Tag Archive for Smart TV

Your Smart TV is Spying On You

Many people will find a smart TV under their tree this year. Smart TVs are like regular televisions but with an internet connection. The global smart TV market is expected to reach 249.9M units by 2024. And all those smart TVs may be spying on you. A while ago I wrote about Vizio (VZIO) getting caught invading your privacy by collecting and selling your personal data. Despite the fact that Vizio had to pay a $2.2M fine, smart TV manufacturers continue to spy on their customers.

ZDNet reports that smart TVs send user data to tech titans including Facebook (FB), Google (GOOG), and Netflix. These devices are spying on you even when they are idle. U.S. and UK researchers say smart television sets produced by popular vendors including Samsung (005930), Apple (AAPL), and LG (LGLD), alongside content and app streaming devices such as Amazon (AMZN) FireTV and Roku, are sending out information potentially without the knowledge or consent of users.


In a paper titled “Information Exposure From Consumer IoT Devices” (PDF), the team said that 34,586 controlled experiments found that 88% of devices send information to firms other than the device manufacturer; 56% of U.S. devices and 83.8% of UK devices send your info overseas. They also report that every device they studied exposed some kind of information in plain text.

The researchers from Northeastern University and Imperial College London found that for 37% of devices, user and device behavior could be “reliably inferred” from eavesdropping on the user’s interactions with television sets and other household IoT products.

The study found that almost half of the tested devices contacted Amazon. That includes devices not manufactured by Amazon. David Choffnes, one of the authors of the paper, warns that Amazon has a lot of information about what you are doing in your home.

According to the paper, location data and IP addresses were commonly sent by our IoT devices to third parties in the cloud including Netflix, Spotify, Microsoft (MSFT), Akamai (AKAM), and Google.

When it came to smart TVs, however, almost all of the devices included in the study would contact Netflix — whether or not a TV was configured with an account for the content streaming service. “This, at the very least, exposes information to Netflix about the model of [a] TV at a given location,” the paper reads.

Some of the tech titans collecting your data responded to the researchers.

  • Facebook said that it was “common” for services with Facebook integrated into them to send data to third-party services.
  • Netflix said that data transfers were “confined to how Netflix performs and appears on screen,” and
  • Google said user preferences and consent levels dictate how publishers “may share data with Google that’s similar to data used for ads in apps or on the web.”

Internet-connected smart TVs combined with streaming services like Netflix and Hulu seem to be a cord-cutter’s dream. But like anything else that connects to the internet, that connection opens up smart TVs to security vulnerabilities and hackers. As is the case with most other internet-connected devices, manufacturers often don’t make security a priority. Not only that, many smart TVs come with a camera and a microphone that attackers can access.

FBI warning

Because manufacturers don’t make security a priority, the FBI issued a warning about the risks that smart TVs pose. The FBI warned that hackers can take control of your unsecured smart TV and, in the worst cases, take control of the camera and microphone to watch and listen in.

… TV manufacturers and app developers may be listening and watching you, that television can also be a gateway for hackers to come into your home … your unsecured TV can give him or her an easy way in the backdoor through your router.

TechCrunch notes that some of the biggest attacks targeting smart TVs were developed by the CIA, but were stolen. The files were later published online by WikiLeaks.

rb-

If you are interested in inspecting the IoT network traffic in your smart home, Princeton University has developed and released an open source tool called IoT Inspector. The software uses ARP spoofing to analyze what IoT devices are connected to the Internet, how much data is exchanged, and how often information is traded.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Television Sells Your Viewing Habits

– Updated 03-26-2017 – Vizio will pay $2.2 million to the FTC and the state of New Jersey to settle a lawsuit alleging it collected customers’ television-watching habits without their permission.

In addition to the $2.2 million in payments, Vizio will now have to get clear consent from viewers before collecting and sharing data on their viewing habits. It’ll also have to delete all data gathered by these methods before March 1st, 2016, according to the Verge.

Just in time for the Black Friday consumerism orgy of spending, Help Net Security reports that you are giving away more than cash when you buy a Smart Television from Best Buy or whoever. It turns out that the viewing habits of owners of Smart TVs manufactured by California-based consumer electronics company Vizio (VZIO) are being tracked and sold to third parties. The Vizio privacy policy says:

… VIZIO will use Viewing Data together with your IP address and other Non-Personal Information in order to inform third party selection and delivery of targeted and re-targeted advertisements … delivered to smartphones, tablets, PCs or other internet-connected devices that share an IP address or other identifier with your Smart TV.

Vizio’s competitors Samsung (005930) and LG Electronics (LGLD) can also track users’ viewing habits via their smart TV offerings, ProPublica‘s Julia Angwin pointed out, but the feature has to be explicitly turned on by the users. The collection of viewing data by Vizio’s Smart TVs is turned on by default, as is the Smart Interactivity feature that manages it.

According to the IEEE, Vizio smart TVs can track data related to whatever TV programming and related commercials you’re watching and link such data with the time, date, channel, and TV service provider. On most of the over 15 million Smart TVs sold, Vizio will also track whether you view TV programs live or later on. Vizio knows what you’re watching even if it’s a DVD being played on a gaming console or a show being watched via cable TV. The identification tracking technology can differentiate between 100 billion data points.

While, in theory, IP addresses are not personal information, they actually can be linked to individuals if there is enough information (specific attributes like age, profession, etc.) tied to them.

ProPublica‘s Angwin’s sources tell her that Vizio has been working with data broker Neustar to combine viewing data with this type of information about the user.

Even though users can turn off the spy technology, which won’t affect the device’s performance, the problem is that many, many users won’t bother reading the privacy policy or changing the default settings once they set up the TV and start using it.

TechHive reports that backlash against intrusive spying has started. Two lawsuits (Reed v. Cognitive Media Network, Inc. (PDF) and David Watts et al. v. Vizio Holdings Inc et al. (PDF)) have been filed in California against Vizio and its partners about their data collection habits.

The suits accuse Vizio and Cognitive of secretly installing tracking software on the former’s smart TVs in a way that violates various federal and state laws.

The suits allege that Vizio violated the Video Privacy Protection Act. The Video Privacy Protection Act prohibits any company engaged in rental, sale, or delivery of audio-visual content, and not necessarily just videotapes, from divulging any personally identifiable information about its customers to a third party, except where the customer has clearly consented to such data sharing.

Of course, Vizio has previously argued it’s not a videotape service provider at all, and so this particular law doesn’t apply to it.

rb-

I pointed out as far back as 2011 that Smart TVs are a dumb idea for privacy.

Consumer Reports offers tips on how to stop your Smart TV from spying on you here.


Smart TVs Dumb Security

When a device gets connected to the web without any security it leaves the users vulnerable. This is a trend as the Internet of Things evolves. In this case, Samsung Smart TVs seem to have no security, a dumb TV. Dailywireless.org reports that 40% of Americans have connected their TV to the Internet.

At the same time, The Security Ledger is reporting that a “Security Hole in Samsung Smart TVs Could Allow Remote Spying.” The Malta-based firm ReVuln says it has uncovered a remotely exploitable security hole in Samsung Smart TVs. If left unpatched, the vulnerability could allow hackers to make off with owners’ social media credentials. Attackers could also spy on those watching the TV using compatible video cameras and microphones.

ReVuln is a security research firm that offers information on security holes it discovers only to subscribers. However, it did confirm the previously unknown (“zero-day”) hole with Security Ledger. The zero-day affects Samsung Electronics Co. (005930) Smart TVs running the latest version of the company’s Linux-based firmware. It could give an attacker the ability to get access to any file on the remote device. Just as vulnerable are external devices (such as USB drives) connected to the TV.

In an Orwellian twist, the hole could be used to operate cameras and microphones attached to the Smart TVs, granting remote attackers the ability to spy on those viewing a compromised set. Luigi Auriemma of ReVuln told ComputerWorld via email, “If the attacker has full control of the TV … then he can do everything like stealing accounts to the worst scenario of using the integrated webcam and microphone to ‘watch’ the victim.”

Security Ledger says that the Smart TVs offer no native security features, such as a firewall, user authentication, or application whitelisting. More critically, there is no independent software update capability, which means that, barring a firmware update from Samsung, the exploitable hole can’t be patched without “voiding the device’s warranty and using other exploits,” ReVuln said.

The company posted a video of an attack on a Samsung TV LED 3D Smart TV online. It shows an attacker gaining shell access to the TV, copying the contents of its hard drive to an external device, and mounting them on a local drive. This gave them access to photos, documents, and other content. ReVuln said an attacker would also be able to lift credentials from any social networks or other online services accessed from the device.

rb-

There is no patch for people. Until there is, Smart TV users will have to wait for Samsung to fix this huge security hole or fix it for themselves and risk voiding their warranty. Smart TV with a complete lack of security features, Smart TV Dumb Security.


F-Secure Top Security Predictions for 2013

As the new year looms, all kinds of firms start making predictions, mostly to boost their sales next year. I will be looking at a number of firms’ predictions for next year, and let’s see how smart they are this time next year. Here are the top security predictions for 2013 from Finland-based F-Secure Labs shared with Help Net Security.

1. The end of the Internet as we know it? – F-Secure Labs predicts that the ITU WCIT in Dubai could mean the end of the Internet (which I covered here and here). Sean Sullivan, Security Advisor at F-Secure Labs, says that the World Conference on International Telecommunications could have a major impact on the Internet as we know it. “The Internet could break up into a series of smaller Internets,” Sullivan says. “Or it may start to be funded differently, with big content providers like Facebook and Google/YouTube having to pay taxes for the content they deliver.”

rb- WCIT has concluded with the U.S. and most of Europe refusing to sign the treaty due to language backed by Russia and China that could have large-ranging impacts on Internet freedom.

2. Leaks will reveal more government-sponsored espionage tools – “It’s clear from past leaks about Stuxnet, Flame, and Gauss that the cyber arms race is well underway,” says Mikko Hypponen, Chief Research Officer at F-Secure Labs. While we may not always be aware of nation-states’ covert cyber operations, we can expect that governments are more and more involved in such activity.

3. Commoditization of mobile malware will increase – The Google (GOOG) Android operating system has solidified in a way that previous mobile operating systems haven’t, extending from phones to tablets to TVs to specialized versions of tablets. The more ubiquitous it becomes, “the easier to build malware on top of it and the more opportunities for criminals to innovate business-wise,” Sullivan says. Mobile malware will become more commoditized, with cyber-criminals building toolkits that can be purchased and used by other criminals without real hacking skills. In other words, malware as a service, for Android.

4. Another malware outbreak will hit the Mac world – First it was Mac Defender and then Flashback that attacked Apple.

 


Web Connected Television New Source of Threats

You may want to consider the security of the fancy new 55-inch high-def LCD Television that Santa Claus brings you. Surprise, surprise, surprise, it may have security holes that could allow hackers to take over your home network. Consumer appetite for on-demand and online video content will drive sales of Internet-connectable TV devices to nearly 350 million units worldwide by 2015, reports ITnewsLink.

The Parks Associates report Connected Living Room: Web-enabled TVs and Blu-ray Players forecasts that worldwide sales of Internet-connectable HDTVs, Blu-ray players, game consoles, and digital video players like Apple‘s (AAPL) Apple TV will grow about fourfold from 2010.

Parks Associates says all major manufacturers are debuting new models with innovations in content aggregation, apps development, and user interfaces. Content options are finally catching up to the hardware innovations, and growing libraries of on-demand movies and TV available are starting to unlock the potential of connected TV devices as multifunction online entertainment and communications platforms.

The growth of these devices will increase opportunities for app developers – including third-party developers and giants such as Google (GOOG), Samsung, and Yahoo (YHOO) – and for one other group: hackers.

Mocana, a company that focuses on securing the “Internet of Things”, released a study that highlights digital security flaws in Internet-connected HDTVs, reports ITnewsLink. The Mocana researchers believe that the security flaws exist in many Internet TVs and recommend that consumers seek out third-party security tests before they purchase and install them in their homes.

Mocana’s CEO Adrian Turner told ITnewsLink: “…manufacturers are rushing Internet-connected consumer electronics to market without bothering to secure them … consumer electronics companies that might lack internal security expertise should seek it out, before connecting their portfolio of consumer devices to the Internet.”

Mocana’s research shows that attackers may be able to leverage Internet-connected TVs to hack into consumers’ home networks. Researchers found that the Internet interface failed to confirm script integrity before those scripts were run. Mocana was able to show that JavaScript could then be injected into the normal data stream, allowing attackers to obtain total control over the device’s Internet functionality. As a result, an attacker could intercept transmissions from the television to the network using common “rogue DNS”, “rogue DHCP server”, or TCP session hijacking techniques. The security holes could allow attackers to:

  • Present fake credit card forms to fool consumers into giving up their private information.
  • Create a man-in-the-middle attack on the HDTV to dupe consumers into thinking that “imposter” banking and commerce websites were legitimate.
  • Steal the TV manufacturer’s digital “corporate credentials” to gain special VIP access to backend services from third-party organizations including popular search engines, video streaming, and photo sharing sites.
  • Monitor and report on consumers’ private Internet usage habits without their knowledge.

The flaws Mocana uncovered should raise questions about the security of consumer electronics in general, which manufacturers are scrambling to connect to the Internet, often with little or no security technology on board.
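The missing control Mocana describes is a check of script integrity before the script runs. As an added example (not Mocana's or any TV vendor's code), the Node.js code below pins a digest in the Subresource Integrity string format and refuses a script that was altered in transit; the function names and the two sample scripts are hypothetical and constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Algorithms accepted in an integrity string, weakest to strongest.
const ALGS = ['sha256', 'sha384', 'sha512'];

// Constructed sample data: the script the vendor published, and the same
// script after something on the network path appended to it.
const ORIGINAL = 'renderProgramGuide();';
const TAMPERED = 'renderProgramGuide(); /* injected content */';

// Build an integrity string ("sha384-<base64>") for a known-good script body.
function computeIntegrity(body, alg = 'sha384') {
  const digest = crypto.createHash(alg).update(body).digest('base64');
  return `${alg}-${digest}`;
}

// Parse "alg-b64 alg-b64 ..." and keep only entries for the strongest
// algorithm present, so a weaker hash cannot be used to downgrade the check.
function parseIntegrity(metadata) {
  const entries = [];
  for (const token of metadata.trim().split(/\s+/)) {
    const dash = token.indexOf('-');
    if (dash < 0) continue;
    const alg = token.slice(0, dash).toLowerCase();
    if (!ALGS.includes(alg)) continue;
    entries.push({ alg, digest: Buffer.from(token.slice(dash + 1), 'base64') });
  }
  const best = Math.max(-1, ...entries.map((e) => ALGS.indexOf(e.alg)));
  return entries.filter((e) => ALGS.indexOf(e.alg) === best);
}

// True only if the received bytes match a pinned digest. Fails closed when
// no usable digest is supplied.
function verifyScript(body, metadata) {
  const pinned = parseIntegrity(metadata || '');
  if (pinned.length === 0) return false;
  return pinned.some(({ alg, digest }) => {
    const actual = crypto.createHash(alg).update(body).digest();
    return actual.length === digest.length &&
      crypto.timingSafeEqual(actual, digest);
  });
}

// Hand the script to the runtime (the `run` callback) only after the check
// passes; otherwise refuse and report why.
function loadScript(body, metadata, run) {
  if (!verifyScript(body, metadata)) {
    return { executed: false, reason: 'integrity mismatch' };
  }
  return { executed: true, result: run(body) };
}
```

The pinned digest has to reach the device over a channel the network attacker cannot rewrite, for example inside signed firmware; fetching it over the same unauthenticated connection as the script defeats the check.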

Mocana’s CEO Adrian Turner continued: “While much public discussion … on the recent explosion of smartphones … the vast majority of new devices coming onto the Internet aren’t phones at all: they are devices like television sets, industrial machines, medical devices, and automobiles – devices representing every conceivable industry. And the one thing that all these manufacturers have in common is that, unlike the computing industry, they don’t have deep experience in security technology.”
