Here’s a bit of warning for you if you own a smart TV or plan to buy one: Millions of the devices have security vulnerabilities that will allow hackers to remotely change the channels, volume level, and more. And the manufacturers of these devices can monitor and collect a lot of information about your viewing habits, probably more than you would like.
The non-profit Consumer Reports made the discovery in a broad privacy and security evaluation of top smart TV brands, which it conducted in cooperation with security firm Disconnect and research institute Ranking Digital Rights.
This is not the first time that security and privacy flaws have been found in smart TVs and other smart home appliances. However, with internet-connected TVs accounting for more than 60 percent of the devices shipped globally, these concerns are becoming more acute. So while you enjoy the ability to watch your favorite streaming service on your big-screen TV, you should also be aware of the security and privacy concerns it brings with it.
Why smart TVs are vulnerable
Among the several popular smart TVs Consumer Reports examined, televisions made by Samsung and TCL and devices that use the Roku smart TV platform were found to have security flaws.
“We were just looking for good security practices,” says Maria Rerecich, who oversees electronics testing at Consumer Reports. “Encryption of personal or sensitive data, protection from common vulnerabilities, that sort of thing.”
The researchers found that Samsung and TCL devices had vulnerabilities that could allow hackers to “pump the volume from a whisper to blaring levels, rapidly cycle through channels, open disturbing YouTube content, or kick the TV off the WiFi network.” However, the exploits won’t let attackers spy on users or collect information from their TVs, the report states.
In the case of TCL devices, the flaws were found in the application programming interfaces (APIs) of the underlying Roku TV platform, which is also used in devices made by other companies such as Sharp, Hisense, LG, and Roku’s own streaming devices. APIs are a set of functions that enable interactions between different software and hardware. Companies and developers use the Roku API to create applications for their devices.
The weakness in Roku’s platform is that it accepts remote API calls without any security checks. “This means that even extremely unsophisticated hackers can take control of Rokus,” says Eason Goodale, Disconnect’s lead engineer. “It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign.”
To exploit the vulnerability, a hacker would need access to the target TV’s Wi-Fi network. This can happen if the user of a laptop or smartphone on the same network is tricked into installing a malware-infected app or visiting a webpage with malicious code.
The Samsung exploit is a bit trickier and would only work on a device that had previously interacted with and gained access to the target TV.
“Smart TVs are no different than any other generic [Internet of Things (IoT)] devices running on well-known software containing its own weakness and vulnerabilities,” says Kestas Malakauskas, SVP of cybersecurity at CUJO AI, a company that provides security and network solutions. “It is just a matter of time when a new vulnerability will be identified in software X and exploits will be developed and made available in the wild for every criminal or hacker out there.”
Malakauskas points out that almost all smart TVs have built-in browsers, which he calls “just another vector to download and execute malicious code.” And unlike our laptops and smartphones, the hardware and software restrictions in smart home appliances prevent them from running antivirus and antispyware tools.
However, not everyone agrees that the vulnerabilities discovered by Consumer Reports are critical in nature. “The Roku stuff requires a would-be attacker to be sitting on the same local (Wi-Fi) network. At which point, you’ve got bigger problems,” says Sean Sullivan, security advisor and researcher at cybersecurity firm F-Secure. The Samsung vulnerability involves too many “ifs,” Sullivan says, imposing a very high cost on a hacker who wants to tinker with your smart TV’s volume. “I don’t think hackers will be motivated at all by this ‘vulnerability,’” he says.
Malakauskas notes, however, that while smart TVs might not look like a very interesting target for hackers, they can always work as gateways for hackers to get a foothold within your home’s network and move laterally to steal information from other devices.
The privacy risks of smart TVs
All the smart TVs that Consumer Reports reviewed required users to forfeit their viewing data to use the device’s connected features. “We found that it’s not always easy to understand what you’re agreeing to as you proceed through the setup process,” the report says. “And if you decline permissions, you can lose a surprising amount of functionality.”
Most smart TVs use automatic content recognition (ACR), a technology that enables manufacturers to identify and classify the content you’re viewing. This includes cable, over-the-air broadcasts, streaming services, and even DVDs and Blu-ray discs. ACR collects audio, video and metadata samples from your TV and sends them to the manufacturer, which then analyzes the data to understand your preferences and recommend other shows that you might be interested in watching. But it also uses this information for advertising and marketing purposes. “You can’t easily review or delete this data later,” Consumer Reports says.
Some of the television sets enable users to disable ACR while still agreeing to a basic privacy agreement. However, even those basic privacy agreements might require you to give up your location, which streaming apps you click on, and more. Not agreeing to the terms will deprive you of your TV’s “smart” features. “You can hook up a cable box or an antenna, but you won’t be able to stream anything from Amazon, Netflix, or other web-based services,” Consumer Reports says.
The worst privacy settings were found in the Sony smart TV, which is powered by Google’s Android TV platform. The setup process explicitly requires users to agree to Google’s privacy policy.
“The fact that you had to accept Google’s terms and conditions, like them or not, in order to just set up the device seemed a bigger problem to me than all the rest of [the findings],” F-Secure’s Sullivan says. “Not to mention there are currently reports of Android televisions being compromised in China by a crypto-miner.”
Sullivan says that ACR does not necessarily amount to a privacy concern on devices that don’t require the user to log into a specific online account. “But in the case of Android televisions, I think the requirement (or near requirement) to connect an account could be a problem/vector that allows for unwanted cross-platform targeted ads,” he says.
Consumer Reports’ latest research reflects the broader challenges that the consumer IoT industry is facing. In 2016, vulnerable IoT devices enabled hackers to launch the largest distributed denial-of-service (DDoS) attack in history, disrupting access to online services in large areas across the world.
“In this area being first to the market is still much more important than security design principles being applied in each smart TV software,” Malakauskas says.
“Unfortunately, this is a common practice and not only with smart TV,” agrees Yossi Atias, general manager of IoT security at Dojo by Bullguard, an IoT privacy and security startup. “The device vendors are taking advantage of the consumer lack of knowledge and awareness to privacy in general. It is always masked by long complex legal statement that users tend not to ignore. Vendors should not force trading functionality for privacy. That will change only if the regulators will step in and force the device vendors to keep the user’s privacy by default.”
How to protect your smart TV
“Without proper visibility to the network traffic it is very difficult for an average consumer to even know if his device has been compromised,” Atias says.
However, there are some measures that can minimize users’ attack surface, Atias suggests:
- Constantly update your smart TV firmware and the apps running on it (most smart TVs have an auto-update option).
- Prefer wired connections over wireless because they’re more difficult to compromise.
- Only purchase smart TVs from reputable vendors that have a track record of regularly fixing bugs and releasing security updates.
- Avoid connecting USB sticks to the TV because they might contain malware.
CUJO’s Malakauskas recommends making sure you clearly understand the terms and conditions and privacy policies before activating any service on your smart TV. “The upcoming E.U. General Data Protection Regulation (GDPR) will enforce vendors to provide more detailed and clear Privacy Policy statements which will allow consumers to understand what data will be collected and how it will be used,” he says. Of course, that won’t necessarily help consumers in the U.S.
Malakauskas also warns against using generic browsers on smart TVs because they don’t have built-in security controls to protect against malicious web attacks.
Consumers can also install a smart home protection device such as the CUJO, Dojo, or the F-Secure Sense. These devices use a set of techniques such as device behavior monitoring and packet inspection to detect and block malicious activity in your home network. The added layer of security these devices provide can make up for the inherent vulnerabilities that exist in IoT devices.
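To make the two ideas above concrete, that a TV control API accepting unauthenticated calls from any host on the Wi-Fi is the weakness, and that a network-protection device catches this through per-device behavior monitoring, here is a small rule-based monitor written for this article. It is an added, constructed example, not code from Consumer Reports, Disconnect, CUJO, Dojo, F-Secure or any TV vendor. Every address, port, log line and the control-API path are made up (the control port is a placeholder, not a real platform value), and the log format is an invented one-flow-per-line layout. The monitor gives the TV an expected profile (which LAN hosts may send it control calls, which destinations it may itself connect to) and raises an alert whenever observed traffic falls outside that profile, covering both the unauthenticated-API finding and the "TV as a foothold for lateral movement" concern raised earlier.

```python
"""Rule-based home-network monitor (constructed example).

Models the 'device behavior monitoring' that home network-protection
appliances perform: each device gets an expected traffic profile and any
deviation raises an alert. Two rules are implemented:

  1. Control-API rule: only approved controller hosts (e.g. the phone that
     runs the official remote app) may talk to the TV's control API. Any
     other LAN host doing so is the unauthenticated-remote-call pattern.
  2. Egress rule: the TV may only initiate connections to a known set of
     vendor/streaming destinations. A connection from the TV to another LAN
     host, or to an unexpected destination, is the foothold/lateral pattern.

All addresses, ports, paths and log lines are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # constructed home subnet


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"
    info: str   # free-form description of the request (constructed)


@dataclass(frozen=True)
class DeviceProfile:
    name: str
    addr: str
    control_port: int               # placeholder control-API port, not a real one
    allowed_controllers: frozenset  # LAN hosts allowed to issue control calls
    allowed_egress: frozenset       # (network, port) pairs the device may connect to


TV = DeviceProfile(
    name="living-room-tv",
    addr="192.168.1.20",
    control_port=9999,  # placeholder value
    allowed_controllers=frozenset({"192.168.1.30"}),  # the household phone
    allowed_egress=frozenset({
        (ip_network("203.0.113.0/24"), 443),  # constructed streaming/vendor range
        (ip_network("192.168.1.1/32"), 53),   # home router's DNS resolver
    }),
)


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: 'SRC -> DST:PORT PROTO free text'."""
    parts = line.split(maxsplit=4)
    src, _arrow, dst_port, proto = parts[:4]
    info = parts[4] if len(parts) > 4 else ""
    dst, port = dst_port.rsplit(":", 1)
    return Flow(src=src, dst=dst, dport=int(port), proto=proto, info=info)


def check_flow(flow: Flow, profile: DeviceProfile) -> list:
    """Apply both rules to one flow; return zero or more alert strings."""
    alerts = []
    dst = ip_address(flow.dst)

    # Rule 1: control-API call to the TV from a host that is not an approved controller.
    if flow.dst == profile.addr and flow.dport == profile.control_port:
        if flow.src not in profile.allowed_controllers:
            alerts.append(f"{profile.name}: control API call from unapproved host "
                          f"{flow.src} ({flow.info})")

    # Rule 2: the TV itself opens a connection outside its egress profile.
    if flow.src == profile.addr:
        permitted = any(dst in net and flow.dport == port
                        for net, port in profile.allowed_egress)
        if not permitted:
            kind = "lateral movement to LAN host" if dst in LAN else "unexpected egress"
            alerts.append(f"{profile.name}: {kind} {flow.dst}:{flow.dport}/{flow.proto} "
                          f"({flow.info})")
    return alerts


def monitor(lines, profile: DeviceProfile = TV) -> list:
    """Run every non-empty log line through check_flow and collect the alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(check_flow(parse_flow(line), profile))
    return alerts


# Constructed traffic: two benign control calls/egress flows, then four deviations.
SAMPLE_LOG = """\
192.168.1.30 -> 192.168.1.20:9999 tcp POST /control/volume step=+1
192.168.1.20 -> 203.0.113.10:443 tcp TLS client hello sni=stream.example
192.168.1.20 -> 192.168.1.1:53 udp DNS A stream.example
192.168.1.77 -> 192.168.1.20:9999 tcp POST /control/volume step=+50
192.168.1.77 -> 192.168.1.20:9999 tcp POST /control/launch app=youtube
192.168.1.20 -> 192.168.1.40:445 tcp SMB negotiate
192.168.1.20 -> 198.51.100.5:8888 tcp TLS client hello
"""

if __name__ == "__main__":
    for alert in monitor(SAMPLE_LOG.splitlines()):
        print(alert)
```

The first rule is only possible because the monitor sits on the home network and can see LAN-to-LAN traffic; a TV that required a pairing token for control calls would not need it. The second rule is the one that addresses Malakauskas's point: a TV that starts talking SMB to a laptop, or opening sessions to addresses outside its vendor's ranges, is behaving like a foothold rather than a television, regardless of how the initial compromise happened.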
Ben Dickson is a software engineer and the founder of TechTalks. Follow his tweets at @bendee983 and his updates on Facebook.
Editor’s note: This article has been updated for clarity.