
Consumer Reports: Your 'Smart' TV Remains A Privacy & Security Dumpster Fire

from the internet-of-very-broken-things dept

By now it has been pretty well established that the security and privacy of most "internet of things" devices is decidedly half-assed. Companies are so eager to cash in on the IOT craze that nobody wants to take responsibility for the decision to skip basic security and privacy standards. As a result, we've now got millions of new attack vectors being introduced daily, including easily-hacked "smart" kettles, door locks, refrigerators, power outlets, Barbie dolls, and more. Security experts have warned that the check for this dysfunction is coming due, and that it could be disastrous.

Smart televisions have long been part of this conversation, where security standards and privacy have also taken a back seat to blind gee whizzery. Numerous set vendors have already been caught hoovering up private conversations or transmitting private user data unencrypted to the cloud. One study last year concluded that around 90% of smart televisions can be hacked remotely, something intelligence agencies, private contractors and other hackers are clearly eager to take full advantage of.

Consumer Reports this week released a study suggesting that things aren't really improving. The outfit, which is working to expand the inclusion of privacy and security in product reviews, studied streaming devices and smart TVs from numerous vendors. What they found is more of the same: companies that don't clearly disclose what consumer data is being collected and sold, aren't adequately encrypting the data they collect, and still don't seem to care that their devices are filled with security holes leaving their customers open to attack.

Consumer Reports was quick to highlight Roku's many smart TVs and streaming devices, and the company's failure to address an unsecured API that could allow an attacker access to smart televisions operating on your home network. This is one of several problems that have been bouncing around since at least 2015, notes the report:

"The problem we found involved the application programming interface, or API, the program that lets developers make their own products work with the Roku platform. “Roku devices have a totally unsecured remote control API enabled by default,” says Eason Goodale, Disconnect’s lead engineer. “This means that even extremely unsophisticated hackers can take control of Rokus. It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign."

To become a victim of a real-world attack, a TV user would need to be using a phone or laptop running on the same WiFi network as the television, and then visit a site or download a mobile app with malicious code. That could happen, for instance, if they were tricked into clicking on a link in a phishing email or if they visited a site containing an advertisement with the code embedded."

Roku was quick to issue a blog post stating that Consumer Reports had engaged in the "mischaracterization of a feature," and told its customers not to worry about it:

"Consumer Reports issued a report saying that Roku TVs and players are vulnerable to hacking. This is a mischaracterization of a feature. It is unfortunate that the feature was reported in this way. We want to assure our customers that there is no security risk.

Roku enables third-party developers to create remote control applications that consumers can use to control their Roku products. This is achieved through the use of an open interface that Roku designed and published. There is no security risk to our customers’ accounts or the Roku platform with the use of this API. In addition, consumers can turn off this feature on their Roku player or Roku TV by going to Settings>System>Advanced System Settings>External Control>Disabled."

Roku fails to mention that doing so disables the ability for consumers to control the device with Roku's own app, taking away valuable functionality from the end user (something Consumer Reports mentions in its write-up). And Roku doesn't even address the other complaints in the report, including concerns that streaming hardware and TV companies aren't making data collection and third-party sales clear, aren't clearly showcasing their privacy policies, and often don't let users opt out of such collection without losing functionality (much like the broadband ISPs and numerous services and apps these devices are connected to).

Roku's response highlights the SOP approach (somebody else's problem) inherent in the IOT. As experts like Bruce Schneier have repeatedly noted, the tech industry is caught in a cycle of security dysfunction where nobody in the chain has any real motivation to actually fix the problem:

"The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

Schneier has repeatedly warned that we need cooperative engagement between governments, companies, experts and the public to craft over-arching standards and policies. The alternative isn't just a few hacks and embarrassing PR gaffes now and again. The influx of millions of poorly secured internet-connected devices (many of which are being automatically integrated into historically-nasty botnets) is a massive dumpster fire with the potential for genuine human casualties. It's easy to downplay these kinds of reports as just "a few minor problems with a television set," but that ignores the massive scope of the problem and the chain of security and privacy apathy that has created it.


Reader Comments



  • Thad, 12 Feb 2018 @ 12:12pm

    I've got an old, pre-"smart" Samsung plasma. So far it's served me well, but of course eventually a day will come when I have to get another TV. It's a pity they all come with security vulnerabilities baked in now.

