We wouldn’t blame Samsung for feeling snake-bit.  With the recent Galaxy 7 phone disaster, exploding appliance scandal and the arrest of its vice-chairman, the Korean manufacturing giant would be the first to admit to a rough patch over the last year.  So the recent news that Samsung’s OS (operating systems) are riddled with serious zero-day flaws is probably not a surprise, but it is a very unwelcome surprise.  A zero day vulnerability is a big deal; it refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term “zero day” refers to the fact that software companies have literally NO time to fix the vulnerability before it begins to affect customers.

For example, in October 2016, hackers used a massive army of hundreds of thousands, perhaps even more than a million, hacked devices—likely internet-connected surveillance cameras and DVRs—to flood the website of the independent security journalist and blogger Brian Krebs with a reportedly record-breaking amount of bogus traffic. It was an attempt to take the site down.  It’s a huge headache for the Internet – referred to by some in the business as World War Zero because of the cyberwarfare that can be conducted by exploiting zero day vulnerabilities.

It’s even a big deal in a lot of ways that you’d not consider.   Retired Army general Keith Alexander, who formerly headed both the NSA and U.S. Cyber Command, has been reported to have described China’s ongoing electronic theft of American intellectual property “the greatest transfer of wealth in history.” And it isn’t any secret – especially to President Trump, that the Russian government has been systematically hacking the U.S.’s energy infrastructure since at least 2012. According to IBM’s security division, the average American company fielded a total of 16,856 attacks in 2013.

Internet giants like Google, Apple and Facebook deal with these exploits on a daily basis and have teams of experts patching software vulnerabilities when they are identified.   Samsung, one of the largest consumer goods manufacturers in the world, apparently have been caught ignoring some serious software flaws by a researcher in Israel.  Amihai Neiderman, who is head of research at Equus Software in Israel has reportedly uncovered 40 unknown “zero days”, that would allow someone to remotely hack millions of newer Samsung smart TVs, smart watches, and mobile phones already on the market, as well as ones slated for future release. Neiderman, who is head of research at Equus Software in Israel, began analyzing the code eight months ago after purchasing a Samsung TV with Tizen installed on it.   The security holes are in an open-source operating system called Tizen that Samsung has been rolling out in its devices over the last few years.

Neiderman is quoted as saying: “It may be the worst code I’ve ever seen……..everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software.”   What’s worse, when Neiderman contacted Samsung to report the problems he found but got only an automated email in response.

According to Motherboard, Samsung has long sought to reduce its reliance on Google and Android to run its Galaxy smartphones and tablets and other devices. It already has Tizen running on some 30 million smart TVs, as well as Samsung Gear smartwatches and in some Samsung phones in a limited number of countries like Russia, India and Bangladesh—the company plans to have 10 million Tizen phones in the market this year. Samsung also announced earlier this year that Tizen would be the operating system on its new line of smart washing machines and refrigerators too.

Samsung was initially dismissive of Neiderman’s allegations but recently has indicated that it is work with the researcher to fix the problems.   However, given Samsung’s size, its initial rejection of Neiderman’s findings and its efforts to create its own OS system,  consumers have to be very concerned about buying ANYTHING from Samsung.   Until Samsung announces that it has fixed the identified zero-day vulnerabilities and has demonstrably increased the size and capabilities of its software security apparatus, we can’t recommend that you purchase any IoT devices from the Korean giant.