For the past few years, Samsung and McAfee have been broadening a strategic partnership to use McAfee software to secure various Samsung products. That partnership is expanding further in 2019. According to Samsung, all of its smart TVs sold this year will use McAfee Security and ship with the software preloaded on the device.
The two firms have been partnering for several years, even though, to the best of our knowledge, the actual benefits of running McAfee on a television haven’t been demonstrated. AV scanners running on smartphones are generally worthless. On the one hand, all of Samsung’s televisions run Tizen, an OS not generally known for being interesting or relevant to anyone. On the other hand, an audit two years ago found that Tizen had an absolutely terrible security implementation.
Back in 2017, researcher Amihai Neiderman spoke about his research into Tizen at the Security Analyst Summit on St. Maarten. “It may be the worst code I’ve ever seen,” he told Motherboard. “Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software.”
There were even flaws in the Tizen App Store that allowed Neiderman to hijack it and deliver malicious software to his TV. According to the McAfee Security for TV page, the app can be uninstalled at any time.
Despite the fact that this story is breaking today, there’s nothing new about the Samsung-McAfee collaboration; the two companies agreed to work together on a range of products starting in 2017. What appears to be new is that the collaboration has spread across the entire product family of Smart TVs from Samsung. The company has also added more devices of other types to be covered by the same joint agreement, like the Galaxy S10.
As to whether this agreement is doing anything to protect your devices, that’s unclear. Android antivirus scanners aren’t as useful in the first place as their PC counterparts, and we don’t appear to know anything about how Tizen is structured or if the plethora of security holes in the OS were ever patched. Frankly, it seems unlikely that the OS would go from literally one of the least-secure products ever shipped to being locked down and safe in just two years. The problem is, no security suite on earth can defend you from a broken operating system.
Despite searching, I can’t find any evidence that Tizen has been audited or that any third-party security review of the OS has been publicly released since the 2017 reports. Given that Samsung had already clearly decided it was acceptable to ship such products in the first place, the burden of proof is on the company to prove 1) that its OS should be considered secure and 2) that McAfee provides any meaningful improvement to said security.
The best way to handle a Smart TV is to never use its “smart” functions in the first place. No one has published a comprehensive audit of Tizen to demonstrate that its security flaws were fixed, it isn’t clear how much security McAfee provides in the first place, and Smart TVs are a bad idea from start to finish for anyone who cares about security or privacy. The only way to win is not to play, which in this case means using as little “smart” functionality as possible.