    • Anonymous Coward, 12 Feb 2018 @ 12:19pm

      Re:

      If your "pre-smart" TV has ATSC/MPEG decoders, it's probably got vulnerabilities baked in too.

      • Machin Shin, 12 Feb 2018 @ 12:24pm

        Re: Re:

        Vulnerabilities might be in my old dumb TV. How are you going to hack it, though? It has no internet connectivity, so you would have to hack a device and then use that to hack the TV.

        Then what? You have control of a TV that has no microphone and no account data. The only thing the TV could maybe do is tell you what I watch on devices other than the original one you hacked. There isn't really much data to steal from a dumb TV.

        • Anonymous Coward, 12 Feb 2018 @ 1:32pm

          Re: Re: Re:

          How are you going to hack it though?

          Send an ATSC signal. Maybe by buying an ad?

          Then what?

          Dunno. Brick it? Maybe stick a logo on the screen? Depends how much like a computer it is. If it's software running on a CPU, maybe there's a way to turn it into a useful transmitter (transmit a virus over ATSC?).

          You have control of a TV that has no microphone

          Any speaker is a microphone. Not necessarily a useful one if there's no way to get the data out or the amplifier interferes.

    • Roger Strong (profile), 12 Feb 2018 @ 12:35pm

      Re:

      The good news for Samsung owners is Consumer Reports found the TVs by themselves to be secure. It's when you start using their remote control app on a mobile device that security breaks down.

      • Anonymous Coward, 12 Feb 2018 @ 1:38pm

        Re: Re:

        The good news for Samsung owners is Consumer Reports found the TVs by themselves to be secure.

        Not sure how much I'd trust it. They worked with Disconnect, who seem more focused on privacy than reverse-engineering/security. (“We were just looking for good security practices,” Rerecich says. “Encryption of personal or sensitive data, protection from common vulnerabilities, that sort of thing.”)

        That's good, but who knows about uncommon vulnerabilities? Contests like Pwn2Own (that involve good money) find some esoteric shit.

    • Anonymous Coward, 12 Feb 2018 @ 12:36pm

      Re:

      Just don't connect it to a network and you'll probably be fine.

  • Machin Shin, 12 Feb 2018 @ 12:19pm

    What annoys me is the pretty much total lack of modern "dumb" TVs. Is there such a thing as a dumb 4K TV?

    Why doesn't anyone just make a dumb TV with 10 or more HDMI ports? I can't be the only person who would just toss wads of money at any company that made that.

    • Anonymous Coward, 12 Feb 2018 @ 12:37pm

      Re:

      If you never connect the TV to a network, it will probably remain dumb enough for your purposes.

      • Machin Shin, 12 Feb 2018 @ 12:52pm

        Re: Re:

        That is true. Of course, then I am in effect encouraging their bad behavior. Also, it still doesn't help the fact that TV makers are far too stingy with their HDMI ports. I have a lot more than 3 devices, and those external HDMI switches are just an added annoying complexity.

        • Anonymous Coward, 12 Feb 2018 @ 2:36pm

          Re: Re: Re:

          Amazingly, my 4K TV came with 5 HDMI ports... and one of them is connected to my AV receiver, which provides additional options :)

          But I agree with you, 10 would be sweet!

    • tom (profile), 12 Feb 2018 @ 12:39pm

      Re:

      The seller of a dumb TV only makes money on the sale of what is now pretty much a low margin commodity item.

      If they sell you a 'smart' TV with spy features, not only do they get the small profit from the sale of the TV, they get a continuing income stream from selling all of that data they collect on what you watch, when, with whom, etc. Plus they can get yet more money feeding you targeted ads based on that data.

    • Roger Strong (profile), 12 Feb 2018 @ 12:50pm

      Re:

      Anyone who would want 10 HDMI ports is probably going to want Ethernet and "smart" features, whether for streaming off services like Netflix or off their own network drive via DLNA.

      • Machin Shin, 12 Feb 2018 @ 12:58pm

        Re: Re:

        That is not the case when you slow down and think about it some. TVs are very poorly supported. Updates are slow, and often the TV "smart" features are laggy as %$@#%.

        On the other hand, I am hooking up a PlayStation 3, PlayStation 4, Xbox 360, Wii, Wii U, Ouya, and so on. Almost every single one of those does a better job providing the "smart features" than even the best "smart TV".

