Consumer Reports discovers smart TVs vulnerable to trivial hacks

Posted Feb 9, 2018 by James Walker
Popular smart TVs are vulnerable to simple hacks that can be used to obtain personal information or remotely control the device. The warning comes from Consumer Reports which found "unsophisticated" techniques can be used to extract "very detailed" data.
Samsung smart TV at CES 2018
Samsung smart TV at CES 2018
Affects most models
Consumer Reports conducted an investigation into smart TVs to ascertain how much data they collect and whether they're vulnerable to attack. The findings may be of concern to owners of models from some of the most popular smart TV brands. In its evaluation, Consumer Reports identified problems with TVs from companies including Samsung, Roku, LG, Sony and Vizio.
The five models used for testing were intended to offer a broad representation of the smart TV market. Each uses a different platform to display its smart content. Many of the security concerns raised will be reproducible across all TVs using the same platform, which could extend to dozens of different sets.
Consumer Reports' detailed write-up explains their findings at length. The essence of the report is that trivial problems affect all five competing systems. Not one of the trial models managed to pass the organisation's new standards for personal information collection and built-in security capabilities.
Remote control
Samsung's model was found to have a vulnerability whereby researchers could remotely control the volume, change the channels or open installed apps. Similar issues were present on the Roku device, which includes an unsecured remote control API that anyone could use.
When asked about the finding, Roku insisted "there is no security risk" before pointing out the "feature" can be disabled. However, turning it off also disables access through the app.
This was another recurring theme during the testing. The televisions do generally allow you to disable their most concerning "features" and turn off the data collection. Doing so tends to also disable the smart features though, leaving the TV with no more features than a regular dumb one. Consumer Reports noted the detailed data collection isn't required for the features to work properly, so the TV brands are effectively forcing users to share info in order to their use their product.
READ NEXT: Apple confirms iOS source code got leaked on GitHub
"All these TVs raised privacy concerns by collecting very detailed information on their users," said Consumer Reports. "Consumers can limit their data collection. But they have to give up a lot of the TVs' functionality – and know the right buttons to click and settings to look for."
Consumer Reports also pointed out it's getting harder to purchase a "dumb" TV that stands a chance of being secure out of the box. TV makers are increasingly steering consumers towards purchasing feature-filled "smart" sets designed to collect as much information as possible. Refusing this request leaves you unable to use the device you just bought.
Sony summarised the situation in an emailed response to Consumer Reports, providing information on the info sharing options for its Internet-connected TVs. "If a customer has any concerns about sharing information … they need not connect their smart TV to the Internet," the company suggested as its best advice.