Consumer Reports: Your smart TV is tracking you and so are hackers

By Cal Jeffrey · 33 replies
Feb 7, 2018
Post New Reply
  1. Smart TVs have become so prevalent these days that it's getting harder and harder to find a “dumb” TV. Market research firm GFK reports that half of all television sales in 2017 were smart TVs. Indeed, a recent trip to a local department store revealed that they did not carry one single set that was not WiFi-enabled. As with all connected devices on the IoT, security concerns are at the forefront.

    That is why Consumer Reports tested five of the top-selling brands of smart televisions — Samsung, LG, Sony, TCL and Vizio — and the results were not unexpected. All five TVs tracked users' viewing habits, even when they were not streaming. This was something that most of us knew was going on already.

    Tracking sounds ominous but most of the information gathering going on is harmless. We put up with it to a certain extent every day when we visit Amazon, Facebook, Netflix and other popular websites and services. What is more concerning is the potential for abuse or other security concerns like vulnerabilities to hacking.

    Two of the brands were concerning in terms of security — Samsung and TCL Roku-enabled TVs. Consumer Reports was able to hack into both of the Roku-branded sets easily. In fact, it was the Roku functionality itself that allowed the unauthorized access.

    “What we found most disturbing about this, was the relative simplicity of [gaining access],” said Glenn Derene, Consumer Report's senior director of content. They were able to fully control the TVs — raising the volume, changing the channel, pulling up "objectionable" content, and even booting the device via WiFi. He said that the relative ease of hacking the devices was due to “basic security practices not being followed.”

    "Roku enables third-party developers to create remote control applications that consumers can use to control their Roku products."

    The security risk involves a Roku functionality that is also present in its set-top boxes. The feature allows users to control the TV (or Roku box) using their smartphone or tablet.

    When told of the vulnerability, both Roku and Samsung said they would look into the matter but this morning, Roku fired back saying that “Consumer Reports got it wrong.”

    Roku calls CR’s report “a mischaracterization of a feature.”

    “It is unfortunate that the feature was reported in this way,” said Gary Ellison, a Roku vice president. “We want to assure our customers that there is no security risk.”

    Ellison explains that the feature in question is an open API that it uses to allow third-party developers to create control apps. He seems to ignore the possibility of the API being misused and reasons that the vulnerability is not really a risk since the consumer can disable it.

    He also denounces the tracking capabilities of the Roku TVs and boxes saying, “Consumers have the choice to opt-in. ACR [Automatic Content Recognition] is not enabled by default on Roku TVs. Consumers must activate it. And if they choose to use the feature it can be disabled at any time.”

    So I guess it's not a vulnerability if you don't use it?

    Personally, I avoid all of this nonsense by simply not connecting my TV to the Internet in the first place. I used to but after a bad firmware update that never got fixed, I quit connecting and haven’t looked back.

    Permalink to story.

     
  2. wiyosaya

    wiyosaya TS Evangelist Posts: 2,131   +897

    I only need a dumb display for my HTPC. In any future display that I buy, it will not be hooked up to the internet.

    It does not surprise me as the article says "basic security practices not being followed" and the push-back from Roku is also trying to tell everyone that there is no security risk. Fake news has become a rallying cry these days, and it would cost them money to fix the problem, so what else would we expect them to say, or would we even expect that they would think that an open, unprotected API would be misused.

    The thing about it is that it would be almost trivial to require a password to access the API that a user could easily set themselves.

    I am glad that I built an HTPC rather than relying on a device from a company that could care less about my network's security.
     
  3. SirChocula

    SirChocula TS Addict Posts: 125   +115

    General Patraeus said so himself in an interview...the CIA can track people through their "smart" home devices (a dishwasher to be specific in this instance). Getting such future devices that's always connected to the IoT is one of the dumbest decisions people can make in the future and unfortunately, many people will without knowing the full consequences. Freedom in America has been long gone.

    I'd advise anyone reading to stick to the unconnected devices and that includes your future electric meter. They will sell those smart devices to you as "save electricity on your bill each month".
     
    JaredTheDragon likes this.
  4. Lionvibez

    Lionvibez TS Evangelist Posts: 1,291   +451

    You won't have a choice as eventually every device will be IoT.

    unless you plan on keeping an old CRT tv for the next 50 years.
     
