This is certainly not the first time we have heard about Smart TV security issues, but this time a report shows how easy it is to extract user names, passwords and possibly even payment details from Samsung, LG, and Philips Smart TVs. The TVs are also sending extensive reports on your TV habits to several companies.
LG, Samsung & Philips singled out
We have already heard how the camera in a Samsung Smart TV can be used to spy on unsuspecting families and how LG is sending information about your home videos to LG’s servers in South Korea.
A German magazine, c’t, is now demonstrating how it was able, with simple tools, to extract user names and passwords from Smart TVs and TV apps. They explain that the method can also be used to extract credit card information entered through apps or websites (for example online banking). They tried the same trick on five Smart TVs and found that Smart TVs from Samsung, LG (only TV apps) and Philips had security issues.
They go on to explain the method: even though the data is sent in encrypted form, intercepting it was as easy as replacing the SSL certificate with an in-house generated one. Afterwards they were able to intercept the user names and passwords used in TV apps. The TVs did not check whether the certificate was genuine, only that a certificate existed. Who had signed the certificate made no difference.
All three TV makers have acknowledged the issues and confirm that this concerns all of their Smart TVs, not only a few models. They will release an update to fix the issue, but have not provided a timeframe.
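The validation gap described above, as an added example that is not from c’t or the TV makers: a TLS client with verification switched off accepts a constructed self-signed certificate, while a client using default verification rejects it. It assumes the `openssl` command-line tool is on PATH; all function names are illustrative.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(directory):
    # Constructed test certificate: self-signed, so no trusted CA vouches for it.
    cert, key = (os.path.join(directory, n) for n in ("cert.pem", "key.pem"))
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", "1",
                    "-subj", "/CN=localhost"], check=True, capture_output=True)
    return cert, key

def start_server(cert, key, connections):
    # Local TLS server presenting the self-signed certificate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    listener = socket.create_server(("127.0.0.1", 0))
    port = listener.getsockname()[1]
    def serve():
        with listener:
            for _ in range(connections):
                conn, _addr = listener.accept()
                with conn:
                    try:
                        ctx.wrap_socket(conn, server_side=True).close()
                    except (ssl.SSLError, OSError):
                        pass  # client aborted the handshake or hung up
    threading.Thread(target=serve, daemon=True).start()
    return port

def handshake(port, ctx):
    # Report whether this client configuration accepts the server's certificate.
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost"):
                return "accepted"
    except ssl.SSLCertVerificationError as exc:
        return "rejected: " + exc.verify_message

def demo():
    with tempfile.TemporaryDirectory() as directory:
        port = start_server(*make_self_signed(directory), connections=2)
        # Behaviour the article describes: encryption on, issuer never checked.
        lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        lax.check_hostname = False
        lax.verify_mode = ssl.CERT_NONE
        # Corrected client: chain must lead to a trusted CA, name must match.
        strict = ssl.create_default_context()
        return handshake(port, lax), handshake(port, strict)

if __name__ == "__main__":
    print(demo())
```

The same two-client comparison works as a regression test for any app or device client: the build should fail if the connection to a server with an untrusted certificate is ever reported as accepted.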
A spy in your living room
It is no secret that manufacturers and content providers collect information on your viewing habits. It is used to improve the TV experience and recommend new TV content based on your viewing pattern. They say that the collected data remains anonymous and is limited in scale, but as the LG case went on to show, this is not always true.
German c’t wanted to investigate just how much data modern Smart TVs are collecting about the user. They found that Hbb-TV, an internet TV platform developed jointly by European TV providers, collects and transmits extensive reports on your TV viewing habits not just to the TV maker, but also to the TV channel owners and Google (through the Google Analytics module). The reports are so extensive that they are illegal under German law according to several security experts, partly because the data can be traced back to the specific individual.
What is perhaps most worrying is that the TV makers do not disclose exactly what is being collected. No conditions or terms had to be accepted by the end user and there was no option to turn off the snooping in the TV menus. You do not even have to use the built-in TV apps, as Hbb-TV collects data while you are watching TV channels, reports c’t.
As a private individual it gives food for thought – do we really want these same companies to create “smart” refrigerators, alarms and glasses? Speak up.