Samsung's IoT devices are a hacker's dreamland

Samsung’s Linux-based Tizen has more than 40 zero-day vulnerabilities, and there are millions of Tizen OS-powered smart devices in the wild

I love IoT. I also love mixed reality, and I can see how the two will transform the world around us and take us out of this ugly mess of laptops and smartphones, etc. But IoT vendors like Samsung are ruining it for me, and for everyone else.

Samsung makes its money by manufacturing and selling devices. I love Samsung hardware and own a couple of their IoT devices, but I despise their software. Their attempt to create their own crappy and substandard replacement for Google software is hurting the company.

Samsung is ruining IoT for me.

According to Israeli researcher Amihai Neiderman, Samsung's Linux-based Tizen OS has more than 40 zero-day flaws. Many of these allow an attacker to remotely compromise Tizen OS-powered devices. Tizen OS powers Samsung’s smart devices, including my 4K TV. There are millions of IoT devices running on Tizen OS, and all of these devices are vulnerable, including my Smart TV.

Neiderman gave Samsung months to respond before going public with it. According to Motherboard, all Neiderman received from Samsung was an automated email response. When Motherboard contacted the company they got a stock response: "Samsung Electronics takes security and privacy very seriously. We regularly check our systems and if at any time there is a credible potential vulnerability, we act promptly to investigate and resolve the issue."

I have been critical of hardware vendors not taking software updates seriously, and I wrote a story about why you must never buy a smart fridge. When I contacted both Samsung and LG for input, Samsung declined to comment on a simple question: how long do these so-called smart devices get software updates?

It's quite clear that none of these so-called IoT vendors have any strategy for sustainable software updates despite claims that they take users' security seriously. If they did, there are three things they must do:

  1. Move to a standard Linux-based operating system for IoT that's designed from the ground up for automated software updates. We already have one; it's called Ubuntu Snappy Core.
  2. Stop writing their own operating systems.
  3. Either stop selling IoT devices or immediately switch all of their devices to secure operating systems like Ubuntu Core.

We don't have a pro-people government anymore; otherwise, I would have expected heavy regulations in place to protect people, forcing these companies to secure these devices. There must be massive class action lawsuits to kick many IoT vendors out of existence if they fail to offer secure devices.

What's sad is that Tizen is a Linux Foundation project and was often seen as a fully open source OS for IoT devices, but its security holes give it a bad rep.

So my message to Samsung, LG, and all those IoT vendors is this: Stop ruining IoT for us, stop creating your own crappy operating systems and adopt something like Ubuntu Snappy Core.

My advice to anyone planning to buy a smart device is to avoid Tizen OS-based devices for now. Also, when you do go to buy a smart device, ask this question and expect a firm answer: “For how long will my smart TV or fridge get software updates?” If they don’t have a concrete answer, don’t buy it.

IoT should stand for Internet of Things and not Insecure, Outdated Things!

Copyright © 2017 IDG Communications, Inc.