Is your TV Spying on you?

by Shannon Simpson | Nov 21, 2013
by Edd Hardy

A blog post recently appeared on http://doctorbeet.blogspot.co.uk. The post, which includes some compelling evidence, explains that an LG Smart TV was sending data back to LG.

The TV in question (and it's not clear if it's all LG Smart TVs or just this one, or indeed if other brands do the same thing) sends back details of everything that is watched. Every time the user changes the channel, it is reported back to LG. More worryingly, any files that are played from a USB drive are also reported. The researcher has captured the packets, and it can clearly be seen that he has just started to watch BBC TWO. The information is sent back in plain text, so anyone who has access to the communications channel can intercept it. The same applies to files played off the USB stick.

Rather worryingly, when the researcher reported this to LG, they simply referred to the Terms and Conditions. Even more worrying is that disabling the setting in the settings menu that seems to be connected to this makes no difference.

Clearly LG are using this information to tailor ads to the viewers; these ads can be displayed on the smart TV's interface. Their own literature claims that it analyses programs, online behaviour and search keywords. However, it raises a number of questions:

a) How many users actually know this is going on? If they did know, would they care?

b) What are they actually doing with the data? Is it just ads, or are they storing it, so that copyright holders could ask to see what you're watching to check whether you have been playing pirated movies? Are they selling on the statistical data to broadcast advertisers? What about the authorities: would this data be of any use to them?

c) What else could these devices be doing? We are putting more and more connected devices into our homes; the current buzz phrase is the Internet of Things, the idea that pretty much everything will be online in some way. So what levels of surveillance are we under, or could we end up under? Some high-end smart TVs have cameras, to enable you to make gestures to control the TV or to use Skype. It's not hard to envisage these cameras being used to monitor whether you're paying attention and what you're looking at on screen.

d) Given that the data is sent unencrypted, what other stupid mistakes are these devices making? When you sign up to Netflix or other paid services, are your credit card details being stored on the device? Are they being sent unencrypted?

e) Can the systems be attacked? A smart TV, or frankly a smart anything, is a computer with a network connection in your house, but you don't patch it or configure it in a secure manner; you simply plug it in and get it working. As these devices are connected to the internet, are they an attack vector into our homes and companies? You might spend time and money securing the computers in your home or office, but these sorts of devices could be a simple route in for an attacker. The TV is effectively a black box: you are relying on the manufacturer to build it properly and securely in the first place, and to push out regular patches. It's not like your laptop; you can't put AV on the TV or remove things you don't need, you simply have to trust that it's secure.

Smart TVs are inevitably going to become more common; it's quite hard to buy a TV that doesn't have an ethernet port and some sort of smart functionality. Lots of people use the functionality for catch-up TV and other streaming services. But most users are simply not aware that their behaviour is being tracked (it's not clear at this stage if it's just LG or all TVs). Users expect some degree of tracking when they leave their home or go online, but they don't expect it in their sitting rooms. Given the way this was discovered, unless security researchers and ordinary users are checking these systems and working out exactly what they are doing, we simply won't know; the manufacturers are not going to make it obvious.
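One way an owner could check their own TV's plaintext traffic for this kind of reporting, as an added example that is not from the original post or the researcher's work. The hosts, paths, field names and the canary file name are constructed for illustration; only the channel name comes from the post.

```python
from urllib.parse import unquote_plus

# Constructed sample: plaintext HTTP requests as they might appear in a capture
# taken on the home router. Hosts, paths and field names are invented.
CONSTRUCTED_CAPTURE = [
    b"POST /telemetry HTTP/1.1\r\nHost: ads.tv-vendor.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"event=channel&name=BBC+TWO&device=AA11",
    b"POST /telemetry HTTP/1.1\r\nHost: ads.tv-vendor.example\r\n\r\n"
    b"event=media&file=canary%2D7f3a%5Fholiday.avi",
    b"GET /firmware/check?model=X HTTP/1.1\r\nHost: update.tv-vendor.example\r\n\r\n",
]

# Strings only the household should know: the channel just selected and a
# uniquely named file (hypothetical name) placed on the USB stick as a canary.
CANARIES = ["BBC TWO", "canary-7f3a_holiday.avi"]

def parse_request(raw):
    """Split one raw HTTP request into (host, request target, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return headers.get("host", "?"), target, body.decode("latin-1")

def find_leaks(capture, canaries):
    """Return (destination host, canary) for every canary seen in plaintext."""
    findings = []
    for raw in capture:
        host, target, body = parse_request(raw)
        # Undo percent- and plus-encoding so "BBC+TWO" matches "BBC TWO".
        haystack = unquote_plus(target + "\n" + body).lower()
        for canary in canaries:
            if canary.lower() in haystack:
                findings.append((host, canary))
    return findings

if __name__ == "__main__":
    for host, canary in find_leaks(CONSTRUCTED_CAPTURE, CANARIES):
        print(f"plaintext leak of {canary!r} to {host}")
```

A hit on the canary file name is strong evidence, since that string exists nowhere except on the USB stick; the destination host it reports is the one to consider blocking at the firewall.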

We either need to find ways to block and stop this sort of traffic or simply accept the benefits and risks it brings.  I will certainly be blocking as much of the traffic as I possibly can using my firewall and monitoring the situation carefully to see what else is found. 

Edd Hardy