Your Smart TV Is Watching You Watching It
The phrase “TV viewing” took on a double meaning when TVs got smart: you’re not the only one doing the watching. Your set is watching too. According to an assessment from the nonprofit organization Consumer Reports, smart TVs intrude on your privacy to varying degrees, forcing you to give the manufacturer or its partner(s) information about what runs on the screen.
Consumer Reports points to automatic content recognition (ACR) technology as the main culprit for collecting and passing on viewing information about everything you play on the TV, including cable, over-the-air broadcasts, streaming services, DVDs and Blu-ray discs. You can turn off ACR, but you won’t receive recommendations of what to watch, and other data is still collected.
“ACR helps the TV recommend other shows you might want to watch. But it’s also used for targeting ads to you and your family, and for other marketing purposes. And you can’t easily review or delete this data later,” says Consumer Reports.
If you want your privacy locked down, the conclusion of the report is off-putting: take away the “smart” by disconnecting the device from the internet. If you view this as too drastic, there are alternatives that reduce the impact on privacy. Apart from turning off ACR, you can sometimes agree to only some of the privacy policies. Unfortunately, this is possible only on TV sets that integrate services from multiple third parties, and each provider sets its own terms.
Consumer Reports tested the top-selling TV models from Samsung, LG, TCL, Sony and Vizio, and also found security issues in two of them that give a remote attacker control over the functions of the device. The independent group says it found vulnerabilities in products from Samsung and in the Roku TV platform, which is present in TV sets from TCL, Hisense, Hitachi, Insignia, Philips, RCA, and Sharp.
The issue lies with the application programming interface (API) for remote control of the TV platform. An API is a set of methods that governs interaction between software components. The organization found that the API from Roku is unsecured, while Samsung’s comes with a faulty authorization mechanism. To take advantage of this, an attacker would have to make the TV owner run a malicious piece of code from a device on the same network as the TV set.
In both cases, the associated risk is limited to mischief like changing channels, playing content from online video platforms, cranking up the volume or accessing the TV settings. Exploiting the devices this way does not enable data exfiltration.
Image credit: MICHAEL A. SMITH