-15

Sony smart TVs have cameras so they can nag you if you're sitting too close to the screen or not "watching in a well-lit environment".

Uh, what? Have we really become such babies that our TV companies feel the need to be nannies? I don't own any TV, haven't for years and have even less intent to do so now.

Reply Score: 2

RE[5]: Question is why...
by ssokolow on Thu 6th Apr 2017 21:37 UTC in reply to "RE[4]: Question is why..."
ssokolow Member since:
2010-01-21

If I need something in that vein, I'll buy a large-format monitor. (Basically, a traditional dumb HDTV without the tuner and with generally higher standards of quality for the LCD panel)

In fact, at some point, if I can budget for it, I'd like to buy a 53" large-format 4K display to replace my spread of three 19" 1280x1024 monitors.

(If I'm going 4K, I want to keep the pixels the same size so that driving roughly twice as many pixels means I can fit roughly twice as many applications in the spread.)

Edited 2017-04-06 21:38 UTC

Reply Score: 2

Well, duh...
by boudewijn on Wed 5th Apr 2017 12:20 UTC
boudewijn Member since:
2006-03-05

Only 40? Tizen is built on EFL, and that really is the most unsurprisingly notorious codebase ever. Every object is the same type, and string comparisons everywhere to distinguish between the objects. But I guess that Samsung couldn't do anything else, after it left Maemo/MeeGo. Intel and Nokia had already used GTK and Qt for that, so they simply _had_ to use something else, of course. And for the same reason -- something else was already using it -- Java was out of the question, too.

Reply Score: 6

RE: Well, duh...
by Nadir on Wed 5th Apr 2017 12:56 UTC in reply to "Well, duh..."
Nadir Member since:
2007-05-09

You just reminded me of

https://what.thedailywtf.com/topic/15001/enlightened/5

where Rasterman himself pitches in and goes on a rant. EFL is indeed horrible.

Reply Score: 3

RE: Well, duh...
by moondevil on Wed 5th Apr 2017 17:23 UTC in reply to "Well, duh..."
moondevil Member since:
2005-07-08

It is worse than that.

You skipped the part where Samsung integrated the Bada OS SDK into Tizen, thus bringing in its Symbian C++ flavour, followed by a rewrite with a more standards-compliant C++, only to drop everything and use EFL instead, with the promise that the new C++ API on top of EFL would come.

Now it appears that instead of doing that, they are adding support for .NET Core, Xamarin Forms and Tizen-specific APIs for .NET Core apps.

Tizen is a joke, apparently they want to beat the number of times Microsoft has redone their mobile SDK.

Reply Score: 4

RE[2]: Well, duh...
by boudewijn on Wed 5th Apr 2017 17:57 UTC in reply to "RE: Well, duh..."
boudewijn Member since:
2006-03-05

Yeah, well, brevity's sake and so on.

Gosh, I do miss the days of Maemo and Meego, when my company was working with Nokia and doing great stuff.

Reply Score: 2

RE: Well, duh...
by acobar on Thu 6th Apr 2017 21:18 UTC in reply to "Well, duh..."
acobar Member since:
2005-11-15

Really, nuff said.

Granted, I'm not familiar with the state of EFL's current iteration but, when I was digging window managers to see what I would like more years ago, Enlightenment was awful, security-wise. They kind of wanted to put all effort on performance over almost everything else.

Not that security experts are not known to overstate the risks many times, though.

Reply Score: 2

Tizen smartphones + Samsung Pay
by Em_te on Thu 6th Apr 2017 02:20 UTC
Em_te Member since:
2014-07-23

Do the Tizen smartphones support Samsung Pay? I think that's a pretty attractive vector for attack.

What about the Tizen watch? Enter a secure area and you may need to hand in your phone at the security checkpoint. But your Tizen watch may be secretly recording everything without you knowing.

Reply Score: 1