  5. Evernessince

    Evernessince TS Evangelist Posts: 2,244   +1,371

    Computer monitors are still free of this "smart" security risk and can easily act as a TV. In fact Computer monitors are in general better, thanks to there being good industry standards.
     
  6. McMurdeR

    McMurdeR TS Enthusiast Posts: 60   +49

    Like the author, you can always leave it unconnected. For me, Chromecast removed the need for any and all Smart TV features.
     
    SirChocula and Cal Jeffrey like this.
  7. captaincranky

    captaincranky TechSpot Addict Posts: 13,356   +2,850

    CRT, really? I bought a Vizio 55" 4K "dumb TV" from Walmart in December 2017, for $398.99.

    Using an upscaling dumb DVD player, DVD looks pretty good after the TV gets done with it.

    So, we're dumb here, from seat to screen, and living happily in the middle ages, (Without a blessed CRT in the house, anywhere).

    I still do however, have my daddy's 70 year old vacuum tube audio signal generator.
     
    Last edited: Feb 8, 2018
  8. captaincranky

    captaincranky TechSpot Addict Posts: 13,356   +2,850

    Well, TVs in general have a higher light output. More nits, equals more opportunity for high color saturation and plenty of contrast. So in general, it's easier to "candy up" the screen output.

    While computer monitors are calibrated to the max, those with CCFL back lights, still dull and color shift with age.

    There's also a major issue with the newest, "energy saving monitors". Starting at 250 nits max output, is just barely passable, the contrast sucks, the C-sat sucks, and it only goes downhill from there.

    Believe it or not VA panels generally have at least 300 nits output, and the color rendition is difficult to distinguish from IPS.

    There's also a "4th dimension hurdle", trying to get a decent picture from broadcast and other sources. Every feed has a different color profile, so it's really a wild guess trying to figure out which source is the, "most natural", to balance against.
     
    Last edited: Feb 8, 2018
    senketsu, wiyosaya and Charles Olson like this.
  9. captaincranky

    captaincranky TechSpot Addict Posts: 13,356   +2,850

    OK, realistically speaking, don't the imbeciles who buy internet connected light bulbs, deserve what ever they get?

    I have yet to be able to fathom the logic which sees people signing up for burglar alarms accessible from their smart phones.
    I'm pretty sure you can't watch your house on your phone 8 hours a day at work, without being fired. Then too, if your phone gets hacked, the hackers will know when your house is empty. Or is that too paranoid?.
     
    JaredTheDragon likes this.
  10. OcelotRex

    OcelotRex TS Guru Posts: 488   +251

    I am not sure its a good idea to employ a Luddite at a technology news site (kidding....a little).

    The API's vulnerability requires the hacker to be on the same network as the device:
    This is the same API that lets the Roku App control the device along with 3rd party controllers like the Logitech Harmony. If you're concerned you can turn off this functionality and only use the remote.

    As to the content gathering that's par for the course for any digital content consumption. While the TVs may add an additional layer back to the manufacturers this is happening on your other devices when you can consumer content. The only way to avoid it would be to purchase all your media on disc and play them on a player not connected to the internet. No Youtube, Netflix, Cable, etc. Break out the antennas!
     
    Cal Jeffrey likes this.
  11. SirChocula

    SirChocula TS Addict Posts: 125   +115

    Lol, yea those who buy those light bulbs is getting exactly what they deserve. The future is bleak from here with IoT devices in everything.
     
  12. tipstir

    tipstir TS Ambassador Posts: 2,525   +133

    Nothing get out of my network I know what's coming in and out. CR fails to report you can control your network yeah script kiddies can do crazy things but be one step ahead of the game. Someone attacks you new Smart HDTV or Smart UDTV then you have the power to tell your router disable the connection to that network device or power cycle your modem or and router. You can also spend tons of money on Bluecoat Proxy Device. Still just be careful.
     
    drjekelmrhyde likes this.
  13. wiyosaya

    wiyosaya TS Evangelist Posts: 2,131   +897

    You have quite a bit of technical knowledge; however, most of the readers here can count themselves in that class. Yet I am willing to bet that the average user of these devices has no clue what a proxy device is, or a firewall is, or a router, or anything like that. That is where the problem comes in. Take my father-in-law, for example. He is in the "has very little clue" what he is doing class, and in some cases needs my wife or myself to literally operate his computer for him.
     
