Samsung and Roku smart TVs vulnerable to unsophisticated hacks [Update]

One of the big things in smart TVs today is apps like Netflix, YouTube, Hulu and more. And while you may have no problem inputting your information into these sets, Consumer Reports says you should be concerned that more is being captured about you than you might be aware. And some of those sets are even susceptible to hackers.

In a look at five different smart TV models - Samsung, LG, Sony, Vizio, and TCL, the primary maker of Roku platform - Consumer Reports found that all sets captured an alarming amount of information, and that the Samsung and TCL sets could even be hacked by individuals with an unsophisticated level of expertise.

First, the hacking. Consumer Reports found that both sets could be hacked with minimal effort, allowing an individual to take over control of the TV's volume, change channels, install apps, and even play objectionable content.

We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume, which might be deeply unsettling to someone who didn’t understand what was happening. This could be done over the web, from thousands of miles away. (These vulnerabilities would not allow a hacker to spy on the user or steal information.)

Working with engineers from security firm Disconnect, Consumer Reports found the flaws rather easily. “Roku devices have a totally unsecured remote control API enabled by default,” said Eason Goodale, Disconnect’s lead engineer. “This means that even extremely unsophisticated hackers can take control of Rokus. It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign.”

As for Samsung, the vulnerability was a bit more intricate, but still there. “Samsung smart TVs attempt to ensure that only authorized applications can control the television,” Goodale said. “Unfortunately, the mechanism they use to ensure that applications have previously been authorized is flawed. It’s as though once you unlocked your door, the door would never lock again.”

As for the privacy concerns and data collection, Consumer Reports found that all the streaming sets collected information on viewing habits, what and how you watch, and save the information to be able to target ads or even recommend similar shows. You can opt out of this, but then the TV reverts to "dumb" status preventing you from using any streaming services.

The consumer group offered a variety of ways to keep information from being collected, but cautioned that a lot of what makes smart TVs valuable to users requires some form of data collection. And with smart TVs becoming more readily available - only 16 of more than 200 midsize to large sets rated by Consumer Reports are of the dumb variety - it more important that consumers are aware of what they are getting themselves into when purchasing these types of devices.

Update: Roku responded to Consumer Reports findings, saying that the findings were incorrect. According to Roku's Gary Ellison:

This is a mischaracterization of a feature. It is unfortunate that the feature was reported in this way. We want to assure our customers that there is no security risk.

Roku enables third-party developers to create remote control applications that consumers can use to control their Roku products. This is achieved through the use of an open interface that Roku designed and published. There is no security risk to our customers’ accounts or the Roku platform with the use of this API. In addition, consumers can turn off this feature on their Roku player or Roku TV by going to Settings>System>Advanced System Settings>External Control>Disabled.

In addition the article discusses the use of ACR (Automatic Content Recognition). We took a different approach from other companies to ensure consumers have the choice to opt-in. ACR is not enabled by default on Roku TVs. Consumers must activate it. And if they choose to use the feature it can be disabled at any time. To disable consumers have to uncheck Settings > Privacy > Smart TV experience > Use info from TV inputs.

Ellison said that the company takes security and privacy very seriously and that users should not be worried by the Consumer Reports findings.

Source and image: Consumer Reports

Report a problem with article
Next Article

New fake tech support alert can freeze up Google Chrome on Windows

Previous Article

Microsoft releases Xbox One version 1802 to everyone

19 Comments - Add comment