Consumer Reports: Your smart TV is tracking you and so are hackers

Cal Jeffrey


Smart TVs have become so prevalent these days that it's getting harder and harder to find a “dumb” TV. Market research firm GFK reports that half of all television sales in 2017 were smart TVs. Indeed, a recent trip to a local department store revealed that they did not carry one single set that was not WiFi-enabled. As with all connected devices on the IoT, security concerns are at the forefront.

That is why Consumer Reports tested five of the top-selling brands of smart televisions — Samsung, LG, Sony, TCL and Vizio — and the results were not unexpected. All five TVs tracked users' viewing habits, even when they were not streaming. This was something that most of us knew was going on already.

Tracking sounds ominous, but most of the information gathering going on is harmless. We put up with it to a certain extent every day when we visit Amazon, Facebook, Netflix and other popular websites and services. What is more concerning is the potential for abuse, and security weaknesses that leave the sets open to hacking.

Two of the brands were concerning in terms of security — Samsung and TCL Roku-enabled TVs. Consumer Reports was able to hack into both of the Roku-branded sets easily. In fact, it was the Roku functionality itself that allowed the unauthorized access.

“What we found most disturbing about this, was the relative simplicity of [gaining access],” said Glenn Derene, Consumer Reports' senior director of content. They were able to fully control the TVs — raising the volume, changing the channel, pulling up "objectionable" content, and even booting the device via WiFi. He said that the relative ease of hacking the devices was due to “basic security practices not being followed.”

"Roku enables third-party developers to create remote control applications that consumers can use to control their Roku products."

The security risk involves a Roku functionality that is also present in its set-top boxes. The feature allows users to control the TV (or Roku box) using their smartphone or tablet.

When told of the vulnerability, both Roku and Samsung said they would look into the matter, but this morning Roku fired back, saying that “Consumer Reports got it wrong.”

Roku calls CR’s report “a mischaracterization of a feature.”

“It is unfortunate that the feature was reported in this way,” said Gary Ellison, a Roku vice president. “We want to assure our customers that there is no security risk.”

Ellison explains that the feature in question is an open API that Roku uses to allow third-party developers to create control apps. He seems to ignore the possibility of the API being misused and reasons that the vulnerability is not really a risk since the consumer can disable it.

He also addresses the tracking capabilities of the Roku TVs and boxes, saying, “Consumers have the choice to opt-in. ACR [Automatic Content Recognition] is not enabled by default on Roku TVs. Consumers must activate it. And if they choose to use the feature it can be disabled at any time.”

So I guess it's not a vulnerability if you don't use it?

Personally, I avoid all of this nonsense by simply not connecting my TV to the Internet in the first place. I used to, but after a bad firmware update that never got fixed, I quit connecting and haven’t looked back.


 
I only need a dumb display for my HTPC. In any future display that I buy, it will not be hooked up to the internet.

It does not surprise me, as the article says "basic security practices not being followed", and the push-back from Roku is also trying to tell everyone that there is no security risk. Fake news has become a rallying cry these days, and it would cost them money to fix the problem, so what else would we expect them to say? Or would we even expect that they would think that an open, unprotected API would be misused?

The thing about it is that it would be almost trivial to require a password to access the API that a user could easily set themselves.

I am glad that I built an HTPC rather than relying on a device from a company that could care less about my network's security.
 
General Petraeus said so himself in an interview... the CIA can track people through their "smart" home devices (a dishwasher, to be specific, in this instance). Getting such future devices that are always connected to the IoT is one of the dumbest decisions people can make in the future and unfortunately, many people will without knowing the full consequences. Freedom in America has been long gone.

I'd advise anyone reading to stick to the unconnected devices and that includes your future electric meter. They will sell those smart devices to you as "save electricity on your bill each month".
 
General Petraeus said so himself in an interview... the CIA can track people through their "smart" home devices (a dishwasher, to be specific, in this instance). Getting such future devices that are always connected to the IoT is one of the dumbest decisions people can make in the future and unfortunately, many people will without knowing the full consequences. Freedom in America has been long gone.

I'd advise anyone reading to stick to the unconnected devices and that includes your future electric meter. They will sell those smart devices to you as "save electricity on your bill each month".

You won't have a choice as eventually every device will be IoT.

Unless you plan on keeping an old CRT TV for the next 50 years.
 
General Petraeus said so himself in an interview... the CIA can track people through their "smart" home devices (a dishwasher, to be specific, in this instance). Getting such future devices that are always connected to the IoT is one of the dumbest decisions people can make in the future and unfortunately, many people will without knowing the full consequences. Freedom in America has been long gone.

I'd advise anyone reading to stick to the unconnected devices and that includes your future electric meter. They will sell those smart devices to you as "save electricity on your bill each month".

You won't have a choice as eventually every device will be IoT.

Unless you plan on keeping an old CRT TV for the next 50 years.

Computer monitors are still free of this "smart" security risk and can easily act as a TV. In fact Computer monitors are in general better, thanks to there being good industry standards.
 
General Petraeus said so himself in an interview... the CIA can track people through their "smart" home devices (a dishwasher, to be specific, in this instance). Getting such future devices that are always connected to the IoT is one of the dumbest decisions people can make in the future and unfortunately, many people will without knowing the full consequences. Freedom in America has been long gone.

I'd advise anyone reading to stick to the unconnected devices and that includes your future electric meter. They will sell those smart devices to you as "save electricity on your bill each month".

You won't have a choice as eventually every device will be IoT.

Unless you plan on keeping an old CRT TV for the next 50 years.

Like the author, you can always leave it unconnected. For me, Chromecast removed the need for any and all Smart TV features.
 
...unless you plan on keeping an old CRT TV for the next 50 years.
CRT, really? I bought a Vizio 55" 4K "dumb TV" from Walmart in December 2017, for $398.99.

Using an upscaling dumb DVD player, DVD looks pretty good after the TV gets done with it.

So, we're dumb here, from seat to screen, and living happily in the middle ages, (Without a blessed CRT in the house, anywhere).

I still do however, have my daddy's 70 year old vacuum tube audio signal generator.
 
Computer monitors are still free of this "smart" security risk and can easily act as a TV. In fact Computer monitors are in general better, thanks to there being good industry standards.
Well, TVs in general have a higher light output. More nits, equals more opportunity for high color saturation and plenty of contrast. So in general, it's easier to "candy up" the screen output.

While computer monitors are calibrated to the max, those with CCFL back lights, still dull and color shift with age.

There's also a major issue with the newest, "energy saving monitors". Starting at 250 nits max output, is just barely passable, the contrast sucks, the C-sat sucks, and it only goes downhill from there.

Believe it or not VA panels generally have at least 300 nits output, and the color rendition is difficult to distinguish from IPS.

There's also a "4th dimension hurdle", trying to get a decent picture from broadcast and other sources. Every feed has a different color profile, so it's really a wild guess trying to figure out which source is the, "most natural", to balance against.
 
I'd advise anyone reading to stick to the unconnected devices and that includes your future electric meter. They will sell those smart devices to you as "save electricity on your bill each month".
OK, realistically speaking, don't the imbeciles who buy internet-connected light bulbs deserve whatever they get?

I have yet to be able to fathom the logic which sees people signing up for burglar alarms accessible from their smart phones.
I'm pretty sure you can't watch your house on your phone 8 hours a day at work without being fired. Then too, if your phone gets hacked, the hackers will know when your house is empty. Or is that too paranoid?
 
Personally, I avoid all of this nonsense by simply not connecting my TV to the Internet in the first place. I used to but after a bad firmware update that never got fixed, I quit connecting and haven’t looked back.
I am not sure it's a good idea to employ a Luddite at a technology news site (kidding... a little).

The API's vulnerability requires the hacker to be on the same network as the device:
To become a victim of a real-world attack, a TV user would need to be using a phone or laptop running on the same WiFi network as the television, and then visit a site or download a mobile app with malicious code. That could happen, for instance, if they were tricked into clicking on a link in a phishing email or if they visited a site containing an advertisement with the code embedded.
This is the same API that lets the Roku App control the device along with 3rd party controllers like the Logitech Harmony. If you're concerned you can turn off this functionality and only use the remote.

As to the content gathering, that's par for the course for any digital content consumption. While the TVs may add an additional layer back to the manufacturers, this is happening on your other devices whenever you consume content. The only way to avoid it would be to purchase all your media on disc and play them on a player not connected to the internet. No YouTube, Netflix, Cable, etc. Break out the antennas!
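To make the two points concrete (the "same WiFi network plus a malicious page or app" precondition quoted above, and the earlier suggestion that a user-set password on the API would close the hole), here is an added illustration that is not Roku's code and not from the article: a toy authorization check for a hypothetical LAN control endpoint, with the open design beside a hardened one. The paths, header names, token and addresses are invented for the example.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class ControlRequest:
    """One HTTP request arriving at the TV's LAN control port (constructed sample)."""
    method: str
    path: str
    headers: Dict[str, str]
    source_ip: str


@dataclass
class ControlPolicy:
    """Owner-controlled settings. user_token=None models the open API as shipped."""
    user_token: Optional[str] = None                       # password the owner sets (hypothetical)
    paired_origins: Set[str] = field(default_factory=set)  # web apps the owner explicitly paired


def open_api_authorize(req: ControlRequest) -> Tuple[bool, str]:
    """Weak design: anything that reaches the port is obeyed, so a page loaded in a
    phone or laptop browser on the same WiFi can drive the TV."""
    return True, "accepted: no authentication required"


def hardened_authorize(req: ControlRequest, policy: ControlPolicy) -> Tuple[bool, str]:
    """The fix the thread asks for: refuse unpaired browser origins and require the
    owner's token on every request, which also stops token-less GETs fired from
    <img> tags (browsers send no Origin header on those)."""
    if policy.user_token is None:
        return False, "denied: control API stays off until the owner sets a token"
    origin = req.headers.get("Origin")
    if origin is not None and origin not in policy.paired_origins:
        # A page cannot strip or forge Origin on cross-site fetch/XHR/form POSTs.
        return False, "denied: unpaired browser origin " + origin
    supplied = req.headers.get("X-Control-Token", "")
    if not hmac.compare_digest(supplied.encode(), policy.user_token.encode()):
        return False, "denied: missing or wrong control token"
    return True, "accepted: client presented the owner's token"


# Constructed traffic for the cases discussed in the thread.
DRIVEBY_POST = ControlRequest("POST", "/control/volume-up",
                              {"Origin": "http://malicious-ad.example"}, "192.168.1.20")
DRIVEBY_IMG_GET = ControlRequest("GET", "/control/volume-up", {}, "192.168.1.20")
PAIRED_REMOTE_APP = ControlRequest("POST", "/control/volume-up",
                                   {"X-Control-Token": "owner-set-secret"}, "192.168.1.30")
OWNER_POLICY = ControlPolicy(user_token="owner-set-secret")

if __name__ == "__main__":
    for label, req in [("drive-by POST", DRIVEBY_POST), ("drive-by img GET", DRIVEBY_IMG_GET),
                       ("paired app", PAIRED_REMOTE_APP)]:
        print(label, "| open API:", open_api_authorize(req)[1],
              "| hardened:", hardened_authorize(req, OWNER_POLICY)[1])
```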
 
OK, realistically speaking, don't the imbeciles who buy internet-connected light bulbs deserve whatever they get?

I have yet to be able to fathom the logic which sees people signing up for burglar alarms accessible from their smart phones.
I'm pretty sure you can't watch your house on your phone 8 hours a day at work without being fired. Then too, if your phone gets hacked, the hackers will know when your house is empty. Or is that too paranoid?

Lol, yeah, those who buy those light bulbs are getting exactly what they deserve. The future is bleak from here with IoT devices in everything.
 
Nothing gets out of my network; I know what's coming in and out. CR fails to report that you can control your network. Yeah, script kiddies can do crazy things, but be one step ahead of the game. If someone attacks your new Smart HDTV or Smart UDTV, then you have the power to tell your router to disable the connection to that network device, or power cycle your modem and/or router. You can also spend tons of money on a Bluecoat proxy device. Still, just be careful.
 
Nothing gets out of my network; I know what's coming in and out. CR fails to report that you can control your network. Yeah, script kiddies can do crazy things, but be one step ahead of the game. If someone attacks your new Smart HDTV or Smart UDTV, then you have the power to tell your router to disable the connection to that network device, or power cycle your modem and/or router. You can also spend tons of money on a Bluecoat proxy device. Still, just be careful.
You have quite a bit of technical knowledge; however, most of the readers here can count themselves in that class. Yet I am willing to bet that the average user of these devices has no clue what a proxy device is, or a firewall is, or a router, or anything like that. That is where the problem comes in. Take my father-in-law, for example. He is in the "has very little clue" what he is doing class, and in some cases needs my wife or myself to literally operate his computer for him.
 
You have quite a bit of technical knowledge; however, most of the readers here can count themselves in that class. Yet I am willing to bet that the average user of these devices has no clue what a proxy device is, or a firewall is, or a router, or anything like that. That is where the problem comes in. Take my father-in-law, for example. He is in the "has very little clue" what he is doing class, and in some cases needs my wife or myself to literally operate his computer for him.

Yes, I know my stuff, thank you! Yes, a lot of people don't have a clue what all this means. Tech-wise I am very savvy; I've been like this since I was a kid. The router is the key, but not all routers are the same, and a lot are not equipped to protect to the highest degree of safety.
You do what you can for your parents; they need your help where they don't understand the computer lingo or how things really work in technology. I've done what I can for years here to help everyone out of a jam. Take care my friend!
 
Oh gee, something is tracking you. Pretend you are "outraged".
Man, ever since Apple came out with the iPhone, people have been tracked, and even before that.
The concept of privacy? Build yourself a house in the woods, off the grid, like a faraday cage or something.
 
In your personal gateway router
  • disable remote management
  • disable port 8080
to isolate your PC from the TV, set your ISP connection to PUBLIC and thus kill Print/File Sharing (and thereby protect the TV from Driveby hacks).
 
In your personal gateway router
  • disable remote management
  • disable port 8080
to isolate your PC from the TV, set your ISP connection to PUBLIC and thus kill Print/File Sharing (and thereby protect the TV from Driveby hacks).

Good advice Joe. I'd like to add: disable all NAT, and any other firewall, in any routers you use as access points. Like Joe mentions, do this in the main router too. If you feel you're a victim of a hacker taking over your gear, just pull out the network cord or turn off your modem to end that connection. With a Smart TV, or with a laptop or desktop connected to an HDTV or UDTV, you get the same features, but with those you can get on a proxy. TV manufacturers need to think about security more than the features of an Internet TV.
 
We all need to disable UPnP also in the gateway router - - see this

Windows needs PnP, but that's not the same as UPnP
 
Yes, I know my stuff, thank you! Yes, a lot of people don't have a clue what all this means.
And that is where the CR article helps to educate those who are not tech savvy.


In your personal gateway router
  • disable remote management
  • disable port 8080
to isolate your PC from the TV, set your ISP connection to PUBLIC and thus kill Print/File Sharing (and thereby protect the TV from Driveby hacks).

Good advice Joe. I'd like to add: disable all NAT, and any other firewall, in any routers you use as access points. Like Joe mentions, do this in the main router too. If you feel you're a victim of a hacker taking over your gear, just pull out the network cord or turn off your modem to end that connection. With a Smart TV, or with a laptop or desktop connected to an HDTV or UDTV, you get the same features, but with those you can get on a proxy. TV manufacturers need to think about security more than the features of an Internet TV.
For me, as I run a custom firewall on a dedicated Linux server, I would give my TV a static IP, then block that IP from internet access.

NetBIOS ports should also be blocked, both incoming and outgoing, from internet access.
 
What's wrong with connected light bulbs?
What's right or even needed about them? From a marketing standpoint though, they serve a valuable purpose. That would be to prove, "a fool and his money are soon parted company".

Gee, I hope that was politically correct, by my only mentioning the male gender.
 
Well, TVs in general have a higher light output. More nits, equals more opportunity for high color saturation and plenty of contrast. So in general, it's easier to "candy up" the screen output.

While computer monitors are calibrated to the max, those with CCFL back lights, still dull and color shift with age.

There's also a major issue with the newest, "energy saving monitors". Starting at 250 nits max output, is just barely passable, the contrast sucks, the C-sat sucks, and it only goes downhill from there.

Believe it or not VA panels generally have at least 300 nits output, and the color rendition is difficult to distinguish from IPS.

There's also a "4th dimension hurdle", trying to get a decent picture from broadcast and other sources. Every feed has a different color profile, so it's really a wild guess trying to figure out which source is the, "most natural", to balance against.

Higher brightness != higher contrast. It does lead to brighter colors, as you were explaining. The contrast range is actually decreased once you go over 220 cd/m2, as the display is no longer able to show darker shades. TVs are expected to be viewed in rooms with light, so most sets have to make a compromise for better viewing conditions by increasing the brightness, but they lose contrast as a result.

The energy saving features of every monitor I've ever had could be turned off in the OSD but I admittedly only purchase higher end displays.

Could you elaborate on that last bit? I'm not sure if you are trying to say if this is a problem for just monitors or something else. TV shows are broadcast in a variety of formats and may use a variety of color spaces but that issue has been solved for some time now. Any video player on the market can already correctly translate them all to your PC monitor accurately and compensate for things like interlacing. The only thing that is going to alter the colors is going to be your monitor, assuming it's un-calibrated and/or low quality.
 
They have to be on your network to fark your Roku TV.
Only due to the firewall being set to Private/Home, which allows Print/File Sharing. In this configuration, a drive-by browser hack can get to the TV. Reset the network to PUBLIC and that would not be possible.
 