Consumer Reports: Your 'Smart' TV Remains A Privacy & Security Dumpster Fire
from the internet-of-very-broken-things dept
By now it has been pretty well established that the security and privacy of most "internet of things" devices are decidedly half-assed. Companies are so eager to cash in on the IoT craze that nobody wants to take responsibility for their decision to skip basic security and privacy standards. As a result, we've now got millions of new attack vectors being introduced daily, including easily-hacked "smart" kettles, door locks, refrigerators, power outlets, Barbie dolls, and more. Security experts have warned that the check for this dysfunction is coming due, and it could be disastrous.
Smart televisions have long been part of this conversation, where security standards and privacy have also taken a back seat to blind gee whizzery. Numerous set vendors have already been caught hoovering up private conversations or transmitting private user data unencrypted to the cloud. One study last year surmised that around 90% of smart televisions can be hacked remotely, something intelligence agencies, private contractors and other hackers are clearly eager to take full advantage of.
Consumer Reports this week released a study suggesting that things aren't really improving. The outfit, which is working to expand the inclusion of privacy and security in its product reviews, studied streaming devices and smart TVs from a range of vendors. What it found is more of the same: companies that don't clearly disclose what consumer data is being collected and sold, aren't adequately encrypting the data they collect, and still don't seem to care that their devices are filled with security holes leaving their customers open to attack.
The report singled out Roku's many smart TVs and streaming devices, and the company's failure to address an unsecured API that could allow an attacker access to smart televisions operating on your home network. This is one of several problems that have been bouncing around since at least 2015, notes the report:
"The problem we found involved the application programming interface, or API, the program that lets developers make their own products work with the Roku platform. “Roku devices have a totally unsecured remote control API enabled by default,” says Eason Goodale, Disconnect’s lead engineer. “This means that even extremely unsophisticated hackers can take control of Rokus. It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign."
To become a victim of a real-world attack, a TV user would need to be using a phone or laptop running on the same WiFi network as the television, and then visit a site or download a mobile app with malicious code. That could happen, for instance, if they were tricked into clicking on a link in a phishing email or if they visited a site containing an advertisement with the code embedded."
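The report's attack path is a request from a browser page or app on the same WiFi reaching a control port that asks for no authentication. The following Python model, added here as an illustration and not Roku's code or API, puts that "accept anything" behaviour next to the mitigation class for it: a pairing token the client had to obtain out of band, plus a refusal of GET and of browser cross-origin requests. The `Request` class, the `X-Pairing-Token` header name, the `/control/...` paths and every sample request are constructed for the example.

```python
"""Added illustration (not Roku's code): a LAN control API that obeys any
request, next to one that demands a pairing token. All requests below are
constructed samples as they would arrive at the device's listening port."""
from dataclasses import dataclass, field
import hmac
import secrets

PAIRING_HEADER = "X-Pairing-Token"  # hypothetical header name for this example


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def open_policy(req: Request) -> Decision:
    """Models an external-control port that is on by default with no
    authentication: anything that can reach the socket is obeyed."""
    return Decision(True, "no authentication required")


class HardenedPolicy:
    """Requires a secret pairing token on every command. A web page running in
    a browser on the same WiFi never learns the token, and cannot attach a
    custom header without a CORS preflight the device does not approve, so a
    drive-by request from an ad or phishing page is refused."""

    def __init__(self, pairing_token: str):
        self._token = pairing_token

    def evaluate(self, req: Request) -> Decision:
        headers = {k.lower(): v for k, v in req.headers.items()}
        if req.method != "POST":
            # Commands change device state; GET is reachable from an <img> or
            # <script> tag with no header at all, so it is never a command.
            return Decision(False, "commands must be POST")
        if "origin" in headers:
            # Browsers add Origin to cross-site POSTs; a paired native app does
            # not. Defence in depth: the token check below is the real gate.
            return Decision(False, f"browser cross-origin request from {headers['origin']}")
        token = headers.get(PAIRING_HEADER.lower(), "")
        if not hmac.compare_digest(token, self._token):
            return Decision(False, "missing or invalid pairing token")
        return Decision(True, "paired client")


def new_pairing_token() -> str:
    """Token a device would show once on screen during pairing (constructed flow)."""
    return secrets.token_urlsafe(16)


TOKEN = "demo-pairing-token"  # fixed constant so the demo is reproducible

# Constructed sample traffic. Only the first request comes from a paired app.
SAMPLE_REQUESTS = {
    "paired_app": Request("POST", "/control/power", {PAIRING_HEADER: TOKEN}),
    "ad_script_post": Request("POST", "/control/power",
                              {"Origin": "http://ad.example", "Content-Type": "text/plain"}),
    "img_tag_get": Request("GET", "/control/power"),
    "lan_script_no_token": Request("POST", "/control/launch"),
    "app_wrong_token": Request("POST", "/control/power", {PAIRING_HEADER: "guess"}),
}


def compare_policies(requests=SAMPLE_REQUESTS, token=TOKEN):
    """Return {name: (open_allowed, hardened_allowed)} for each sample request."""
    hardened = HardenedPolicy(token)
    return {name: (open_policy(r).allowed, hardened.evaluate(r).allowed)
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, (open_ok, hard_ok) in compare_policies().items():
        print(f"{name:22s} open={open_ok!s:5s} hardened={hard_ok}")
```

Under the open policy every one of the five samples is obeyed; under the hardened policy only the paired app gets through. The page's own mitigation, switching the feature off entirely, is the other end of the same trade-off: it closes the port but, as the article notes, also disables the vendor's legitimate remote app.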
Roku was quick to issue a blog post stating that Consumer Reports had engaged in the "mischaracterization of a feature," and told its customers not to worry about it:
"Consumer Reports issued a report saying that Roku TVs and players are vulnerable to hacking. This is a mischaracterization of a feature. It is unfortunate that the feature was reported in this way. We want to assure our customers that there is no security risk.
Roku enables third-party developers to create remote control applications that consumers can use to control their Roku products. This is achieved through the use of an open interface that Roku designed and published. There is no security risk to our customers’ accounts or the Roku platform with the use of this API. In addition, consumers can turn off this feature on their Roku player or Roku TV by going to Settings>System>Advanced System Settings>External Control>Disabled."
Roku fails to mention that doing so disables the ability for consumers to control the device with Roku's own app, taking away valuable functionality from the end user (something Consumer Reports mentions in its write-up). And Roku doesn't even address the other complaints in the report, including concerns that streaming hardware and TV companies aren't making data collection and third-party sales clear, aren't clearly showcasing their privacy policies, and often don't let users opt out of such collection without losing functionality (much like the broadband ISPs and the numerous services and apps these devices are connected to).
Roku's response highlights the SOP approach (somebody else's problem) inherent in the IOT. As experts like Bruce Schneier have repeatedly noted, the tech industry is caught in a cycle of security dysfunction where nobody in the chain has any real motivation to actually fix the problem:
"The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."
Schneier has repeatedly warned that we need cooperative engagement between governments, companies, experts and the public to craft over-arching standards and policies. The alternative isn't just a few hacks and embarrassing PR gaffes now and again. The influx of millions of poorly secured internet-connected devices (many of which are being automatically integrated into historically-nasty botnets) is a massive dumpster fire with the potential for genuine human casualties. It's easy to downplay these kinds of reports as just "a few minor problems with a television set," but that ignores the massive scope of the problem and the chain of security and privacy apathy that has created it.
Filed Under: cybersecurity, iot, privacy, security, smart tv
Reader Comments
Re:
If your "pre-smart" TV has ATSC/MPEG decoders, it's probably got vulnerabilities baked in too.
Re: Re:
Then what? You have control of a TV that has no microphone and no account data. The only thing the TV could maybe do is tell you what I watch on devices other than the original one you hacked. There isn't really much data to steal from a dumb TV.
Re: Re: Re:
Send an ATSC signal. Maybe by buying an ad?
Dunno. Brick it? Maybe stick a logo on the screen? Depends how much like a computer it is. If it's software running on a CPU, maybe there's a way to turn it into a useful transmitter (transmit a virus over ATSC?).
Any speaker is a microphone. Not necessarily a useful one if there's no way to get the data out or the amplifier interferes.
Re: Re: Re: Re: Re:
It's all wild speculation until some hacker gets bored/greedy enough to seriously try, but I don't believe that only smart TVs would have vulnerabilities.
Re: Re:
Not sure how much I'd trust it. They worked with Disconnect, who seem more focused on privacy than reverse-engineering/security. (“We were just looking for good security practices,” Rerecich says. “Encryption of personal or sensitive data, protection from common vulnerabilities, that sort of thing.”)
That's good but who knows about uncommon vulnerabilities? Contests like Pwn2Own (that involve good money) find some esoteric shit.
Re: Re: Re: Re: Re:
Hey, I've got an idea - let's put it in everything!
Why doesn't anyone just make a dumb TV with 10 or more HDMI ports? I can't be the only person that would just toss wads of money at any company who made that.
Re: Re: Re:
But I agree with you, 10 would be sweet!
Re:
If they sell you a 'smart' TV with spy features, not only do they get the small profit from the sale of the TV, they get a continuing income stream from selling all of that data they collect on what you watch, when, with whom, etc. Plus they can get yet more money feeding you targeted ads based on that data.
Re: Re:
On the other hand I am hooking up playstation3, playstation4, xbox360, wii, wiiu, ouya, and so on. Almost every single one of those does a better job providing the "smart features" than even the best "smart TV".
Re: Re: Re:
If you're using an external box - like an XBox360 or Roku device - for your smart features, then you have to contend with THEIR security issues and leaking of your personal data and watching habits.
Re: Re: Re: Re:
Maybe so, but there's a much higher probability that the external devices will receive security updates at all, let alone well after the purchase of the TV. It's also more cost-effective to replace a plugged-in device if it's found to be insecure than to replace the whole damned TV when the manufacturer can't be bothered to patch known vulnerabilities.
Shouldn't it be "SEP"?
Response to: Jason on Feb 12th, 2018 @ 2:03pm
Privatized profits, socialized pollution.
Ummm
There have already been TVs that monitor you with a camera..they removed the function AFTER finding anyone could watch you at 200' away..
GET A REAL COMPUTER, PROTECT YOURSELF..
Insert Subject Here
The S in IoT stands for Security.
It's not every day that I read a post on the internet and the first two sentences are exactly what I think. And in this specific case, exactly what I repeat ad nauseam when this subject comes up in a discussion.
IoT -- we're not there yet. No smart TV, bulb or whatever for me. I'd love that, but only once the security concern is tackled. We're soooo not there yet, thanks to greed.
Vendors don't care because customers don't care
For the most part, vendors don't care about privacy because customers don't care about privacy or security. And many customers don't care about privacy because they don't know any better.
How many people realize that the "Which Harry Potter character are you" quizzes at Facebook allow the quiz-company full access to their public profile, including posts and photos?
And how many people realize a "bad guy" can easily create one of these quizzes and then data-mine everyone who answers... right down to the person's street address, elementary school, and the name of their dog. In other words, the answers to many sites' "recover your password" security questions.
If people don't care about privacy and security on Facebook, then convincing them to care about their TVs is a much harder process.
Re: Vendors don't care because customers don't care
PART of this goes back to Snail mail and the change to computers..
How much SPAM have you ever gotten in snail mail??
How much SPAM do you get in EMAIL??
THERE IS NO DIFFERENCE.
I've seen email accounts getting over 100 emails per day, and they get overwhelmed. I've seen a SMART person divide email into sections..which works pretty well. Only email they want goes to the sections THEY WANT.. DUMP it before you even see it..