  14. tipstir

    tipstir TS Ambassador Posts: 2,525   +133

    Yes I know my stuff thank you! Yes a lot of people don't have a clue to what all this means. Tech wise I am very savvy been like this when I was kid. Router is the key, but not all Routers are the same and a lot or not equip to protect to the highest degree of safety.
    You do what you can for your parents they need your help where they don't understand the computer lingo or how things really work in technology. I do what I can for years here to help everyone out of a jam. Take care my friend!
     
  15. p51d007

    p51d007 TS Evangelist Posts: 1,334   +662

    Oh gee, something is tracking you. Pretend you are "outraged".
    Man, ever since Apple came out with the iPhone, people have been tracked, and even before that.
    The concept of privacy? Build yourself a house in the woods, off the grid, like a faraday cage or
    something.
     
    Tanstar and Kibaruk like this.
  16. jobeard

    jobeard TS Ambassador Posts: 11,383   +1,063

    In your personal gateway router
    • disable remote management
    • disable port 8080
    to isolate your PC from the TV, set your ISP connection to PUBLIC and thus kill Print/File Sharing (and thereby protect the TV from Driveby hacks).
     
    senketsu likes this.
  17. tipstir

    tipstir TS Ambassador Posts: 2,525   +133

    Good advice Joe, I like to add disable all NAT, and any other firewall in any routers you use as Access point. Like Joe as mentions too in the main router. If you feel your a victim to a hacker taking over your gear just pull out the network cord or turn off your modem to end that connection. Smart TV or with laptop or desktop to HDTV or UDTV you get the same feature but with those you can get on Proxy. TV manufactures need to think security more than the features of a Internet TV.
     
  18. jobeard

    jobeard TS Ambassador Posts: 11,383   +1,063

    We all need to disable UpNP also in the gateway router - - see this

    Windows needs PnP, but that's not the same as UpNP
     
  19. wiyosaya

    wiyosaya TS Evangelist Posts: 2,131   +897

    And that is where the CR article helps to educate those who are not tech savvy.


    For me, as I run a custom firewall on a dedicated Linux server, I would give my TV a static IP, then block that IP from internet access.

    NetBIOS ports should also be blocked, both incoming and outgoing, from internet access.
     
  20. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,324   +928

    What's wrong with connected light bulbs?
     
  21. jobeard

    jobeard TS Ambassador Posts: 11,383   +1,063

    great idea
    help me out - - what systems have TCP/UPD ports in the BIOS??
     
  22. captaincranky

    captaincranky TechSpot Addict Posts: 13,356   +2,850

    What's right or even needed about them? From a marketing standpoint though, they serve a valuable purpose. That would be to prove, "a fool and his money are soon parted company".

    Gee, I hope that was politically correct, by my only mentioning the male gender.
     
  23. Evernessince

    Evernessince TS Evangelist Posts: 2,244   +1,371

    Higher brightness != higher contrast. It does lead to brighter colors as you were explaining. The contrast range is actually decreased once you go over 220 cd/m2 as the display is no longer able to show darker shades. TVs are expected to be viewed in rooms with light, so most sets have to make a compromise of better viewing conditions by increasing the brightness but they loose contrast as a result.

    The energy saving features of every monitor I've ever had could be turned off in the OSD but I admittedly only purchase higher end displays.

    Could you elaborate on that last bit? I'm not sure if you are trying to say if this is a problem for just monitors or something else. TV shows are broadcast in a variety of formats and may use a variety of color spaces but that issue has been solved for some time now. Any video player on the market can already correctly translate them all to your PC monitor accurately and compensate for things like interlacing. The only thing that is going to alter the colors is going to be your monitor, assuming it's un-calibrated and/or low quality.
     
  24. drjekelmrhyde

    drjekelmrhyde TS Addict Posts: 259   +67

    They have to be on your network to fark your Roku TV.
     
  25. jobeard

    jobeard TS Ambassador Posts: 11,383   +1,063

    Only due to firewall set a Private/Home which allows Print/file sharing. In this configuration, a driveby browser hack can get to the TV. Reset the network to PUBLIC and that would not be possible.
     

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...