But the window to this sort of hijacking is far wider than originally thought because a researcher in Israel has uncovered 40 unknown vulnerabilities, or zero-days, that would allow someone to remotely hack millions of newer Samsung smart TVs, smart watches, and mobile phones already on the market, as well as ones slated for future release, without needing physical access to them. The security holes are in an open-source operating system called Tizen that Samsung has been rolling out in its devices over the last few years.

Last month, the CIA got a lot of attention when WikiLeaks published internal documents purporting to show how the spy agency can monitor people through their Samsung smart TVs. There was a caveat to the hack, however—the hijack involved older models of Samsung TVs and required the CIA to have physical access to a TV to install the malware via a USB stick.

"It may be the worst code I've ever seen," he told Motherboard in advance of a talk about his research that he is scheduled to deliver at Kaspersky Lab's Security Analyst Summit on the island of St. Maarten on Monday. "Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It's like taking an undergraduate and letting him program your software."

But the operating system is riddled with serious security vulnerabilities that make it easy for a hacker to take control of Tizen-powered devices, according to Israeli researcher Amihai Neiderman.

Samsung has long sought to reduce its reliance on Google and Android to run its Galaxy smartphones and tablets and other devices. It already has Tizen running on some 30 million smart TVs, as well as Samsung Gear smartwatches and in some Samsung phones in a limited number of countries like Russia, India and Bangladesh—the company plans to have 10 million Tizen phones in the market this year. Samsung also announced earlier this year that Tizen would be the operating system on its new line of smart washing machines and refrigerators too.

A Samsung Z1 with the Tizen operating system on display at the Mobile World Congress 2015 in Barcelona, Spain. (Image: Kārlis Dambrāns/Flickr)

Because the TizenStore software operates with the highest privileges you can get on a device, it's the Holy Grail for a hacker who can abuse it.

All of the vulnerabilities would allow hackers to take control of a Samsung device from afar, in what's called remote-code execution. But one security hole Neiderman uncovered was particularly critical. It involves Samsung's TizenStore app—Samsung's version of Google Play Store—which delivers apps and software updates to Tizen devices. Neiderman says a flaw in its design allowed him to hijack the software to deliver malicious code to his Samsung TV.

"You can update a Tizen system with any malicious code you want," he says.

Although TizenStore does use authentication to make sure only authorized Samsung software gets installed on a device, Neiderman found a heap-overflow vulnerability that gave him control before that authentication function kicked in.

Although researchers have uncovered problems with other Samsung devices in the past, Tizen has escaped extensive scrutiny from the security community, probably because it's not widely used on phones yet.

Neiderman, who is head of research at Equus Software in Israel, where he focuses on Android phone research, began analyzing the code eight months ago after purchasing a Samsung TV with Tizen installed on it. At the time Samsung was only installing the operating system on new televisions and smart watches and a limited line of smartphones sold in a few countries.

The first Tizen phones were sold in India, but have since expanded to South Africa, Nepal, parts of Africa and Indonesia. And there are signs that Samsung plans to soon sell Tizen phones in Latin America and the Middle East, parts of Europe, and eventually the United States. The company has also begun a push to expand the catalogue of Tizen applications by offering $10,000 to the developers with the 100 most downloaded mobile apps.