        • Roger Strong (profile), 12 Feb 2018 @ 2:16pm

          Re: Re: Re:

          Lag makes no difference when watching a movie streamed from Netflix or DLNA.

          If you're using an external box - like an Xbox 360 or Roku device - for your smart features, then you have to contend with THEIR security issues and leaking of your personal data and watching habits.

          • Anonymouse Coward, 12 Feb 2018 @ 2:48pm

            Re: Re: Re: Re:

            If you're using an external box - like an Xbox 360 or Roku device - for your smart features, then you have to contend with THEIR security issues and leaking of your personal data and watching habits.

            Maybe so, but there's a much higher probability that the external devices will receive security updates at all, let alone well after the purchase of the TV. It's also more cost-effective to replace a plugged-in device if it's found to be insecure than to replace the whole damned TV when the manufacturer can't be bothered to patch known vulnerabilities.

        • Anonymous Coward, 12 Feb 2018 @ 2:59pm

          Re: Re: Re:

          Those devices still suffer from the problem that their manufacturers think they have the right to gather data on your use of the device and sell it to the highest bidder.

    • michael, 13 Feb 2018 @ 3:16pm

      Re:

      I don't have a TV, but I use a dumb, ceiling-mounted projector for all my TV/movie viewing. It connects to an HTPC via in-wall HDMI that took me about 20 minutes to wire. 4K screen and 100". What more could you want?

  • Anonymous Coward, 12 Feb 2018 @ 1:02pm

    Don't connect "internet of things" to the Internet.

  • Jason, 12 Feb 2018 @ 2:03pm

    Roku's response highlights the SOP approach (somebody else's problem) inherent in the IOT.

    Shouldn't it be "SEP"?

  • Anonymous Coward, 12 Feb 2018 @ 2:53pm

    Much like we pollute our environment, IOT is pollution of the internet. Some will shirk their responsibilities in order to get rich while others are left with the consequences.

    Privatized profits, socialized pollution.

  • ECA (profile), 12 Feb 2018 @ 4:23pm

    Ummm

    DON'T NEED A SMART TV..
    There have already been TVs that monitor you with a camera.. they removed the function AFTER finding anyone could watch you from 200' away..

    GET A REAL COMPUTER, PROTECT YOURSELF..

  • JuddSandage, 12 Feb 2018 @ 6:33pm

    Insert Subject Here

    ah... "Roku's response highlights the SOP approach (somebody else's problem) inherent in the IOT" should be SEP. Also, the best way to describe this is:

    The S in IoT stands for Security.

  • AngelQC (profile), 13 Feb 2018 @ 5:23am

    It's not every day that I read a post on the internet and the first two sentences are exactly what I think. And in this specific case, exactly what I repeat ad nauseam when this subject comes up in a discussion.

    IoT -- we're not there yet. No smart TV, bulb or whatever for me. I'd love that, but only once the security concern is tackled. We're soooo not there yet, thanks to greed.

  • John85851 (profile), 13 Feb 2018 @ 10:30am

    Vendors don't care because customers don't care

    I agree with Bruce Schneier that this is a problem that won't have a solution any time soon.

    For the most part, vendors don't care about privacy because customers don't care about privacy or security. And many customers don't care about privacy because they don't know any better.

    How many people realize that the "Which Harry Potter character are you" quizzes at Facebook allow the quiz company full access to their public profile, including posts and photos?
    And how many people realize a "bad guy" can easily create one of these quizzes and then data-mine everyone who answers... right down to the person's street address, elementary school, and the name of their dog. In other words, the answers to many sites' "recover your password" security questions.

    If people don't care about privacy and security on Facebook, then convincing them to care about their TVs is a much harder process.

    • ECA (profile), 13 Feb 2018 @ 12:42pm

      Re: Vendors don't care because customers don't care

      They don't understand or know what it is, does, or how to stop it..
      PART of this goes back to snail mail and the change to computers..
      How much SPAM have you ever gotten in snail mail??
      How much SPAM do you get in EMAIL??
      THERE IS NO DIFFERENCE.

      I've seen email accounts getting over 100 emails per day, and they get overwhelmed. I've seen a SMART person divide email into sections.. which works pretty well. Only email they want goes to the sections THEY WANT.. DUMP it before you even see it..


