Five smart TVs tested for security, privacy issues
As more and more smart TVs are sold worldwide, consumers should be aware of the risks associated with this technology.
Consumer Union, a US-based nonprofit organization dedicated to
unbiased product testing, has conducted a privacy and security
evaluation of five smart TVs from the most widely sold TV brands in the
US:
- Samsung UN49MU8000, running the company’s Tizen OS
- LG 49UJ7700, which uses LG’s webOS
- TCL 55P605, which uses the Roku streaming platform
- Sony XBR-49X800E, running Google’s Android TV OS
- Vizio P55-E1 SmartCast TV, which uses Google’s Chromecast platform.
Security issues
The testers found that remote attackers can take control of the
Samsung and TCL TVs by exploiting flaws in the setups, allowing them to
change channels, change volume levels, open disturbing content, and so
on.
Samsung smart TVs attempt to ensure that only authorized applications
can control the television, but the mechanism they use to ensure that
applications have previously been authorized is flawed and exploitable,
researchers with Disconnect, a maker of privacy-enhancing software for
consumers and Consumer Reports partner, discovered.
TCL’s problem stems from the fact that the Roku platform has an unsecured remote control API enabled by default.
“To become a victim of a real-world attack, a TV user would need to
be using a phone or laptop running on the same WiFi network as the
television, and then visit a site or download a mobile app with
malicious code. That could happen, for instance, if they were tricked
into clicking on a link in a phishing email or if they visited a site
containing an advertisement with the code embedded,” Consumer Reports noted.
Privacy issues
When it comes to user privacy, all of the tested TVs have been found wanting.
“Every smart TV we evaluated asked for permission to collect viewing data and other kinds of information,” the testers noted.
“But we found that it’s not always easy to understand what you’re
agreeing to as you proceed through the setup process. And if you decline
permissions, you can lose a surprising amount of functionality.”
In general, consumers will either permit the collection of viewing
data and it being shared with third-parties or won’t get
recommendations. Also, if they say no to a basic privacy policy, they
won’t be able to stream anything web-based services such as Netflix or
Amazon. In fact, with Sony XBR-49X800E, consumers must agree to a
privacy policy and terms of service just to be able to complete the
setup of the TV!
Vendors say that consumers can prevent any data sharing by not
connecting the smart TV to the Internet but, again, that makes it
impossible to stream content from it. Essentially, you get a “dumb” TV.
“If you do buy a new smart TV, decide whether you want to block the
collection of viewing data. If so, pay close attention during setup.
There, you can agree to the basic privacy policy and terms of
service—which still triggers a significant amount of data
collection—while declining ACR [automatic content recognition],” the
publication advises.
For those who have already set up the TV but would now like to
restrict the collection of data, resetting the TV to factory settings is
a good first step, followed by a careful setup process and tweaking of deeply buried settings.
Comments
Post a Comment