Smart TVs have become so prevalent these days that it's getting harder and harder to find a “dumb” TV. Market research firm GfK reports that half of all television sales in 2017 were smart TVs. Indeed, a recent trip to a local department store revealed that they did not carry a single set that was not WiFi-enabled. As with all connected devices on the IoT, security concerns are at the forefront.
That is why Consumer Reports tested five of the top-selling brands of smart televisions — Samsung, LG, Sony, TCL and Vizio — and the results were not unexpected. All five TVs tracked users' viewing habits, even when they were not streaming. This was something that most of us knew was going on already.
Tracking sounds ominous, but most of the information gathering going on is harmless. We put up with it to a certain extent every day when we visit Amazon, Facebook, Netflix and other popular websites and services. More concerning is the potential for abuse and for security problems such as vulnerability to hacking.
Two of the brands were concerning in terms of security — Samsung and TCL Roku-enabled TVs. Consumer Reports was able to hack into both of the Roku-branded sets easily. In fact, it was the Roku functionality itself that allowed the unauthorized access.
“What we found most disturbing about this was the relative simplicity of [gaining access],” said Glenn Derene, Consumer Reports' senior director of content. They were able to fully control the TVs — raising the volume, changing the channel, pulling up "objectionable" content, and even booting the device via WiFi. He said that the relative ease of hacking the devices was due to “basic security practices not being followed.”
"Roku enables third-party developers to create remote control applications that consumers can use to control their Roku products."
The security risk involves a Roku functionality that is also present in its set-top boxes. The feature allows users to control the TV (or Roku box) using their smartphone or tablet.
When told of the vulnerability, both Roku and Samsung said they would look into the matter, but this morning Roku fired back, saying that “Consumer Reports got it wrong.”
Roku calls CR’s report “a mischaracterization of a feature.”
“It is unfortunate that the feature was reported in this way,” said Gary Ellison, a Roku vice president. “We want to assure our customers that there is no security risk.”
Ellison explains that the feature in question is an open API that Roku uses to allow third-party developers to create control apps. He seems to ignore the possibility of the API being misused and reasons that the vulnerability is not really a risk since the consumer can disable it.
He also dismisses concerns about the tracking capabilities of the Roku TVs and boxes, saying, “Consumers have the choice to opt-in. ACR [Automatic Content Recognition] is not enabled by default on Roku TVs. Consumers must activate it. And if they choose to use the feature it can be disabled at any time.”
So I guess it's not a vulnerability if you don't use it?
Personally, I avoid all of this nonsense by simply not connecting my TV to the Internet in the first place. I used to, but after a bad firmware update that never got fixed, I quit connecting and haven’t looked back.